Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development
Kaspersky Software Ordered Removed From US Gov't Computers
DHS: Russian-Owned Company Poses Risk to Federal ITThe Trump administration is ordering U.S. federal executive branch agencies to remove anti-virus software from Russian-owned Kaspersky Lab from their computers within 90 days.
See Also: The State of OT Security: A Comprehensive Guide to Trends, Risks, and Cyber Resilience
The Department of Homeland Security, in a statement issued Wednesday, says Kaspersky security products pose a risk to federal information systems because they provide broad access to files and elevated privileges on the computers where they're installed that could be exploited by malicious cyber actors to compromise those IT systems.
"The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks," the DHS statement says. "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."
The company's founder, Eugene Kaspersky, has worked for the Russian military and was educated at a KGB-sponsored technical college.
Kaspersky Lab, in a statement posted on its website, says the company does not have inappropriate ties with any government and is disappointed with the decision to ban its products from U.S. government computers. "No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company," the company statement says. "Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia."
'Guilty Until Proven Innocent'
A Russian law that requires telecom companies and internet service providers to cooperate with the Kremlin does not apply to Kaspersky, the company contends. "Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues," the company statement says.
The binding operational directive, issued by Acting Homeland Security Secretary Elaine Duke, calls on U.S. federal departments and agencies to identify Kaspersky products on their computers within the next 30 days. The directive gives the agencies 60 days to develop a plan to remove the software. .
DHS says it's providing an opportunity for Kaspersky to submit a written response addressing the department's concerns or to mitigate those concerns. " The department wants to ensure that the company has a full opportunity to inform the acting secretary of any evidence, materials or data that may be relevant," the statement says.
Kaspersky says it will take up DHS's offer. "The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit," the company statement says.