New Law Bans Kaspersky AV Software From Federal ComputersMeasure Included in Military Funding Bill Signed by President Trump
A new U.S. law signed by President Donald Trump on Tuesday prohibits federal agencies from running anti-virus software from Moscow-based Kaspersky Lab. The company criticized the action, saying it's being singled out based solely on where its corporate headquarters is located.
The National Defense Authorization Act for Fiscal Year 2018, a military funding bill, includes a section that bars all civilian and military agencies from using software products from Kaspersky Lab.
The statute expands a Trump administration order issued in September for executive branch agencies to remove Kaspersky products from their computers within 90 days (see Kaspersky Software Ordered Removed From US Gov't Computers).
'Law Is Long Overdue'
"Considering the grave risk that Kaspersky Lab poses to our national security, it's necessary that the current directive to remove Kaspersky Lab software from government computers be broadened and reinforced by statute," says Sen. Jeanne Shaheen, D-Vt., who was among the first lawmakers to push for the Kaspersky ban. "The case against Kaspersky is well-documented and deeply concerning. This law is long overdue."
The Department of Homeland Security's top cybersecurity official, Christopher Krebs, said after the bill's signing that Kaspersky software already has been removed from nearly all executive branch agencies' computers.
U.S. government officials say Kaspersky Lab products are suspect, in part, because the company's founder and CEO, Eugene Kaspersky, had been trained by and has formerly worked for Russian intelligence. But they have yet to provide evidence of a link between Kaspersky and Russian spies.
At a House hearing in November, a top DHS cybersecurity official said she has seen no decisive proof that Kaspersky Lab's security software had been exploited to breach federal government information systems. "We do not currently have evidence, conclusive evidence, that they have been breached," Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, told the House Science, Space and Technology Oversight Subcommittee (see DHS Official: No Proof Kaspersky Software Used to Hack Fed IT).
Report Ties Kaspersky to FSB
On Wednesday, however, the Washington Post reported that a court document posted on the Facebook page of a Russian criminal suspect this year shows what appears to be an unusual degree of closeness between Kaspersky Lab and the FSB, Russia's security agency. The Post reports that Russian authorities arrested Konstantin Kozlovskiy in the summer of 2016 for a string of cyber heists of Russian banks; he's in a Moscow jail awaiting trial. From his cell, the newspaper reports, he posted documents related to his case.
According to the Post, one post shows an FSB agent inside the office of Kaspersky Lab in Moscow in April 2015 giving a company technician a password for a suspected Russian cybercriminal's computer. The technician gained access to the computer and obtained decrypted documents for the agent, the news report says.
The Post story says the FSB used the information Kaspersky obtained to help make its case against Kozlovskiy, who is a member of the criminal group Lurk.
On a number of occasions, Kaspersky Lab has denied it has ties to the Russian government or other governments and has said it doesn't help any government to spy. To address misgivings about its software, Kaspersky has offered to make its source code available to independent parties to review.
Genesis of Security Concern
The Kaspersky scrutiny was originally sparked by reports that the company's software plucked exploitation tools from the home computer of a National Security Agency agent (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software). The agent, Nghia Hoang Pho, 67, of Ellicot City, Maryland, recently pleaded guilty to one count of willfull retention of national security data (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).
In addition, the The New York Times reported that Israeli intelligence discovered at least two years ago that Russia had its hooks in Kaspersky Lab's software and was using it as the equivalent of a search engine for classified data on U.S. intelligence programs (see Will Kaspersky Lab Survive Russia Hacking Scandal?)
In a statement issued Tuesday, Kaspersky Lab criticized the U.S. government, saying it singled out the company based on where its headquarters is located. It contended that enactment of the law will result in substantial and irreparable harm to the company, its U.S.-based employees and American business partners.
The company contends all anti-virus software could contain vulnerabilities that malicious cyber actors can exploit. "Yet, Congress failed to address this fact or take a comprehensive look at federal IT sourcing policies to determine what improvements, if any, Congress could make to existing statutory and administrative authorities related to protecting government networks," the company statement says.
Kaspersky Lab's contention that all anti-virus products could contain security flaws was backed by experts testifying before Congress in October. At another House Science, Space and Technology Oversight Subcommittee hearing, the experts said the vulnerabilities found in Kaspersky anti-virus products exist in its competitors' wares, too (see Dearth of Support for Kaspersky at Congressional Hearing).
All Software Vulnerable
"Because of the persistent nature of the threat, all [anti-virus] software is vulnerable," David Shive, CIO at the General Services Administration, the federal agency that's enforcing the government ban of Kaspersky products, told the panel. "That's why CIOs have the obligation to assess those software [products] before they enter them into service and into their agencies."
Another witness testified that all anti-virus software includes features that could be exploited by nefarious actors. "Quite frankly, in my experience, foreign intelligence actors and criminals alike, once they find out who has access to the network they seek to access, they'll attempt to derive ways to exploit that path, and it's a matter of intent and resources," said Sean Kanuck, director of future conflict and cybersecurity at the think tank International Institute for Strategic Studies. "I do not believe there's any network or any product that is perfectly secure. It's all a risk management issue."