The U.S. government on Wednesday banned the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities, according to U.S. officials.
Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal government networks, giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, the GSA suggested a vulnerability exists in Kaspersky that could give the Kremlin backdoor access to the systems the company protects.
In a statement to The Washington Post on Wednesday, the company said: “Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company. The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.”
“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” the firm said.
The directive comes in the wake of an unprecedented Russian operation to interfere in the U.S. presidential election that saw Russian spy services hack the networks of the Democratic National Committee and other political organizations and release damaging information.
At least a half-dozen federal agencies run Kaspersky on their networks, the U.S. officials said, although there may be other networks where an agency’s chief information security officer – the official ultimately responsible for systems security – might not be aware it is being used.
The order applies only to civilian government networks, not the military’s. But the Defense Department, which includes the National Security Agency, does not generally use Kaspersky software, officials said.
The U.S. intelligence community has long assessed that Kaspersky has ties to the Russian government, according to officials who spoke on the condition of anonymity to discuss internal deliberations. The company’s founder, Eugene Kaspersky, graduated from a KGB-supported cryptography school and had worked in Russian military intelligence.
In recent months concern has mounted inside the government about the potential for Kaspersky software to be used to gather information for the Russian secret services, officials said.
Richard Ledgett, former NSA deputy director, hailed the move. Speaking Wednesday on the sidelines of the Billington CyberSecurity Summit in Washington, he noted that Kaspersky, like other Russian companies, is “bound to comply with the directive of Russian state security services, by law, to share with them information from their servers.”
Concerns about Kaspersky software had been brewing for years, according to one former official who told The Post that some congressional staffers were warned by federal law enforcement officials as early as November 2015 not to meet with employees from Kaspersky, over concerns about electronic surveillance.
When the GSA announced its July decision, it underscored that its mission was to “ensure the integrity and security of U.S. government systems and networks” and that Kaspersky was delisted “after review and careful consideration.” The action removed the company from the list of products approved for purchase on federal systems and at discounted prices for state governments.
The directive will also put pressure on state and local governments that use Kaspersky’s products. Many had been left to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost. In July, The Post found several state or local agencies that used Kaspersky’s anti-virus or security software had purchased or supported the software within the past two years.
(c) 2017, The Washington Post · Ellen Nakashima, Jack Gillum