Kaspersky Lab logo
The US Department of Homeland Security (DHS) has ordered all government agencies to "develop plans to remove" all "information security products, solutions, and services" produced by Kaspersky Lab, the Russian multinational cybersecurity and anti-virus provider.

The DHS issued a Binding Operational Directive (BOD) that calls "on departments and agencies to identify any use or presence of Kaspersky products on their information systems" and "to develop detailed plans to remove and discontinue present and future use of the products," giving them 90 days to comply with the order.

The DHS further explained that its decision is based on assessments of the "information security risks presented by the use of Kaspersky products on federal information systems." It added that these products could be "exploited by malicious cyber actors to compromise those information systems."

US authorities also believe that "certain Kaspersky officials" could have ties with Russian intelligence and other government agencies, providing an opportunity for US security to be "compromised."

"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security," a DHS statement issued Wednesday reads.

The DHS provided no specific evidence supporting its claims, however.

It also afforded "an opportunity for Kaspersky to submit a written response addressing the department's concerns or to mitigate those concerns."

In recent months, Kaspersky Lab been subjected to increased scrutiny by US law enforcement agencies and Congress. In June, the FBI questioned its employees across the US while US senators approved a draft defense policy spending bill aimed at barring the Pentagon from using its software.

Comment: According to Jake Williams writing for CyberScoop, the FBI has been briefing U.S. companies to stop using Kaspersky products. But the intel they've been sharing has not been made public. Sen. Jeanne Shaheen, D-N.H., is behind the push to drop Kaspersky from Pentagon networks, citing "Russian spies" and "classified assessments" - i.e., no evidence. But as with any antivirus software, there is always room for concern. Ironically, that concern means that if it's true, Kaspersky and (allegedly) the Russian government already know everything the U.S. intel knows:
It has been reported that one of the pieces of "evidence" against Kaspersky is that they inappropriately exfiltrate files from customer environments. It is entirely possible that this is benign behavior as part of Kaspersky's cloud analytics program, but for this discussion, let's take the claim at face value and assume maximum malice.

From their software installations, Kaspersky could be monitoring emails, webmail exchanges, and other documents being shared. The FBI is specifically briefing organizations that use Kaspersky products, so all of the companies briefed would be subject to monitoring from Kaspersky. The briefings from the FBI are certainly scheduled. Even if the FBI tells the organizations not to talk about the upcoming briefing over email or other electronic messaging, human nature - especially in organizations that do not have a security culture - virtually guarantees that some percentage of them inevitably do.

If Kaspersky is what the FBI claims it is, they have certainly intercepted these communications and shared them with Russian intelligence.

And, after the briefings from the FBI; when organizations are considering switching antivirus products, the merits of the bureau's arguments are certainly being discussed in channels that Kaspersky could monitor. Switching antivirus providers is no small investment in time and software costs and it is a decision that is not taken lightly by any organization. The quality of the arguments put forth by the FBI would doubtless be discussed by IT, information security, procurement, and management personnel. Until Kaspersky is replaced in the organization's network, they are again in a position to intercept this data and share it with Russian intelligence.

It is easy then to make the case that those being briefed by the FBI are discussing the facts of the Kaspersky case. It is also clear that Kaspersky would be in a position to monitor these discussions and report them to Russian intelligence. The Russian government is doubtlessly interested to know what information the FBI is briefing U.S. organizations about a Russian company. If Kaspersky can be influenced by Russian intelligence (as the public claims by the FBI imply) then we can only conclude that Kaspersky (and the Russian government) already know what the FBI is briefing.

Protection of intelligence sources and methods is the standard reason given for withholding intelligence data from public consumption. But, if Kaspersky and Russian intelligence knows what the FBI is briefing to U.S. companies, there are no sources and methods to protect.

The American public remain the only people unable to make an informed decision about whether or not to use Kaspersky. The FBI needs to educate the American people so they can make an informed decision about Kaspersky.

It's high time the bureau showed its cards or folded its hand.

In mid-July, the US General Services Administration (GSA) removed the firm from two lists of government contractors, citing security reasons.

Comment: It looks like the recent push by Shaheen is just more bandwagon-jumping "Russkies are coming" nonsense:
"Americans were outraged by Russia's interference in our presidential election, but a wider threat is Russia's doctrine of hybrid warfare, which includes cyber-sabotage of critical American infrastructure from nuclear plants to electrical grids," Shaheen said in the release. "Kaspersky Lab, with an active presence in millions of computer systems in the United States, is capable of playing a powerful role in such an assault. It's time to put a stop to this threat to our national security."

The senator also cited a public hearing of the Senate Intelligence Committee in May where six top intelligence officials, including the heads of the FBI, CIA and National Security Agency (NSA), unequivocally answered no when asked if they would be comfortable with Kaspersky Lab software on their agencies' computers, as an example of the threat the firm poses.

Shaheen has already successfully introduced an amendment to the Senate defense policy legislation that would bar the US Defence Department from using Kaspersky Lab software and is now looking to expand the ban to all federal agencies.

The move comes less than a day after Bloomberg magazine published an article, accusing the Moscow-based world cybersecurity leader of having close ties to Russia's security service, the FSB.

Kaspersky has repeatedly denied all claims of collusion with the Kremlin and denounced the report as "numerous allegations, misinterpretations & fakes."

The firm then issued a statement in which it said it had never launched DDoS attacks on behalf of the Russian government or any other entity. It further denied that it ever assisted government agencies in tracing and hunting down people.

Kaspersky Lab reiterated that it "has no ties to any government"and is a victim of a political battle.

Facing intense pressure from US authorities, company CEO, Eugene Kaspersky even expressed his readiness to reveal the source code for its software to the US government in order to dispel all allegations of its perceived links to Russian intelligence.

Comment: According to engadget, Kaspersky said that
some governments (he hasn't said which) have pressured Kaspersky Lab to go to the "dark side" and launch cyberattacks, and that some staffers are former Russian intelligence officers. However, he insists that his company has never caved to those demands, and that the hires are "most probably" sales staff meant to court government deals. He adds that the company network is too segmented for any one employee to abuse it.

"If the United States needs, we can disclose the source code," he told AP in early July, adding that he would do "anything he can" to "prove that we [the Kaspersky Lab] don't behave maliciously."

Remarkably, the head of Kaspersky Lab's computer incidents investigations unit, Ruslan Stoyanov, was charged in Russia in February 2017 over "treason in favor of the US" together with two FSB officers.