Federal agencies have three months to identify and begin removing all products from the Russian anti-virus software firm Kaspersky Labs from their systems, according to a Homeland Security Department directive issued Wednesday.
The directive comes after a months-long campaign by top government security officials highlighting the Moscow-based firm’s possible Kremlin ties. It also comes two months after the General Services Administration removed Kaspersky products from its schedule of pre-approved vendors.
“This is a risk-based decision we needed to make,” White House Cybersecurity Coordinator Rob Joyce said during the Billington Cybersecurity Conference.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
The Trump administration considered the possibility the Russian government may push back against U.S. companies, Joyce said, but “had to make some tough decisions."
Kaspersky responded in a statement that the company “is disappointed with the decision” and “doesn’t have inappropriate ties with any government.”
Federal officials have not produced any public evidence that Kaspersky is in thrall to the Russian government or has compromised any U.S. systems, either government or corporate. Kaspersky has vehemently denied all allegations of collusion with the Kremlin saying such collusion would put the company out of business.
Wednesday’s binding operational directive from acting Homeland Security Secretary Elaine Duke highlights both the outsized power of anti-virus systems to inspect the computers they protect and Russian laws that might compel Kaspersky to assist Russian intelligence.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the directive states.
Joyce made a similar argument during remarks at the Billington conference, saying “what you need to understand is, under Russian law, they must collaborate with the FSB,” a reference to one of Russia’s main intelligence agencies.
“Contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools,” the company said. The company also stressed that all customer information it receives is protected both legally and digitally, including with encryption and digital certificates that would make it difficult for a government to examine it undetected.
Anti-virus systems have broad access to monitor and even modify the systems they protect, which means they could be especially powerful if exploited by a U.S. adversary. Anti-virus systems also typically beacon back to company servers—in the case of Kaspersky, those servers are in Moscow—to collect new indicators of digital compromise and to inspect possibly compromised files.
The directive comes amid a boiling tit-for-tat conflict between the U.S. and its former Cold War adversary, based partly on Russia’s digital meddling in the 2016 presidential election as well as Russian belligerence in Ukraine and aid to Syrian dictator Bashar Assad.
The Homeland Security directive downplayed any connection to those broader tensions, noting that “while this action involves products of a Russian-owned and operated company, the department will take appropriate action related to the products of any company that present a security risk based on DHS’s internal risk management and assessment process.”
Kaspersky is not used on vital military and national security systems, officials have said, but is common on non-national security systems, including at U.S. embassies. Kaspersky is typically cheaper than other major anti-virus firms and also is especially effective against cyber crime organizations operating out of eastern Europe, analysts say.
Under the directive, agencies would have 30 days to identify all instances of Kaspersky on their systems and 60 days to create plans to remove Kaspersky from those systems. After 90 days, agencies would be required to start implementing those plans unless directed otherwise by Homeland Security.
The department is inviting Kaspersky to provide a written response to its concerns and to describe any effort the company is making to mitigate them, the directive states.
Kaspersky is “grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” the company said.
The Senate version of a major defense policy bill that’s being debated on the floor this week would similarly ban Kaspersky products from defense systems.
Also on Wednesday, Sen. Amy Klobuchar, D-Minn., wrote to Duke asking for information about Kaspersky software on U.S. election systems and other critical infrastructure, such as airports and energy plants.
The retail giant, Best Buy, based in Klobuchar’s home state, said Tuesday it will no longer stock Kaspersky products.