DHS gives agencies 90 days to remove Kaspersky Lab IT from networks
The Homeland Security Department is giving agencies 30
days to identify where they are using products and services from Kaspersky Lab,
and 60 days after that to remove those technologies from federal networks.
DHS issued a binding operational directive
(BOD) Sept. 13 detailing the steps agencies must take.
“This action is based on the information
security risks presented by the use of Kaspersky products on federal
information systems. Kaspersky anti-virus products and solutions provide broad
access to files and elevated privileges on the computers on which the software
is installed, which can be exploited by malicious cyber actors to compromise
those information systems,” DHS said in a statement. “The department is
concerned about the ties between certain Kaspersky officials and Russian
intelligence and other government agencies, and requirements under Russian law
that allow Russian intelligence agencies to request or compel assistance from
Kaspersky and to intercept communications transiting Russian networks. The risk
that the Russian government, whether acting on its own or in collaboration with
Kaspersky, could capitalize on access provided by Kaspersky products to
compromise federal information and information systems directly implicates U.S.
national security.”
Rob Joyce, White House cyber coordinator, said
at the eighth annual Billington Cybersecurity Summit in Washington that DHS
made a risk-based decision to protect federal networks.
“For us, the idea of a piece of software that is going to
live on our networks, that is going to touch every file in those networks and
going to be able to, at the discretion of the company, decide what goes back to
their cloud in Russia, and what you really need to understand is under Russian
law the company must collaborate with the FSB so for us in the government that
was an unacceptable risk,” Joyce said. “We made risk decisions based on the
technology and the environment, and it’s unacceptable for federal networks.”
Joyce said in an interview after his speech
that DHS and the White House reviewed all risks associated with the decision,
ranging from potential retaliation to impacts on agencies, the private sector
and allies.
A Kaspersky Lab spokeswoman said by email that
the company is disappointed with DHS’ decision but is grateful for the
opportunity to respond to the allegations.
“No credible evidence has been presented
publicly by anyone or any organization as the accusations are based on false
allegations and inaccurate assumptions, including claims about the impact of
Russian regulations and policies on the company,” the company stated.
“Kaspersky Lab has always acknowledged that it provides appropriate products
and services to governments around the world to protect those organizations
from cyberthreats, but it does not have unethical ties or affiliations with any
government, including Russia. In addition, more than 85 percent of its revenue
comes from outside of Russia, which further demonstrates that working
inappropriately with any government would be detrimental to the company’s
bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab
has a 20-year history in the IT security industry of always abiding by the
highest ethical business practices and trustworthy technology development.”
DHS will let Kaspersky submit a written
response to address or mitigate those concerns.
“The department wants to ensure that the
company has a full opportunity to inform the Acting Secretary of any evidence,
materials, or data that may be relevant,” DHS stated. “This opportunity is also
available to any other entity that claims its commercial interests will be
directly impacted by the directive.”
The spokeswoman added the federal government is
misinterpreting Russian laws.
“The laws and tools in question are applicable
to telecom companies and Internet Service Providers (ISPs), and contrary to the
inaccurate reports, Kaspersky Lab is not subject to these laws or other
government tools, including Russia’s System of Operative-Investigative Measures
(SORM), since the company doesn’t provide communication service,” she said.
“Also, it’s important to note that the information received by the company, as
well as traffic, is protected in accordance with legal requirements and
stringent industry standards, including encryption, digital certificates and
more. Kaspersky Lab has never helped, nor will help, any government in the
world with its cyberespionage or offensive cyber efforts, and it’s disconcerting
that a private company can be considered guilty until proven innocent, due to
geopolitical issues. The company looks forward to working with DHS, as
Kaspersky Lab ardently believes a deeper examination of the company will
substantiate that these allegations are without merit.”
Agencies now have 30 days to identify all uses
of Kaspersky Lab products and services, and then two months to remove the
technology from their networks and systems.
Joyce said the effort will be an aggressive
one for the government.
“We are pushing departments and agencies to
work aggressively toward it,” he said. “I will not go for exemptions at the
beginning, but certainly with any activity in the government, we are not
marching ahead blindly and we will consider the factors.”
Another government official familiar with the
BOD told Federal News Radio agencies will need time and money to move off
Kaspersky Lab technologies.
“Part of the BOD talks about if agencies are
having difficulties, they need to work with the CFO and your agency to work on
that,” the official said. “We will cooperate with the other departments and
agencies to help them understand and do the replacements. This was not a
collaborative process initially, but it will be now once the BOD is signed.”
The official said federal chief information
officers and chief information security officers should have known it was
coming out.
The official added there has been a concern
about Kaspersky Lab for a period of time, and the concern has
manifested in some things the government has learned.
“This has been a long and involved process to
make sure the legal parts of it were properly structured,” the official said.
Agencies will have to find the money to remove
and replace Kaspersky Lab technologies.
DHS will assist and support agency efforts to
make the process as quick and painless as possible.
DHS’ move follows the decision by the General
Services Administration to remove Kaspersky Lab from its schedules program.
Additionally, Sen. Jeanne Shaheen (D-N.H.) has
submitted a provision in the 2018 Defense Authorization bill to ban Kaspersky
Lab products from Defense Department networks.
Shaheen said in a statement that DHS’s actions
are important to remove “this national security vulnerability from federal
computer systems. I’m optimistic that Congress will soon act on my
governmentwide ban of Kaspersky software so that this new policy is reinforced
by statute.”
Rep. Lamar Smith (R-Texas), chairman of the
Science, Space, and Technology Committee, wrote to agencies in July asking for
documents and information regarding Kaspersky Lab use on federal networks.
Smith’s letter requested information regarding computers, systems, data and
any other information that may be accessible to Kaspersky Lab from each agency.
Smith applauded the DHS decision on Twitter,
and announced a Sept. 27 hearing “on Kaspersky products and risks they pose to
U.S. systems.”
A spokeswoman for Smith said they have
received feedback from several agencies and expect to hear from the rest in
the coming weeks.
This was DHS’ fifth BOD since Congress gave
it the authority in 2014 to mandate agency compliance with imminent cyber
threats. Previous BODs covered everything from patching software
provided by Cisco Systems to reporting cybersecurity
incidents.
Jake Williams, a former National Security Agency
executive who worked on the Tailored Access Operations (TAO) cyber warfare
effort and now is an instructor and course author for the SANS Institute, said
in an email to Federal News Radio that the public case that Kaspersky has ties
to the Russian government is not strong.
“First, [the BOD] notes any direct and
indirect use of the software. I think that’s significant because, as you
probably know, Kaspersky licenses its code for use in a number of security
products. It is going to be really difficult for most agencies to find all of
the indirect uses of Kaspersky code,” he said. “I think the government wisely
hedged its bets with regards to Kaspersky, saying ‘the Russian government,
whether acting on its own or in collaboration with Kaspersky.’”
He added that even though Kaspersky Lab has
the ability to ask for redress of the ban, it likely will not work. Williams
said the fact that the company’s offer to let the government do a third-party
audit of its code was not effective shows that the remedy is unlikely to make a
difference.
Tom Kellermann, CEO of Strategic Cyber
Ventures and 20-year cyber expert, said this move by DHS is the latest action
in a brewing technology conflict.
“The balkanization of cyberspace has begun in
earnest,” Kellermann said. “Russia began this cyber Cold War not just with the
hacking of the US Government but also in her condemnation and partial ban of
Microsoft. As a result of this ban, supply chain security has never been more
paramount, particularly if you desire to do business with the U.S. Government.”
source federalnewsradio.com