U.S. Acting Secretary of Homeland Security Elaine Duke this week issued a Binding Operational Directive requiring all Federal Executive Branch departments and agencies to stop using any products, solutions or services from Russia's Kaspersky Lab.
Departments and agencies have 30 days to identify any presence of Kaspersky products on their information systems, 60 days to develop detailed plans to remove and discontinue all use of the products, and 90 days to begin to implement those plans to remove and discontinue use of Kaspersky products.
The decision was made, according to the Department of Homeland Security (DHS), "based on the information security risks presented by the use of Kaspersky products on federal information systems," particularly since Kaspersky products generally provide broad access to files and elevated privileges on the computers on which they're installed.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to incercept communications transiting Russian networks," the DHS said in a statement.
"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," the DHS added.
In response, Kapsersky said in a statement that it has no inappropriate ties with any government, and said the DHS allegations regarding ties to Russian intelligence and other agencies are "completely unfounded."
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues," Kaspersky said. "The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit."
Christopher Krebs, a senior DHS official in the National Protection and Programs Directorate, told the Washington Post that the department is giving Kaspersky 90 days to prove that its products don't present a security risk. "We've determined that [the software] poses an unacceptable amount of risk based on our assessment," he said. "If they want to provide additional information or mitigation strategies, our door is open."
U.S. officials told the Post that at least a half dozen federal agencies run Kaspersky software.
In an interview with the BBC, Kaspersky Lab founder Eugene Kaspersky said, "When they say we have strong ties with Russian espionage it's not true."
"We cooperate with many law enforcement agencies around the world -- in the past with the U.S. as well," Kaspersky added.
A Loss of Trust
Venafi CEO Jeff Hudson told eSecurity Planet by email that this is part of a much larger pattern. "U.S. government officials are pressuring software companies to implement encryption backdoors because they think it will help them catch potential terrorists," he said.
"At the same time, they banned security software from a Russian company for use in the U.S. government because they are concerned about security backdoors," Hudson added. "They want to have it both ways, which is understandable."
It's not even controversial at this point, Hudson said, to suggest that other governments will inevitably take the same steps against U.S. software manufacturers if they're required to include encryption backdoors, and U.S. software companies will suffer.
"The net result is that the entire Internet will become completely untrustable -- there will be backdoors everywhere, and governments and bad guys will use them at will," Hudson said. "We have to hold ourselves to a higher standard and lead the way to show the rest of the world the right way to secure the Internet."