Citing fears of Russian spying, the Department of Homeland Security announced Wednesday that all federal executive branch departments and agencies must take steps to remove any software related to AO Kaspersky Labs.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” the agency said in its announcement. “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”
The Washington Post notes that the federal agency in charge of government purchasing removed Kaspersky from its list of approved vendors months ago, citing possibilities that the software could offer the Russian government a backdoor into any system that uses Kaspersky products. This order didn’t bar agencies already using the software from continuing to use it, according to the Post, but rather took the company off “the list of products approved for purchase on federal systems and at discounted prices for state governments.”
Wednesday’s directive takes things a step further by forcing the software off civilian federal executive branch systems entirely. (Military and intelligence systems “generally” do not use Kaspersky software, the Post notes.) DHS is giving federal executive branch agencies 30 days to identify any Kaspersky software or products in their systems, 60 days to develop plans to remove the software, and 90 days to begin acting on the plan to remove the software.
The decision comes just over a week after Sen. Jeanne Shaheen (D-N.H.), in a New York Times op-ed, said she would introduce legislation prohibiting the entire federal government from using the company’s software. “The Kremlin hacked our presidential election, is waging a cyberwar against our NATO allies and is probing opportunities to use similar tactics against democracies worldwide,” Shaheen wrote. “Why then are federal agencies, local and state governments and millions of Americans unwittingly inviting this threat into their cyber networks and secure spaces?”
Kaspersky products are used by as many as 400 million users worldwide, according to Bloomberg, which makes the point that as many as half of those users don’t realize they’re using the company’s software due to licensing agreements with other companies. One of the firm’s key products is antivirus software, which enables the Kaspersky program to access to every file on any system on which it’s installed.
As Politico reports, Eugene Kaspersky, the company’s founder and CEO, along with several other top company executives, are former Russian intelligence, and the US intelligence community and lawmakers of both parties have been concerned about its potential ties with Russian intelligence “for years.” Pressure grew to take action against the company after evidence started mounting that the Russian government was behind a widespread hacking and disinformation campaign to influence the 2016 presidential election.
Eugene Kaspersky declined to comment when reached by Mother Jones on Wednesday. But in a point-by-point response to Shaheen’s op-ed, the company denied having “any inappropriate ties with any government, which is why no-credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company. The only conclusion seems to be that the Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.” The company also said Eugene Kaspersky “grew up in the Soviet era, when almost every education opportunity was sponsored by the government in some manner and military service was mandatory,” adding that he served as a software engineer at a Ministry of Defense scientific institute and “contrary to misinformed sources, he never worked for the KGB.”
Private sector information security experts have varying opinions on exactly what’s happening with and at Kaspersky Labs. Jake Williams, a former NSA employee and founder of an information security company called Rendition Infosec, wrote in a recent Cyberscoop column that the actions being taken against Kaspersky should be backed up with more public evidence lest US companies face similar actions abroad.
“It has been well-known that [Eugene] Kaspersky was trained by Russian intelligence and served with them for some time before starting his company,” Williams wrote. “But this alone cannot be the standard of proof for ‘influence from Russian intelligence.’ A large number of US companies (mine included) would meet this standard for ‘influence’ by US intelligence.”
Reached Wednesday, Williams tells Mother Jones that the licensing agreements Kaspersky has are going to make it “really difficult for most agencies to find all of the indirect uses of Kaspersky code,” and that, in its announcement, the government is perhaps unintentionally hinting that its case against Eugene Kaspersky isn’t as strong as they might like.
“I think the government wisely hedged its bets with regards to Kaspersky, saying ‘the Russian government, whether acting on its own or in collaboration with Kaspersky,’” Williams tells Mother Jones. “I don’t think their public case of ‘Eugene Kaspersky has Russian ties’ has been very strong. People are starting to ask questions. So we see that they’ve moved to a narrative of ‘maybe the Russian government would just do it without Kaspersky.’”
Meanwhile Dave Aitel, a former NSA research scientist, says the US government doesn’t actually need to release any evidence. “It’s really pretty clear what the US is saying,” Aitel wrote in a blog post on his personal site about US pressure on Kaspersky earlier this summer. “They are saying, through leaks and not-so-subtle hints, that Kaspersky was involved in Russian operations. It’s not about ‘being close to the Kremlin’ or historical ties between Eugene Kaspersky and the FSB …. It’s about a line being crossed operationally.”
There are reasons to side with both camps in this debate, says Philip Chertoff, a research fellow in the cybersecurity program at the GLOBSEC Policy Institute, an EU/NATO think tank. In a recent Wired column, Cherftoff argues that it’s not unreasonable to think that Kaspersky has ties to Russian intelligence given “Russia’s relationship-based business climate” that sometimes depends on “relationships with senior government officials.” But, he argues, similar blurred lines exist between intel and information security firms in countries such as France, Israel, China, and the US. Additionally, Kaspersky is an industry leader in threat research and hampering access to it could harm the work of security researchers.
What is clear, though, is that Moscow won’t be happy with the DHS move. In June, Bloomberg cited Russia’s Communications Minister Nikolai Nikiforov, who warned that any “unilateral political sanctions” by the US could prompt a response from Russia, as the Russian government uses “a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas.”