After months of current and former U.S. government officials warning against using cybersecurity products developed and sold by Russia-based Kaspersky Lab, acting Homeland Security Secretary Elaine Duke issued a binding operational directive on Wednesday telling all federal agencies to get Kaspersky software off their systems within 90 days.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” Duke said in a release announcing the BOD. “The department is concerned about the ties between certain Kaspersky officials and Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
Duke cited the anti-virus’ broad access to files and secure areas of federal networks on which the software is installed.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” she added.
The directive gives agencies 30 days to identify all instances of Kaspersky products on their networks; 60 days to work up plans to remove those products; and 90 days to implement those plans. That means agencies must be clear of Kaspersky by Dec. 12, “unless directed otherwise by DHS based on new information.”
“This is a risk-based decision we need to make,” White House Cybersecurity Coordinator Rob Joyce said Wednesday while speaking at the annual Billington Cybersecurity Summit. “For us the idea of a piece of software that’s going to live on our networks, going to touch every file on those networks, going to be able to at the discretion of the company decide what goes back to their cloud in Russia — and then what you really need to understand is under Russian law the company must collaborate with the FSB. So for us in the government that was an unacceptable risk.”
DHS said Kaspersky will be given a chance to offer a “written response addressing the department’s concerns or to mitigate those concerns,” an offer that is also extended to other companies that feel they will be adversely impacted by this directive.
“Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security, but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” Kaspersky Lab told Fifth Domain in an email Wednesday.
The comment continued:
No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.
In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development.
Regarding the Russian polices and laws being misinterpreted, the laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services. Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.
Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.
U.S. intelligence community officials have long been skeptical of Kaspersky products being used within the government and critical infrastructure, though few have spoken publicly about those concerns.
Richard Ledgett, who was most recently deputy director of NSA until his retirement at the end of April, spoke about the U.S. intelligence community’s concerns in a July podcast interview.
“The concern over Kaspersky is well founded and I think that there’s growing recognition — there has been for a while and more recently [within] Congress — that we probably don’t want that in really significant parts of the government or critical infrastructure networks,” he said.
Ledgett, like most current officials, noted there is much he cannot say on this topic.
Fifth Domain reporter Mark Pomerleau contributed to this report.