Cities still using Russian firm’s software
San Marcos, Buda not heeding warnings on vulnerability to hacking.
The cities of San Marcos and Buda continue to use a Russian cybersecurity company’s software despite concerns raised by the U.S. government and lawmakers that it might leave them vulnerable to hacking by the Kremlin.
The General Services Administration, the federal agency in charge of purchasing, announced in July that it was eliminating Moscow-based Kaspersky Lab from its list of approved vendors for two governmentwide purchasing contracts.
In a statement, the agency says only that its “priorities are to ensure the integrity and security of U.S. government systems and networks,” and it offers no evidence of vulnerabilities. However, cybersecurity experts say the decision indicates the agency is cautioning against the software’s use because of cyberespionage concerns.
Kaspersky has pushed back against allegations of ties to the Russian government and offered to work with U.S. investigators by, among other things, providing the 20-year-old company’s source code.
“The company has never helped, nor will help, any government in the world with its cyber espionage efforts,” Kaspersky said in a statement. “Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations.”
The unrest over the company’s potential ties came after U.S. intelligence agencies concluded that Russia interfered in the 2016 presidential election. The Justice Department is investigating whether President Donald Trump’s campaign colluded with Russia.
San Marcos spokeswoman Kristi Wyatt said the GSA’s statement came about a month after the city renewed a three-year, roughly $47,000 contract for Kaspersky’s anti-virus software. The city has spent about $95,000 on the software since it began using it in 2009.
“We had used it and hadn’t had a problem; however, we did see that the warning came out, but it was much later than our purchase,” Wyatt said. “We haven’t had any concerns from the public (or) any calls or emails related to it, except from reporters.”
Wyatt said the city doesn’t have plans to replace the software but will re-evaluate its needs when the contract ends in three years.
San Marcos has faced other cybersecurity concerns recently. A February phishing attack led to the release of hundreds of employees’ W-2 forms, and some of those workers discovered someone else had filed a fraudulent tax return in their name. A year earlier, a consultant found that the city lacked essential security training and procedures.
Buda also has Kaspersky software on at least some machines. City spokesman David Marino said officials did not purchase Kaspersky software, but it was included in support of some computer equipment that the city bought.
Marino declined to give more detail “as a matter of security” but said the city’s use of the software “is limited and does not touch private information.” The GSA statement came out after the software was already in use in Buda, he said.
“The city is evaluating potential risks and is requesting feedback and alternatives from the hardware supplier,” Marino said.
Local governments from Austin to Round Rock to Bastrop told the American-Statesman they do not use Kaspersky software for their cybersecurity needs.
“We actually use multiple vendors so that we have various layers of protection to keep our systems safe,” said Pflugerville police spokeswoman Sara Bustilloz, noting Kaspersky is not among them.
Local governments still using Kaspersky are left to weigh their options: toss out and replace the software immediately and swallow the financial cost or continue to use it knowing the risk.
But some experts say that risk is too great for local governments — whose systems store a wide array of sensitive information — to take chances.
When people install anti-virus software, they are giving deep access to their computer and network in exchange for protection against malware and other attacks, said Michael Sulmeyer, the Belfer Center’s Cyber Security Project director at the Harvard Kennedy School.
“The risk is that if ... Kaspersky Lab software is in fact doing the bidding of the Russian intelligence service, we are giving them the access,” Sulmeyer said. “They’re not even having to work for it. We’re paying for them to have the access.”
Sulmeyer said that while evidence has yet to be released publicly — and it might never be — statements such as the one the GSA made in July that seem to discourage use of a company’s software are “unusual” and worth paying attention to.
“It would not seem to be the best move right now (to continue using the software). ... If it were me, I would start looking for alternatives,” Sulmeyer said. “The federal government sees a problem, and the federal government is in a better position to know than local and state government because they have a lot more sources of intelligence.”
Aside from the GSA, lawmakers are re-examining the federal government’s relationship with the company after senior intelligence officials testified before Congress in May that they wouldn’t use the software on their own computers.
Rep. Lamar Smith, R-San Antonio, chairman of the House Committee on Science, Space, and Technology, last week asked 22 federal agencies to share documents on the company, writing in letters that Kaspersky’s products could be used “as a tool for espionage, sabotage or other nefarious activities against the United States.”
Last month, the Senate Armed Services Committee released a defense-spending policy bill that would block the use of the company’s software at the U.S. Defense Department and associated networks.