“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS officials said, in a statement on the “Binding Operational Directive” to agencies and departments. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” it added.
The DHS is instructing departments and agencies to identify any use Kaspersky products on their information systems in the next 30 days and to develop detailed plans to remove the software in the next 60 days. Unless directed otherwise by DHS based on new information, agencies and departments have 90 days from the date of the directive to discontinue use of Kaspersky Lab products.
The directive suggests the U.S. government puts some credence in reports that the popular antivirus company, and its founder Eugene Kaspersky, have close ties to Russian intelligence services.
Sen. Jeanne Shaheen, D-N.H, has been pushing to prohibit the federal government from using the firm’s products. In a New York Times column earlier this month, Shaheen warned that the company poses a danger to U.S. security.
In a statement, DHS echoed this sentiment Wednesday. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” it said.
However, DHS is also providing Kaspersky Lab an opportunity to tell its side of the story via a written response to the Department’s concerns. “The Department wants to ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant,” it said. “This opportunity is also available to any other entity that claims its commercial interests will be directly impacted by the directive.”
Kaspersky Lab denied any involvement with the Russian government. “Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” it said. “No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.”
Security expert Alex Hamerstone said the U.S. government’s decision could have widespread implications. “This wasn’t an easy action for the US government to take, and it will also have significant ramifications for corporations that use Kaspersky,” explained Hamerstone, who is the Practice Lead for the Governance, Risk, and Compliance division at security consultant TrustedSec. “Many of those companies will now feel compelled to go through their systems and remove this antivirus program, as well as conduct a risk assessment.”
Earlier this week, retailer Best Buy said it would stop selling Kaspersky software for the time being. In a tweet, Kaspersky Lab said that the two companies have “suspended” their relationship, which they said may be “re-evaluated” in the future.
Michael Borohovski, co-founder of Tinfoil Security, told Fox News that he wasn’t surprised by the Department of Homeland Security’s move. “The U.S. government has been looking at Kaspersky for years, so this announcement is no real surprise to anyone. In fact, the GSA pulled Kaspersky from its list of pre-approved vendors back in July,” he said, noting U.S. fears about potential cyber espionage. “The US has aired similar concerns about other companies, like Chinese telecom company Huawei, which is currently banned from entering the US network equipment market.”
Huawei, however, does sell phones in the U.S. consumer market.