Security Experts:

DHS Orders Government Agencies to Stop Using Kaspersky Products

The U.S. Department of Homeland Security (DHS) issued a binding operational directive on Wednesday ordering government departments and agencies to stop using products from Kaspersky Lab due to concerns regarding the company’s ties to Russian intelligence.

The DHS told agencies that they have 30 days to identify the use or presence of products supplied directly or indirectly by Kaspersky. Once such products have been identified, agencies have 30 days to develop a plan for their removal from IT systems, and another 30 days to start implementing the plan.

In a statement, the DHS said Kaspersky’s products expose systems to cyberattacks due to the broad access and elevated privileges they provide.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS said. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

However, the DHS said Kaspersky will be given the opportunity to submit a written response to address or mitigate these concerns.

In response, Kaspersky said it was dissapointed with the decision and reiterated that it does not have inappropriate ties with any government, but the security firm is grateful for the opportunity to prove that the allegations are “completely unfounded.” The company claims the Russian laws and policies cited by the DHS have been misinterpreted as they only apply to telecoms firms and ISPs.

“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” Kaspersky stated.

“In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development,” the company added.

The DHS’s order comes after the U.S. General Services Administration, the agency that handles government purchasing contracts, removed Kaspersky Lab from its list of approved vendors. Just before the DHS’s ban, electronics retailer Best Buy also announced that it had stopped selling the Russian company’s products due to concerns regarding ties to Russian intelligence.

The links between Kaspersky Lab Founder Eugene Kaspersky and Russian intelligence have often been debated, with numerous news articles being published over the past years. Despite the lack of any clear evidence showing that the use of the company’s products poses a risk to the U.S. or any other government, media coverage claiming to show inappropriate connections to Russian intelligence has intensified in the past few months.

One U.S. senator even proposed an amendment to the National Defense Authorization Act to prohibit the use of Kaspersky Lab products.

Despite the negative media coverage, Kaspersky announced recently its plans to open an additional three offices in North America next year, namely in Chicago, Los Angeles and Toronto. The company pointed out that it already has three operational offices in the region, employing nearly 300 people.

“Given that U.S. government sales have not been a significant part of the company’s activity in North America, Kaspersky Lab is exploring opportunities to better optimize the Washington D.C. office responsible for threat intelligence offerings to U.S. government entities,” the company said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.