The U.S. government banned any federal agency from using products made by Russian-owned and operated security firm Kaspersky Lab, concluding that the level of access that the security products have to be too great a risk for national security.
In a Binding Operational Directive (BOD) published on Sept. 13, Elaine Duke, acting Secretary of U.S. Department of Homeland Security gave federal agencies 30 days to identify any use of Kaspersky products, 60 days to develop plans to remove the products, and 90 days to transition to other vendors’ security offerings. Duke also requested a response to the directive from Kaspersky Lab.
“Kaspersky antivirus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” the DHS said in a statement announcing the directive.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
The order came two months after the General Services Administration (GSA) removed Kaspersky Lab from the lists of approved vendors for information-technology services and digital photographic equipment. The delisting occurred the same day that Bloomberg reported that internal emails from Kaspersky Lab indicated a closer relationship to Russia’s main intelligence agency that previously admitted.
In a statement sent to eWEEK, Kaspersky Lab stated that it is not required to provide aid to the Russia government, unlike domestic Russian Internet service providers and telecommunication firms. The company underscored that 85 percent of its revenue comes from outside Russia — a massive incentive for the company to eschew anything that could jeopardize its business.
“Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” the company stated.
“These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development,” the company statement added.
DHS stressed that its concerns about Kaspersky Lab are related to the access that the company’s products have to sensitive systems, which could allow—either knowingly or unwittingly—Russian intelligence services to gain access to vital government information and operations.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the DHS said in its statement.
“Safeguarding federal government systems requires reducing potential vulnerabilities, protecting against cyber intrusions, and anticipating future threats,” the DHS added. “While this action involves products of a Russian-owned and operated company, the Department will take appropriate action related to the products of any company that present a security risk based on DHS’s internal risk management and assessment process.”
