Kaspersky soft­ware

The Washington Post - - FRONT PAGE - BY ELLEN NAKASHIMA AND JACK GIL­LUM Aaron C. Davis con­trib­uted to this re­port.

will be banned in U.S. govern­ment agen­cies un­der a new di­rec­tive prompted by con­cerns that the Rus­sian firm has ties to state cy­beres­pi­onage ac­tiv­i­ties.

The U.S. govern­ment on Wed­nes­day moved to ban the use of a Rus­sian brand of se­cu­rity soft­ware by fed­eral agen­cies amid con­cerns the com­pany has ties to state-spon­sored cy­beres­pi­onage ac­tiv­i­ties.

In a bind­ing di­rec­tive, act­ing Home­land Se­cu­rity Sec­re­tary Elaine Duke or­dered that fed­eral civil­ian agen­cies iden­tify Kaspersky Lab soft­ware on their net­works. Af­ter 90 days, un­less oth­er­wise di­rected, they must re­move the soft­ware, on the grounds that the com­pany has con­nec­tions to the Rus­sian govern­ment and its soft­ware poses a se­cu­rity risk.

The Depart­ment of Home­land Se­cu­rity “is con­cerned about the ties be­tween cer­tain Kaspersky of­fi­cials and Rus­sian in­tel­li­gence and other govern­ment agen­cies, and re­quire­ments un­der Rus­sian law that al­low Rus­sian in­tel­li­gence agen­cies to re­quest or com­pel as­sis­tance from Kaspersky and to in­ter­cept com­mu­ni­ca­tions tran­sit­ing Rus­sian net­works,” the depart­ment said in a state­ment. “The risk that the Rus­sian govern­ment, whether act­ing on its own or in col­lab­o­ra­tion with Kaspersky, could cap­i­tal­ize on ac­cess pro­vided by Kaspersky prod­ucts to com­pro­mise fed­eral in­for­ma­tion and in­for­ma­tion sys­tems di­rectly im­pli­cates U.S. na­tional se­cu­rity.”

The di­rec­tive comes months af­ter the fed­eral Gen­eral Ser­vices Ad­min­is­tra­tion, the agency in charge of govern­ment pur­chas­ing, re­moved Kaspersky from its list of ap­proved ven­dors. In do­ing so, the GSA sug­gested a vul­ner­a­bil­ity ex­ists with Kaspersky that could give the Krem­lin back­door ac­cess to the sys­tems the com­pany pro­tects.

The com­pany said in a state­ment Wed­nes­day that it “doesn’t have in­ap­pro­pri­ate ties with any govern­ment, which is why no cred­i­ble ev­i­dence has been pre­sented pub­licly by any­one or any or­ga­ni­za­tion to back up the false al­le­ga­tions made against the com­pany.”

It also said that the Rus­sian law re­quir­ing as­sis­tance does not ap­ply to the com­pany.

“Kaspersky Lab has never helped, nor will help, any govern­ment in the world with its cy­beres­pi­onage or of­fen­sive cy­ber ef­forts, and it’s dis­con­cert­ing that a pri­vate com­pany can be con­sid­ered guilty un­til proven in­no­cent, due to geopo­lit­i­cal is­sues,” Kaspersky said. “The com­pany looks for­ward to work­ing with DHS, as Kaspersky Lab ar­dently be­lieves a deeper ex­am­i­na­tion of the com­pany will sub­stan­ti­ate that th­ese al­le­ga­tions are with­out merit.”

The depart­ment is giv­ing Kaspersky 90 days to prove its prod­ucts are not a se­cu­rity risk or to mit­i­gate the con­cerns.

“We’ve de­ter­mined that [Kaspersky soft­ware] poses an un­ac­cept­able amount of risk based on our as­sess­ment,” said Christo­pher Krebs, a se­nior DHS of­fi­cial in the Na­tional Pro­tec­tion and Pro­grams Direc­torate. “If they want to pro­vide ad­di­tional in­for­ma­tion or mit­i­ga­tion strate­gies, our door is open.”

The di­rec­tive comes in the wake an un­prece­dented Rus­sian op­er­a­tion to in­ter­fere in the U.S. pres­i­den­tial elec­tion, with Rus­sian spy ser­vices hack­ing the net­works of the Demo­cratic Na­tional Com­mit­tee and other po­lit­i­cal or­ga­ni­za­tions and re­leas­ing dam­ag­ing in­for­ma­tion.

At least a half-dozen fed­eral agen­cies run Kaspersky on their net­works, U.S. of­fi­cials said, although there may be other net­works where an agency’s chief in­for­ma­tion se­cu­rity of­fi­cer — the of­fi­cial ul­ti­mately re­spon­si­ble for sys­tems se­cu­rity — might not be aware it is be­ing used.

The or­der ap­plies only to civil­ian govern­ment net­works. The De­fense Depart­ment, which in­cludes the Na­tional Se­cu­rity Agency, does not use Kaspersky soft­ware, of­fi­cials said.

Mean­while, the di­rec­tive may also put pres­sure on state and lo­cal gov­ern­ments that use Kaspersky prod­ucts. Many had been left to spec­u­late about the risks of stick­ing with the com­pany or aban­don­ing tax­payer-funded con­tracts, some­times at great cost. In July, The Wash­ing­ton Post found sev­eral state and lo­cal agen­cies that used Kaspersky’s anti-virus or se­cu­rity soft­ware had pur­chased or sup­ported the soft­ware within the past two years.

The U.S. in­tel­li­gence com­mu­nity has long as­sessed that Kaspersky has ties to the Rus­sian govern­ment. The com­pany’s founder, Eu­gene Kaspersky, grad­u­ated from a KGB-sup­ported cryp­tog­ra­phy school and had worked in Rus­sian mil­i­tary in­tel­li­gence.

Rob Joyce, the White House cy­ber­se­cu­rity co­or­di­na­tor and a for­mer NSA of­fi­cial, hailed the move. The idea that data col­lected by soft­ware on govern­ment net­works could wind up with Rus­sian spy agen­cies “was an un­ac­ceptof able risk,” he said Wed­nes­day at the Billing­ton Cy­ber­Se­cu­rity Sum­mit in Wash­ing­ton.

Sen. Jeanne Sha­heen (D-N.H.), an out­spo­ken critic of Kaspersky, said the DHS an­nounce­ment is “a sig­nif­i­cant step for­ward in im­prov­ing our na­tional se­cu­rity and pro­tect­ing against such vul­ner­a­bil­i­ties on fed­eral sys­tems.”

In an­nounc­ing its July de­ci­sion, the GSA un­der­scored that its mis­sion was to “en­sure the in­tegrity and se­cu­rity of U.S. govern­ment sys­tems and net­works” and that Kaspersky was delisted “af­ter re­view and care­ful con­sid­er­a­tion.” The ac­tion re­moved the com­pany from the list of prod­ucts ap­proved for pur­chase on fed­eral sys­tems and at dis­counted prices for state gov­ern­ments.

Joseph Lorenzo Hall, chief tech­nol­o­gist at the Cen­ter for Democ­racy and Technology, said he is con­cerned the pub­lic has not seen ev­i­dence of malfea­sance by Kaspersky but only “in­tel­li­gencecom­mu­nity rumblings about the po­ten­tial for back doors” — a ref­er­ence to holes in soft­ware.

PAVEL GOLOVKIN/AS­SO­CI­ATED PRESS

Eu­gene Kaspersky in July at his com­pany’s head­quar­ters in Moscow. Kaspersky Lab said U.S. al­le­ga­tions are “with­out merit.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.