The government’s actions against Kaspersky Lab is a de facto debarment. Let’s just call it like it is. The government gave Kaspersky Lab the federal procurement version of the death penalty.
And the lack of due process for the company should be alarming for every federal contractor. In fact, the entire episode should be a big, flashing, warning light for other companies, as the actions taken by the government are highly unusual, severe and unexplainable, according to cyber and legal experts.
Additionally, the lack of transparency on the evidence of a connection between Kaspersky Lab and the Russian government for this de facto debarment from the General Services Administration or anyone in the intelligence community is just as disconcerting.
Insight by VMware: Be a part of the conversation about what the future of the workforce looks like by downloading this exclusive ebook.
Federal procurement lawyers and federal cyber experts both say there seems to be no good reason for GSA to have kicked Kaspersky off the schedules program, and now for lawmakers to aggressively question agency use of their software. The latest comes from Sen. Jeanne Shaheen (D-N.H.), who added a provision to the National Defense Authorization bill that would prohibit any agency from using Kaspersky Lab hardware, software or services whether directly or indirectly through a subcontractor or third party.
“If you look in the Federal Acquisition Regulations (FAR) part 9.4, there’s a whole administrative process which started back in the 1980s after a company argued they were denied due process. The courts held companies needed to have due process and Kaspersky hasn’t had its due process,” said Bill Shook, a procurement attorney and former congressional investigator. “What we don’t have is specific knowledge of if there is a backdoor that the Russian government can access and I don’t know how much of this is hysteria over President Donald Trump’s supposed connections to the Russian government. If I was representing them, I’d take this to court and then the government would have to show the judge evidence that the software is not secure or produces a national security threat.”
Jake Williams, a former National Security Agency executive who worked on the Tailored Access Operations (TAO) cyber warfare effort and now is an instructor and course author for the SANS Institute, said he is skeptical of Kaspersky Lab’s connection to the Russian government.
“Practically everyone I’ve talked to says, ‘We have evidence of that connection,’ but no one has seen it,” Williams said in an interview with Federal News Radio. “I’m not sure if someone started something and now it’s routing by rumor. We don’t know if the homework has been done, but we haven’t seen it if it has.”
Williams said it’s quite possible that Kaspersky could have some backdoor or other hidden vulnerability that the Russian government could take advantage of, but it’s the type of thing that would only happen once and then no one would trust the company ever again.
John Pescatore, director of emerging security trends at SANS and a former Gartner researcher who did work for Kaspersky, said concerns about the company’s connection to Russia aren’t new and there have been plenty of opportunities for researchers and others to discover potential or real problems.
“The whole thing from GSA and now Congress really came out of the blue,” he said. “No security folks I’ve talked with have found any smoking guns or evidence. If this is a trade war where countries are not using each other’s cyber software, the U.S. has the most to lose because we have so many software companies. This seems like a symbolic gesture or unofficial sanction.”
And that’s also what’s getting federal procurement attorneys concerned.
Eric Crusius, a senior counsel with Holland & Knight in Washington, D.C., said taking aggressive actions against a contractor without due process is highly unusual, if not unprecedented.
“There may be facts to justify these actions that we don’t know about, but any actions taken should be taken with due process afforded to everyone else,” he said. “Cybersecurity is an existential threat. Congress shouldn’t bend rule of law even around a company who’s suspected of cyber espionage without going through normal protocol.”
Shook added it’s also highly unusual for a lawmaker to get involved in a specific procurement issue.
He said former Rep. Norm Dicks (D-Wash.) applied strict oversight of the Air Force’s award of its refueling tanker in the mid-2000s, which eventually went to Boeing and was in Dicks’ district.
Experts had a hard time recalling another time when a member of Congress tried to legislatively ban a vendor from working with the government.
Pescatore said an Israeli cyber company called Check Point was caught up in the espionage case of Jonathan Pollard in 1985 and was temporarily banned from the NSA.
He also pointed to the Chinese networking and telecommunications company Huawei, as well as when IBM sold its PC branch to Lenovo as times when lawmakers raised concerns about possible cyber threats for the federal government. But there was no attempt to legislatively ban the vendor.
“There is an issue of supply chain to make sure all software is safe without any backdoors. There are ways to do that. The U.K. required Huawei to give them their source code to look for vulnerabilities and bugs or back doors,” Pescatore said. “It’s not widely done in the federal government. NSA has been pushing this issue around vulnerabilities.”
As for Kaspersky Lab, a spokeswoman didn’t tip their hand as to whether they would take legal action against GSA or the government.
“Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts. The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy development of technologies, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations,” the spokeswoman said by email. “Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game. Eugene Kaspersky, CEO and founder of Kaspersky Lab, has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company’s source code for an official audit to help address any questions the U.S. government has about the company. Kaspersky Lab continues to be available to assist all concerned government organizations with any investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded.”
The fact is the government’s decision may be well constituted in facts, but without sharing it or at least offering some further explanation, the random and seemingly unfair action against Kaspersky Lab should send a shiver down other vendors.