The General Services Administration first realized it may have a problem with Kaspersky Lab technology products toward the end of 2016.
Seven months later, GSA gave the three resellers who offered the company’s products on the Schedules program 30 days to remove Kaspersky’s anti-virus and other cybersecurity software and services.
David Shive, the GSA chief information officer, told the House Science, Space and Technology subcommittee on Oversight that all three vendors complied with the agency’s request in a timely manner.
But cyber experts say that while Kaspersky may be getting all the attention on Capitol Hill and from the Homeland Security Department, agencies are at risk from any vendor providing similar cyber products and services.
“In order to properly assess any risk posed by Kaspersky Lab products to the federal government, one must first understand the technical nature of those products themselves. As with many other information and communication technologies (ICT), vendors and service providers, Kaspersky Lab remotely administers its services on client networks. Moreover, the very nature of Kaspersky Lab’s security product offering is to provide constant and complete network monitoring to prevent and/or detect cyber intrusions and the harmful effects of malicious software,” Sean Kanuk, the director of Future Conflict and Cyber Security at the International Institute for Strategic Studies and a former National Intelligence Officer (NIO) for Cyber Issues in the Office of the Director of National Intelligence, told the subcommittee at yesterday’s hearing. “Discussions regarding the potential to introduce surreptitious ‘back doors’ into Kaspersky Lab software are largely a moot point, because a well-known — and explicitly marketed feature — of the product offering is a wide open ‘front door’ for Kaspersky algorithms and technicians to not only view corporate network activity (including files and traffic flows) but also to issue remedial instructions to computers on the networks they protect.”
Kanuk said Kaspersky and other similar vendors obtain Internet intelligence that is as broad as it is deep. He said these vendors basically have a “private global cyber network.”
“I would encourage the U.S. government to assess all IT products from all vendors regardless of national origin because if we are trying to protect sensitive information, we should be fully cognizant that foreign intelligence actors will be willing to exploit any IT vendor that we are using even if it’s not of their own national origin,” he said.
Kanuk’s concerns about the deep network access Kaspersky Lab and other cyber vendors have through their products became more real today. Kaspersky Lab issued a statement saying it obtained source code used for hacking in a routine investigation of an Advanced Persistent Threat. Reuters reported that the source code is from the Equation Group, which is a National Security Agency project.
James Norton, president of Play-Action Strategies LLC and an adjunct professor at Johns Hopkins University, said agencies struggle to fully know what software is on their networks and that’s a huge piece of the broader problem.
He said agencies have underinvested in cybersecurity over the last decade and that has led to weaknesses in their network security.
“We haven’t had the capability, the staffing or the opportunity to take an internal look at what is on the network outside these kinds of clean-ups that are happening now,” Norton said. “The executive branch is just now looking at this over the last couple of years. It’s obviously a big miss and there’s been a lot of success in terms of foreign adversaries being able to infiltrate not only the DoD, but DHS and other networks.”
And it’s that need to clean up Kaspersky Lab products that led the Homeland Security Department to issue a Binding Operational Directive Sept. 13 mandating agencies remove those products from their networks.
Sen. Claire McCaskill (D-Mo.), ranking member of the Homeland Security and Governmental Affairs Committee, wrote to acting DHS Secretary Elaine Duke Tuesday asking for an update by Nov. 14 on governmentwide efforts to meet the BOD.
McCaskill outlined 11 questions in her letter, including how DHS is ensuring compliance among agencies, how many systems are using Kaspersky as of the issuance of the BOD and how the BOD applies to contractor systems.
There seems to be some disagreement about the last question.
Shive told the House committee that the DHS directive restricts contractors from using Kaspersky.
But on Oct. 15, Chris Krebs, the senior official performing the duties of the undersecretary for the National Protection and Programs Directorate at DHS, initially told the Senate Armed Services Committee that the BOD didn’t impact contractors, then said he would check and get back to the committee.
An email to DHS today seeking clarification was not immediately returned.
As for the Defense Department, Ken Rapuano, the assistant secretary of Defense for Homeland Defense and Global Security, told the Senate committee, “We have instructed the removal of Kaspersky from all of the DOD information systems. I’ll follow up specifically on contractors.”
The directive highlighted a broader need for non-government entities who may be targets of cyber attacks to better understand the potential threat Kaspersky Lab could pose.
This is why Sen. Jeanne Shaheen (D-N.H.) wants DHS to declassify the evidence of why Kaspersky is a threat to the government and public.
She wrote to DHS and Dan Coats, the director of national intelligence, today saying she remains concerned about the use of Kaspersky Lab products on non-governmental systems.
“As we now know, Kaspersky Lab was used by Russian intelligence services to obtain highly-sensitive data through targeting of an NSA employee’s home computer. Furthermore, Kaspersky Lab has engaged in a campaign of offering free anti-virus protection to computer users nationwide, despite the seeming ramifications to the company’s bottom line,” Shaheen wrote. “These incidents as well as the long-standing links between Kaspersky Lab and the Kremlin continue to concern me and my colleagues. Therefore, I urge you to declassify information about Kaspersky Lab and its products for the public good.”
Cyber experts say the answer to concerns about products from Kaspersky Lab or other cyber vendors is resilience and supply chain management.
GSA’s Shive told the subcommittee it’s every federal CIO’s job to understand what is on their networks and the risks that come with the software or hardware.
Norton said maybe it’s time to come back to the concept of having a trusted vendor list, especially for cybersecurity companies.
“We all know that there is massive political pressure for the federal government to step up and secure their networks. But that means they are buying very quickly and making decisions from all different levels. I think having that trusted vendor list from not only U.S. companies, but companies that the U.S. are allies with so CIOs and managers can then rely on to implement the solutions going forward is a place we need to start,” he said. “Supply chain management and supply chain security is certainly a key part of this. I think there needs to be investment from the private sector and the government.”
DHS issued a supply chain risk management framework for the continuous diagnostics and mitigation program in July as part of a growing effort to ensure confidence in cyber products.
“A proper review of the features of a lot of these security softwares would allow you to do a proper assessment. In my experience, foreign intelligence actors and criminals alike, once they find out who has access to the network, they seek access, will attempt to derive ways to exploit that path in. So it’s a matter of intent and resources,” Kanuk said. “I do not believe there is any network or product that is perfectly secure, it’s all a risk management issue.”