US government bans agencies from using Russian cybersecurity software over spying fears

Mythili Sampathkumar
A picture taken on 17 October 2016 shows employees working at the headquarters of Internet security giant Kaspersky in Moscow: KIRILL KUDRYAVTSEV/AFP/Getty Images

The US government has banned federal agencies from using Kaspersky Lab security software, a Russian company, over concerns it may be tied to state-sponsored espionage.

Acting Homeland Security Secretary Elaine Duke has issued a directive given at least six federal agencies a timeline to get rid of the software from government networks.

The move comes amid parallel investigations by Congress, and the FBI under Special Prosecutor Robert Mueller into Russian interference in the 2016 presidential election and potential ties between Donald Trump's 2016 campaign team and Russian officials.

The agencies have 30 days to identify if they are using the software in question, 60 days to come up with a plan to uninstall it and find a replacement, and 90 days to actually begin uninstalling and replacing the Kaspersky software.

According to US officials not authorised to speak publicly about the matter, Ms Duke feels the company's relationship with the Russian government poses a security threat to the US government - the Kremlin could access federal information through a backdoor.

In a statement accompanying its directive, the Department of Hiomeland Security said it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”

It continued: “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”

The department said it would provide Kaspersky with the opportunity to submit a written response to address the allegations. The agency said other entities claiming commercial interests affected by the directive could also submit information

R. David Edelman, who leads a cybersecurity project at MIT's Internet Policy Research Initiative and Centre for International Studies, told The Independent that the move signals “the idea that we're in a chilly period for U.S.-Russia relations, especially on cybersecurity matters.”

Mr Edelman points out that the General Services Administration, an independent federal agency tasked with handling the basic functions of government, had taken Kaspersky Lab software off its approved vendor and procurement list back in July 2017.

For its part, Kaspersky said in a statement sent to The Independent that it has no ties to the Russian government.


“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company,” the company said.

Mr Edelman noted that the DHS’ decision was too “big” to have been made without some hard evidence of security risk and exposure, but that it likely involves sensitive materials requiring the agency to keep it away from the public.

Kaspersky also made the point that 85 per cent of its revenue comes from outside of Russia, “which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line.”

The company has not answered questions regarding how much of its business comes from the US federal and various US state governments.

Richard Ledgett, former National Security Agency Deputy Director, said the move by the US government was a wise one.

He told the Washington Post that Kaspersky is “bound to comply with the directive of Russian state security services, by law, to share with them information from their servers.”

The company contends Mr Ledgett’s interpretation of Russian law is incorrect and Kaspersky Labs does not fall under the purview of the law because it only applies to telecommunications or Internet Service Provider (ISP) companies.

“It’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” the company said.

Mr Edelman said that there is “potential fallout” from DHS’ decision from the private sector as well as US authorities.

He said it prompts companies to ask: “If cooperating with governments is dangerous business, wouldn't it also embolden companies to resist overtures from U.S. authorities as well?”

The DHS directive also strongly urged state governments to stop using the software but the decision whether to continue using it or prematurely end contracts at the potentially high cost to taxpayers will be dependent on the state government's decision.