The Department of Homeland Security has asked federal agencies to remove all Kaspersky products from federal networks within the next 90 days, according to a new binding operation directive issued Wednesday by Acting Secretary of Homeland Security Elaine Duke.
“The BOD calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems,” Homeland Security’s statement reads.
The ban is being justified “based on the information security risks presented by the use of Kaspersky products on federal information systems” and concern over “the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
Speaking in Washington D.C., White House cybersecurity czar Rob Joyce called Kaspersky “an unacceptable risk” for the U.S. government because, under Russian law, “companies like Kaspersky “must collaborate with the FSB.” He called the ban a “risk-based decision.”
Rick Ledgett, former deputy director at the NSA, echoed that sentiment when he told CyberScoop that the reasoning for the ban comes from the risk posed by the fact that Russian agencies can compel cooperation from Kaspersky. Ledgett declined to say, citing that such information would classified, if examples existed where Kaspersky had handed over sensitive information about American companies or agencies to Russian intelligence.
Sen. Jeanne Shaheen, D-N.H., applauded the move on Twitter and called Kaspersky “a direct threat to national security.” Earlier this month, the Senator wrote an op-ed in the New York Times calling for a federal ban.
Various arms of the federal government has been pushing for U.S. public and private sector institutions to push Kaspersky away amidst mounting tension between the Moscow-based cybersecurity firm and the U.S. government. The FBI has held briefings with major private sector firms urging them to cut ties with Kaspersky. Some of the briefings have yielded major success.
Last week, the U.S. retail giant Best Buy pulled Kaspersky from its shelves.
Some high-level U.S. intelligence officials believe the Kaspersky issue is being mishandled but the current political climate regarding U.S.-Russia tension and the pressure being put on congress and the federal government to act. The FBI has not publicly provided evidence that Kaspersky is acting inappropriately.
Kaspersky has long denied inappropriate collaboration with Russian intelligence services.
“The company doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against Kaspersky Lab,” the company told CyberScoop last month. “The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly, even though the company has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”
In apparent retaliation, Russian president Vladimir Putin backed a plan to push foreign software out of Russian government networks.
Chris Bing contributed to this story.