The Department of Homeland Security on Sept. 13 ordered all federal agencies to stop using Moscow-based cyber security firm Kaspersky Lab’s software products over concerns surrounding the company’s ties to potential Kremlin cyberespionage activities.
Acting Secretary of Homeland Security Elaine Duke issued the directive, which allows agencies 30 days to identify any potential use of Kaspersky software on their networks, and then over the next 90 days develop a plan to remove any remaining trace of the company’s products from federal systems.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” the DHS wrote in a statement Sept. 13. “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.”
The directive follows a House Science, Space, and Technology Committee effort in July to collect documents from 22 federal agencies related to their potential use of Kaspersky software.
Committee Chairman Lamar Smith (R-Texas) sent a letter on July 28 detailing concerns about company CEO Eugene Kaspersky’s close ties to Russian spies and the potential for the company’s anti-virus software to be used as a backdoor into critical information systems.
DHS has also raised concerns about Kaspersky officials’ close relationship with Russian intelligence, including its Federal Security Service (FSB).
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” DHS wrote in its statement.
White House Cyber Security Coordinator Rob Joyce offered his support for the DHS directive while speaking at the Billington CyberSecurity Summit on Sept. 13.
“Great work on the part of DHS to look at the threats to our networks and the implications. This is a risk-based decision we need to make,” said Joyce. “For us, the idea of a piece of software that’s going to live on our networks, and touch every file on those networks, going to be able to, at the discretion of the company, decide what goes back to their cloud in Russia. What you really need to understand is, under Russian law, the company must collaborate with the FSB. So for us at the government that was an unacceptable risk.”
In its statement, DHS offered the chance for Kaspersky to address its concerns over the move to eliminate its products from federal systems, and clarified that the department would take the same action for the products of any company that might present a security risk.
Kaspersky responded to the DHS directive, denying any inappropriate ties with any government and claiming that, because it is not technically a communication services provider, it is not subject to the Russian law requiring compliance with the FSB.
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit,” wrote Kaspersky Lab in a statement.
The DHS directive extends to all federal civilian executive branch departments and agencies.