Acting Secretary of Homeland Security Elaine Duke released a binding operational directive on Sept. 13 requiring agencies to identify and plan to remove all Kaspersky Lab products within the next 90 days.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” the Department of Homeland Security (DHS) said in a statement. “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
Kaspersky recently reinforced its commitment to the North American market through the announcement of three new offices in the region, and particularly emphasized its dedication to expanding the U.S. government market:
“Given that U.S. government sales have not been a significant part of the company’s activity in North America, Kaspersky Lab is exploring opportunities to better optimize the Washington D.C. office responsible for threat intelligence offerings to U.S. government entities.”
Since the revelation of Russia’s involvement in the 2016 hack of Democratic National Committee servers, Kaspersky has been mired in suspicion over its ties to the Russian government. To combat this, CEO Eugene Kaspersky offered to turn over product source code to the U.S. government for examination in July, saying that he would do anything “to prove that we don’t behave maliciously.”
“Great work on the part of DHS to look at the threats to our networks and the implications,” Robert Joyce, special assistant to the president and cybersecurity coordinator for the White House, said of the directive at the Billington CyberSecurity Summit. “For us the idea of a piece of software that’s going to live on our networks, going to touch every file on those networks, going to be able to, at the discretion of the company, to decide what goes back to their cloud in Russia–and then what you really need to understand is under Russian law they must collaborate with FSB [Russian Federal Security Service]–for us in the government that was unacceptable risk.”
“I trust DHS to make these decisions,” said Rep. Will Hurd, R-Texas, adding that this should not be part of an escalation with Russia. “Is there potentially going to be retaliations? We’ll see. I don’t think getting into a tit-for-tat with Russia is in anybody’s best interest, but first and foremost we need to defend our own digital infrastructure.”
A section of the Senate National Defense Authorization Act for 2018 also took aim at the Russia-based company:
“No department, agency, organization, or other element of the Department of Defense may use, whether directly or through work with or on behalf of another organization or element of the Department or another department or agency of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.”
The DHS statement said that though Kaspersky happens to have ties to the Russian government, the department “will take appropriate action related to the products of any company that presents a security risk based on DHS’s internal risk management and assessment process.”
DHS will also offer Kaspersky Lab the opportunity to submit a written response to the concerns raised by the directive and to provide any evidence, materials, or data that may be relevant.
MeriTalk has contacted Kaspersky for comment on the directive.
This story has been updated.