U.S. institutes ban on Russia software
Agencies warned of cyber-espionage
The U.S. government Wednesday banned federal agencies from using a Russian brand of security software over concerns that the company has ties to state-sponsored cyber-espionage activities, U.S. officials said.
Acting Homeland Security Secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal government networks and gave agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it.
Duke ordered the action on the grounds that the company has connections to the Russian government and its software poses a security risk.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the department said.
The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, the agency suggested that a vulnerability exists in Kaspersky that could give the Kremlin backdoor access to the systems the company protects.
In a statement to The Washington Post on Wednesday, the company said, “Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company.
“The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts,” the company said.
“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” the firm said.
The directive comes in the wake of an unprecedented Russian operation to interfere in the U.S. presidential election that saw Russian spy services hack the networks of the Democratic National Committee and other political organizations and release damaging information.
At least a half-dozen federal agencies run Kaspersky on their networks, the U.S. officials said, although there may be other networks where an agency’s chief information security officer — the official ultimately responsible for systems security — might not be aware it is being used.
The order applies only to civilian government networks, not the military’s. But the Defense Department, which includes the National Security Agency, does not generally use Kaspersky software, officials said.
The U.S. intelligence community has long assessed that Kaspersky has ties to the Russian government, according to officials who spoke on the condition of anonymity to discuss internal deliberations. The company’s founder, Eugene Kaspersky, graduated from a KGB-supported cryptography school and had worked in Russian military intelligence.
In recent months, concern has mounted inside the government about the potential for Kaspersky software to be used to gather information for the Russian secret services, officials said.
Richard Ledgett, former National Security Agency deputy director, hailed the move. Speaking Wednesday on the sidelines of the Billington CyberSecurity Summit in Washington, he noted that Kaspersky, like other Russian companies, is “bound to comply with the directive of Russian state security services, by law, to share with them information from their servers.”