The Department of Homeland Security’s decision to ban federal agencies and departments from using products from Moscow-based cybersecurity firm Kaspersky Lab comes as no surprise, say security experts.
Officials say that the prominent company poses a threat to U.S. national security and have given government agencies and departments 90 days to get rid of Kaspersky Lab software.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS officials said, in a statement on the “Binding Operational Directive” Wednesday. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” it added.
Kaspersky Lab denies the allegations.
Security experts told Fox News that they were not surprised by the DHS move.
“The US government has a duty to protect its information, and we can assume that this decision is based on careful consideration and evidence, some or much of which they have not made public,” said Alex Hamerstone, Practice Lead for the Governance, Risk, and Compliance division at security consultant TrustedSec, in an email sent to Fox News. “While I don’t have insight into the dealings of the Russian government and Kaspersky, we’ve seen in the news over the last few years that US companies regularly cooperate with US intelligence agencies … why would we think that this isn’t happening in other countries too?”
“The U.S. government has been looking at Kaspersky for years, so this announcement is no real surprise to anyone. In fact, the GSA pulled Kaspersky from its list of pre-approved vendors back in July,” added Michael Borohovski, co-founder of Tinfoil Security, noting U.S. fears about potential cyber espionage. “The US has aired similar concerns about other companies, like Chinese telecom company Huawei, which is currently banned from entering the US network equipment market.”
Huawei, however, does sell phones in the U.S. consumer market.
The DHS National Protection and Programs Directorate told Fox News that it does not currently have data on how much Kaspersky software is being used across the U.S. government. As part of its directive, the DHS is instructing departments and agencies to identify any use of Kaspersky products on their information systems in the next 30 days and to develop detailed plans to remove the software in the next 60 days. Unless directed otherwise by DHS based on new information, agencies and departments have 90 days from the date of the directive to discontinue use of Kaspersky Lab products.
The directive suggests the U.S. government puts some credence in reports that the popular antivirus company, and its founder Eugene Kaspersky, have close ties to Russian intelligence services.
Sen. Jeanne Shaheen, D-N.H., has been pushing to prohibit the federal government from using the firm’s products. In a New York Times column earlier this month, Shaheen warned that the company poses a danger to U.S. national security.
Shaheen welcomed the DHS move in a tweet on Wednesday. “Applaud DHS for heeding my call to remove all Kaspersky products from fed agencies. Kaspersky is a direct threat to national security,” she tweeted.
However, DHS is also providing Kaspersky Lab an opportunity to tell its side of the story via a written response to the Department’s concerns. “The Department wants to ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant,” it said. “This opportunity is also available to any other entity that claims its commercial interests will be directly impacted by the directive.”
In a statement sent to Fox News, Kaspersky Lab denied any involvement with the Russian government. “Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” it said. “No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.”
Eugene Kaspersky also tweeted in response to the DHS directive. “I guess this explains it all “Guilty ‘til proven innocent, jailed ‘til you clear your name” Welcome to 21st century,” he wrote Thursday.
TrustedSec’s Hamerstone said the DHS move could have widespread implications. “This wasn’t an easy action for the US government to take, and it will also have significant ramifications for corporations that use Kaspersky,” explained Hamerstone, who is the Practice Lead for the Governance, Risk, and Compliance division at security consultant TrustedSec. “Many of those companies will now feel compelled to go through their systems and remove this antivirus program, as well as conduct a risk assessment.”
Earlier this week, retailer Best Buy said it would stop selling Kaspersky software for the time being. In a tweet, Kaspersky Lab said that the two companies have “suspended” their relationship, which they said may be “re-evaluated” in the future.
Additional reporting by Chris Ciaccia.