The Department of Homeland Security (DHS) is ordering federal agencies and departments to stop using software produced by Russian firm Kaspersky Lab, citing potential risks to U.S. national security.
The department says it’s concerned about ties between certain Kaspersky employees and the Russian government.
Elaine Duke, the department’s acting secretary, issued a binding operational directive on Wednesday ordering federal executive bodies to identify any Kaspersky cybersecurity products on their information systems within the next 30 days and come up with “detailed plans” to remove the security software.
{mosads}Agencies and departments are to begin removing Kaspersky products from their systems in three months.
Kaspersky has come under intense scrutiny in recent months amid news reports alleging connections between the firm and Russian intelligence. Eugene Kaspersky, the firm’s founder, has also been scrutinized for his education at a computer science institute backed by the KGB, the Soviet-era spy angency.
The multinational company, which has headquarters in Moscow but locations across the globe, has long maintained that it has no ties to the Russian government. But Kaspersky has attracted increased attention in the wake of Russia’s interference in the U.S. presidential election.
The DHS cited “information security risks” posed by the presence of Kaspersky software on federal information systems, explaining that Kaspersky products “provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.”
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS said Wednesday.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
In a statement, Kaspersky called allegations of ties to the Kremlin “completely unfounded” and said that Russian laws and policies are being “misinterpreted.”
Rob Joyce, President Trump’s cybersecurity coordinator, applauded the DHS on Wednesday, calling the move a “risk-based decision.”
“For us, the idea of a piece of software that’s able to live on our networks and touch every file on those networks, going to be able to, at the discretion of the company, decide what goes back to their cloud in Russia, and then what you really need to understand is under Russian law, the company must collaborate with the FSB,” Joyce, speaking at a cybersecurity conference in Washington, said. The FSB is the successor agency of the KGB.
“For us in the government, it was an unacceptable risk.”
The U.S. government has not publicly produced evidence of links between Kaspersky and Russian intelligence. However, the FBI is said to be pursuing a probe into the company, interviewing some employees at their homes earlier this year.
Kaspersky has also attracted attention on Capitol Hill. In May, top intelligence officials testified before the Senate Intelligence Committee that they would not be comfortable with Kaspersky software on their computers.
Sen. Jeanne Shaheen (D-N.H.) has introduced an amendment to annual defense policy legislation that would bar federal agencies from using Kaspersky products on their systems. On Wednesday, she applauded the DHS for “heeding” her call, labeling Kaspersky a “direct threat to national security.”
The company, which produces lauded anti-virus software, boasts more than 400 million customers worldwide.
The DHS is giving Kaspersky the opportunity to submit a written response addressing the concerns raised or to mitigate concerns spelled out in the directive.
“Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” Kaspersky said in a statement to The Hill.
“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company,” the company said.
Recently, Best Buy, the largest electronics retailer in the U.S., stopped selling Kaspersky software in its stores and on its website.
Joe Uchill contributed.