U.S. President Donald Trump on Tuesday signed a bill that prohibits the use of Kaspersky Lab products and services in federal agencies.
The National Defense Authorization Act for FY2018 (H.R. 2810) focuses on Department of Defense and Department of Energy programs, authorizes recruitment and retention bonuses for the Armed Forces, and makes changes to national security and foreign affairs programs.
Section 1634 of the bill bans the use of products and services provided by Russia-based cybersecurity firm Kaspersky Lab. The prohibition will go into effect on October 1, 2018.
“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill reads.
Senator Jeanne Shaheen, who has spearheaded the campaign against Kaspersky, stated, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.”
Sen. Shaheen recently sent a letter to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”
The U.S. Department of Homeland Security (DHS) ordered federal agencies to stop using Kaspersky products back in September, and the bill signed on Tuesday reinforces that order. However, the government has yet to provide any evidence of wrongdoing and even Sen. Shaheen’s statements appear to be largely based on various media reports citing anonymous officials.
One of the most recent media reports involving Kaspersky claimed Russian spies exploited the company’s products to steal sensitive files from an NSA contractor’s computer. The contractor in question has been charged and the cybersecurity firm has shared its side of the story.
The UK’s National Cyber Security Center (NCSC) has also issued a warning regarding the use of Kaspersky products by government agencies. While the ban is less explicit compared to the US, it is expected to have a similar effect.
Kaspersky has repeatedly denied the accusations and it recently announced the launch of a transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.
UPDATE. Kaspersky Lab has provided the following statement:
“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks. Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”
Related: Kaspersky in Focus as US-Russia Cyber-Tensions Rise
Related: Trust Your Security Vendor, ‘They Have Access to Everything You Do,’ Says F-Secure Research Chief