Cities still us­ing Rus­sian firm’s soft­ware

San Mar­cos, Buda not heed­ing warn­ings on vul­ner­a­bil­ity to hack­ing.

Austin American-Statesman - - FRONT PAGE - By Taylor Gold­en­stein tgold­en­stein@states­

The cities of San Mar­cos and Buda con­tinue to use a Rus­sian cy­ber­se­cu­rity com­pany’s soft­ware de­spite con­cerns raised by the U.S. gov­ern­ment and law­mak­ers that it might leave them vul­ner­a­ble to hack­ing by the Krem­lin.

The Gen­eral Ser­vices Ad­min­is­tra­tion, the fed­eral agency in charge of pur­chas­ing, an­nounced in July that it was elim­i­nat­ing Mos­cow-based Kasper­sky Lab from its list of ap­proved ven­dors for two gov­ern­men­twide pur­chas­ing con­tracts.

In a state­ment, the agency says only that its “pri­or­i­ties are to en­sure the in­tegrity and se­cu­rity of U.S. gov­ern­ment sys­tems and net­works,” and it of­fers no ev­i­dence of vul­ner­a­bil­i­ties. How­ever, cy­ber­se­cu­rity ex­perts say the de­ci­sion in­di­cates the agency is cau­tion­ing against the soft­ware’s use be­cause of cy­beres­pi­onage con­cerns.

Kasper­sky has pushed back against al­le­ga­tions of ties to the Rus­sian gov­ern­ment and of­fered to work with U.S. in­ves­ti­ga­tors by, among other things, pro­vid­ing the 20-year-old com­pany’s source code.

“The com­pany has never helped, nor will help, any gov­ern­ment in the world with its cy­ber es­pi­onage ef­forts,” Kasper­sky

said in a state­ment. “Kasper­sky Lab be­lieves it is com­pletely un­ac­cept­able that the com­pany is be­ing un­justly ac­cused with­out any hard ev­i­dence to back up these false al­le­ga­tions.”

The un­rest over the com­pany’s po­ten­tial ties came af­ter U.S. in­tel­li­gence agen­cies con­cluded that Rus­sia in­ter­fered in the 2016 pres­i­den­tial elec­tion. The Jus­tice Depart­ment is in­ves­ti­gat­ing whether Pres­i­dent Don­ald Trump’s cam­paign col­luded with Rus­sia.

San Mar­cos spokes­woman Kristi Wy­att said the GSA’s state­ment came about a month af­ter the city re­newed a three-year, roughly $47,000 con­tract for Kasper­sky’s anti-virus soft­ware. The city has spent about $95,000 on the soft­ware since it be­gan us­ing it in 2009.

“We had used it and hadn’t had a prob­lem; how­ever, we did see that the warn­ing came out, but it was much later than our pur­chase,” Wy­att said. “We haven’t had any con­cerns from the pub­lic (or) any calls or emails re­lated to it, ex­cept from re­porters.”

Wy­att said the city doesn’t have plans to re­place the soft­ware but will re-eval­u­ate its needs when the con­tract ends in three years.

San Mar­cos has faced other cy­ber­se­cu­rity con­cerns re­cently. A Fe­bru­ary phish­ing at­tack led to the re­lease of hun­dreds of em­ploy­ees’ W-2 forms, and some of those work­ers dis­cov­ered some­one else had filed a fraud­u­lent tax re­turn in their name. A year ear­lier, a con­sul­tant found that the city lacked es­sen­tial se­cu­rity train­ing and pro­ce­dures.

Buda also has Kasper­sky soft­ware on at least some machines. City spokesman David Marino said of­fi­cials did not pur­chase Kasper­sky soft­ware, but it was in­cluded in sup­port of some com­puter equip­ment that the city bought.

Marino de­clined to give more de­tail “as a mat­ter of se­cu­rity” but said the city’s use of the soft­ware “is lim­ited and does not touch pri­vate in­for­ma­tion.” The GSA state­ment came out af­ter the soft­ware was al­ready in use in Buda, he said.

“The city is eval­u­at­ing po­ten­tial risks and is re­quest­ing feed­back and al­ter­na­tives from the hard­ware sup­plier,” Marino said.

Lo­cal gov­ern­ments from Austin to Round Rock to Bas­trop told the Amer­i­can-States­man they do not use Kasper­sky soft­ware for their cy­ber­se­cu­rity needs.

“We ac­tu­ally use mul­ti­ple ven­dors so that we have var­i­ous lay­ers of pro­tec­tion to keep our sys­tems safe,” said Pflugerville po­lice spokes­woman Sara Bustil­loz, not­ing Kasper­sky is not among them.

Lo­cal gov­ern­ments still us­ing Kasper­sky are left to weigh their op­tions: toss out and re­place the soft­ware im­me­di­ately and swal­low the fi­nan­cial cost or con­tinue to use it know­ing the risk.

But some ex­perts say that risk is too great for lo­cal gov­ern­ments — whose sys­tems store a wide ar­ray of sen­si­tive in­for­ma­tion — to take chances.

When peo­ple in­stall anti-virus soft­ware, they are giv­ing deep ac­cess to their com­puter and network in ex­change for pro­tec­tion against mal­ware and other at­tacks, said Michael Sul­meyer, the Belfer Cen­ter’s Cy­ber Se­cu­rity Project di­rec­tor at the Har­vard Kennedy School.

“The risk is that if ... Kasper­sky Lab soft­ware is in fact do­ing the bid­ding of the Rus­sian in­tel­li­gence ser­vice, we are giv­ing them the ac­cess,” Sul­meyer said. “They’re not even hav­ing to work for it. We’re pay­ing for them to have the ac­cess.”

Sul­meyer said that while ev­i­dence has yet to be re­leased pub­licly — and it might never be — state­ments such as the one the GSA made in July that seem to dis­cour­age use of a com­pany’s soft­ware are “un­usual” and worth pay­ing at­ten­tion to.

“It would not seem to be the best move right now (to con­tinue us­ing the soft­ware). ... If it were me, I would start look­ing for al­ter­na­tives,” Sul­meyer said. “The fed­eral gov­ern­ment sees a prob­lem, and the fed­eral gov­ern­ment is in a bet­ter po­si­tion to know than lo­cal and state gov­ern­ment be­cause they have a lot more sources of in­tel­li­gence.”

Aside from the GSA, law­mak­ers are re-ex­am­in­ing the fed­eral gov­ern­ment’s re­la­tion­ship with the com­pany af­ter se­nior in­tel­li­gence of­fi­cials tes­ti­fied be­fore Congress in May that they wouldn’t use the soft­ware on their own com­put­ers.

Rep. La­mar Smith, R-San An­to­nio, chair­man of the House Com­mit­tee on Sci­ence, Space, and Tech­nol­ogy, last week asked 22 fed­eral agen­cies to share doc­u­ments on the com­pany, writ­ing in let­ters that Kasper­sky’s prod­ucts could be used “as a tool for es­pi­onage, sab­o­tage or other ne­far­i­ous ac­tiv­i­ties against the United States.”

Last month, the Se­nate Armed Ser­vices Com­mit­tee re­leased a defense-spend­ing pol­icy bill that would block the use of the com­pany’s soft­ware at the U.S. Defense Depart­ment and associated net­works.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.