U.S. President Donald Trump on Tuesday signed a bill that prohibits the use of Kaspersky Lab products and services in federal agencies.
The National Defense Authorization Act for FY2018 (H.R. 2810) focuses on Department of Defense and Department of Energy programs, authorizes recruitment and retention bonuses for the Armed Forces, and makes changes to national security and foreign affairs programs.
Section 1634 of the bill bans the use of products and services provided by Russia-based cybersecurity firm Kaspersky Lab. The prohibition will go into effect on October 1, 2018.
“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill reads.
Senator Jeanne Shaheen, who has spearheaded the campaign against Kaspersky, stated, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.”
Sen. Shaheen recently sent a letter to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”
The U.S. Department of Homeland Security (DHS) ordered federal agencies to stop using Kaspersky products back in September, and the bill signed on Tuesday reinforces that order. However, the government has yet to provide any evidence of wrongdoing and even Sen. Shaheen’s statements appear to be largely based on various media reports citing anonymous officials.
One of the most recent media reports involving Kaspersky claimed Russian spies exploited the company’s products to steal sensitive files from an NSA contractor’s computer. The contractor in question has been charged and the cybersecurity firm has shared its side of the story.
The UK’s National Cyber Security Centre (NCSC) has also issued a warning regarding the use of Kaspersky products by government agencies. While the UK ban is less explicit than the one in the US, it is expected to have a similar effect.
Kaspersky has repeatedly denied the accusations and it recently announced the launch of a transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.
UPDATE. Kaspersky Lab has provided the following statement:
“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks. Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
