Week ahead: What comes next for Kaspersky Lab’s scuffle with the feds?


For weeks, the cybersecurity community has wondered why, exactly, the Department of Homeland Security (DHS) found it necessary to ban federal agencies from using Kaspersky Lab products.

On Thursday, we got our first semblance of an answer: Kaspersky Lab products were leveraged to hack a National Security Agency (NSA) contractor in 2015 and steal NSA hacking tools.

We do not know if Kaspersky Lab had any knowledge of its role in the attack — the company says it did not — or whether the 2015 incident played a role in DHS’s binding operational directive to shun the company’s products.

We also do not know if the NSA will take to heart Sen. Ben Sasse’s (R-Neb.) exhortation to re-evaluate its use of contractors; counting Edward Snowden, this is the third known major breach of surveillance tools from a contractor. And we do not know if Sen. Jeanne Shaheen’s (D-N.H.) request to the White House to declassify other Kaspersky Lab intel will be granted.

But many of the pieces may start to fall into place this week, the first full week to respond to the incident.

The response to the Equifax breach may become a little clearer as well, even if that response is not directed at Equifax.

There were four hearings either focused on or largely about the Equifax breach last week, a process that appears to have produced more legislative ire toward the IRS than toward Equifax or the credit monitoring industry.

At issue is a no-bid $7 million IRS contract signed by Equifax on Sept. 29, well after the company announced its historic breach. Giving Equifax more responsibility for sensitive data did not go over well with House Homeland subcommittee on cybersecurity Chairman John Ratcliffe (R-Texas), who called for the DHS to review the contract on security grounds. It also drew harsh criticism from legislators from Sasse to Sen. Elizabeth Warren (D-Mass.).

The IRS gave an explanation for the deal at a hearing last Wednesday. In July, it had awarded a contract to replace Equifax with a new vendor for an anti-fraud service. But Equifax challenged the procurement — a process still being adjudicated by the Government Accountability Office (GAO). The $7 million contract is to keep the lights on temporarily while the GAO considers a final ruling.

Nonetheless, the next step in oversight of the Equifax breach appears likely to focus on the IRS procurement, possibly this week.

Major hearings this week include a Wednesday panel on security clearances, a process often seen as a bottleneck across the security spectrum. Also on Wednesday, the House Science, Space and Technology Committee will discuss the physical security of the federal standards agency NIST. Hearings will also focus on the threat landscapes of North Korea and Iran, both of which run large cyber operations.

In case you missed them, here are some of our recent pieces:

Private data of more than 1,100 NFL players, agents exposed

GOP rep pitches fines for hacked credit-monitoring firms

Senator presses voting machine makers on whether they have been hacked

White House official calls for ending Social Security numbers as means of identification

European Union courts to hear case that could hobble Facebook

EC says 2016 hack exposed personal data

Ex-Equifax CEO: Tech staff were told to patch security flaw before breach


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
