The Homeland Security Department is giving agencies 30 days to identify where they are using products and services from Kaspersky Lab and to remove those technologies from federal networks 60 days after that.
DHS issued a binding operational directive (BOD) Sept. 13 detailing the steps agencies must take.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” DHS said in a statement. “The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allows Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
Rob Joyce, White House cyber coordinator, said at the eighth annual Billington Cybersecurity Summit in Washington that DHS made a risk-based decision to protect federal networks.
Insight by Apptio: Download the results of his strategic guidance survey and learn how CIOs at ITA, LoC and other agencies are maximizing their investments to make sure resources are aligned to mission goals.
“For us, the idea of a piece of software that is going to live on our networks, that is going to touch every file in those networks and going to be able to, at the discretion of company, decide what goes back to their cloud in Russia, and what you really need to understand is under Russian law the company must collaborate with the FSB so for us in the government that was an unacceptable risk,” Joyce said. “We made risk decisions based on the technology and the environment, and it’s unacceptable for federal networks.”
Joyce said in an interview after his speech that DHS and the White House reviewed all risks associated with the decision, ranging from potential retaliation to impacts on agencies, the private sector and allies.
A Kaspersky Lab spokeswoman said by email that the company is disappointed with DHS’ decision but is grateful for the opportunity to respond to the allegations.
“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company,” the company stated. “Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia. In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development.”
DHS will let Kaspersky submit a written response addressing the concerns or to mitigate those concerns.
“The department wants to ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant,” DHS stated. “This opportunity is also available to any other entity that claims its commercial interests will be directly impacted by the directive.”
The spokeswoman added the federal government is misinterpreting Russian laws.
“The laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication service,” she said. “Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more. Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.”
Agencies now have 30 days to identify all uses of Kaspersky Lab products and services, and then two months to remove the technology from their networks and systems.
Joyce said the effort will be an aggressive one for the government.
“We are pushing departments and agencies to work aggressively toward it,” he said. “I will not go for exemptions at the beginning, but certainly with any activity in the government, we are not marching ahead blindly and we will consider the factors.”
Another government official familiar with the BOD told Federal News Radio agencies will need time and money to move off Kaspersky Lab technologies.
“Part of the BOD talks about if agencies are having difficulties, they need to work with the CFO and your agency to work on that,” the official said. “We will cooperate with the other departments and agencies to help them understand and do the replacements. This was not a collaborative process initially, but it will be now once the BOD is signed.”
The official said federal chief information officers and chief information security officers should have known it was coming out.
The official added there has been a concern about Kaspersky Lab for a period of time, and the concern has manifested in some things the government has learned.
“This has been a long and involved process to make sure the legal parts of it were properly structured,” the official said.
Agencies will have to find the money to remove and replace Kaspersky Lab technologies.
DHS will assist and support agency efforts to make the process as quick and painless as possible.
DHS’ move follows the decision by the General Services Administration to remove Kaspersky Lab from its schedules program.
Additionally, Sen. Jean Shaheen (D-N.H.) has submitted a provision in the 2018 Defense Authorization bill to ban Kaspersky Lab products from Defense Department networks.
Shaheen said in a statement that DHS’s actions are important to remove “this national security vulnerability from federal computer systems. I’m optimistic that Congress will soon act on my governmentwide ban of Kaspersky software so that this new policy is reinforced by statute.”
Rep. Lamar Smith (R-Texas), chairman of the Science, Space, and Technology Committee, wrote to agencies in July asking for documents and information regarding Kaspersky Lab use on federal networks. Smith’s letter requested information regarding computers, systems, data and any other information that may be accessible to Kaspersky Lab from each agency.
Smith applauded the DHS decision on Twitter, and announced a Sept. 27 hearing “on Kaspersky products and risks they pose to U.S. systems.”
A spokeswoman for Smith said they have received feedback from several agencies and expects to hear from the rest in the coming weeks.
This was DHS’ fifth BOD since Congress gave them the authority in 2014 for mandate agency compliance with imminent cyber threats. Previous BODs covered everything from patching software provided by CISCO Systems and another focused on reporting cybersecurity incidents.
Jake Williams, a former National Security Agency executive who worked on the Tailored Access Operations (TAO) cyber warfare effort and now is an instructor and course author for the SANS Institute, said in an email to Federal News Radio that the public case that Kaspersky has ties to the Russian government is not strong.
“First, [the BOD] notes any direct and indirect use of the software. I think that’s significant because, as you probably know, Kaspersky licenses it’s code for use in a number of security products. It is going to be really difficult for most agencies to find all of the indirect uses of Kapsersky code,” he said. “I think the government wisely hedged its bets with regards to Kaspersky, saying ‘the Russian government, whether acting on its own or in collaboration with Kaspersky.'”
He added that even though Kaspersky Lab has the ability to ask for redress of the ban, it likely will not work. Williams said the fact that the company offered for the government to do a third-party audit of its code was not effective shows that the remedy is unlikely to make a difference.
Tom Kellermann, CEO of Strategic Cyber Ventures and 20-year cyber expert, said this move by DHS is the latest action in a brewing technology conflict.
“The balkanization of cyberspace has begun in earnest,” Kellermann said. “Russia began this cyber Cold War not just with the hacking of the US Government but also in her condemnation and partial ban of Microsoft. As a result of this ban, supply chain security has never been more paramount, particularly if you desire to do business with the U.S. Government.”