The U.S. government on Wednesday plans to ban the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities, according to U.S. officials.
Acting Homeland Security Secretary Elaine Duke will order that Kaspersky Lab software be barred from federal government networks while giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.
The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, GSA suggested a vulnerability exists in Kaspersky that could give the Kremlin backdoor access to the systems the company protects.
In a statement to The Washington Post on Wednesday, the company said: “Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company. The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.
“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” the firm said.
The directive comes in the wake of an unprecedented Russian operation to interfere in the U.S. presidential election that saw Russian spy services hack into the Democratic National Committee and the networks of other political organizations and release damaging information.
At least a half-dozen federal agencies run Kaspersky on their networks, the U.S. officials said, although there may be other networks where an agency’s chief information security officer — the official ultimately responsible for systems security — might not be aware it is being used.
The U.S. intelligence community has long assessed that Kaspersky has ties to the Russian government, according to officials, who spoke on condition of anonymity to discuss internal deliberations. Its founder, Eugene Kaspersky, graduated from a KGB-supported cryptography school and had worked in Russian military intelligence.
In recent months concern has mounted inside the government about the potential for Kaspersky software to be used to gather information for the Russian secret services, officials said.
Richard Ledgett, former National Security Agency Deputy Director, hailed the move. Speaking on the sidelines of the Billington cybersecurity summit in Washington Wednesday, he noted that Kaspersky, like other Russian companies, is “bound to comply with the directive of Russian state security services, by law, to share with them information from their servers.”
Concerns about Kaspersky software had been brewing for years, according to one former official who told The Post that some congressional staffers were warned by federal law enforcement officials as early as November 2015 not to meet with employees from Kaspersky over concerns of electronic surveillance.
When GSA announced its July decision, it underscored its mission was to “ensure the integrity and security of U.S. government systems and networks” and that Kaspersky was delisted “after review and careful consideration.” The action removed the company from the list of products approved for purchase on federal systems and at discounted prices for state governments.
The directive will also put pressure on state and local governments that use Kaspersky’s products. Many had been left to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost. In July, The Post found several state or local agencies that used Kaspersky’s antivirus or security software had purchased or supported the software within the last two years.