House Cyber Leader Wants to Give Equifax the Kaspersky Treatment

A congressional cyber leader wants the Homeland Security Department to use the same authority it used to ban Kaspersky software from government systems to cancel a $7 million IRS contract with the breached credit rating agency Equifax.

Equifax, which recently disclosed a data breach that compromised information about more than 140 million Americans, “displayed cybersecurity negligence of epic proportions,” Rep. John Ratcliffe, R-Texas, said.

He urged Homeland Security “in the strongest possible terms” to use powers outlined in the 2015 Cybersecurity Act and a 2014 update to the Federal Information Security Management Act to “address this troubling development.”

A spokeswoman clarified that Ratcliffe, who chairs the House Homeland Security Committee’s cybersecurity panel, was referring to Homeland Security’s power to issue “binding operational directives” that force federal agencies to improve their cybersecurity.

The spokeswoman would not say whether Ratcliffe wants Homeland Security to ban Equifax from all government systems as it did with Kaspersky software in September or to do something less severe.

“He’s calling on DHS to use its authorities to address this development,” she said.

Homeland Security officials made the unprecedented move to ban software from the Russian antivirus maker Kaspersky Lab from all U.S. government computer systems last month following months of concerns that the company might be doing the bidding of Kremlin officials.

The decision to ban Kaspersky was based largely on public reports about ties between the company and top Russian officials, a Homeland Security cyber official said Tuesday.

There is no definitive public evidence of collusion between Kaspersky and the Russian government and the company has vehemently denied any such connection.

IRS awarded the $7 million identity management contract to Equifax on Sept. 30, about three weeks after the company first announced the massive data breach.

Equifax, which won an earlier generation of the contract, had protested IRS’s decision to award a follow-on portion of the contract to another vendor.

Because the Government Accountability Office, which adjudicates government contract disputes, had not issued a decision in that case before the original contract expired, IRS granted Equifax a $7 million bridge contract to retain identity management services until the GAO decision comes down, IRS Deputy Commissioner Jeffrey Tribiano said Wednesday.

Such protests and delays are extremely common on high value government contracts.

The Equifax breach compromised the Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers of about half of all Americans. Former Equifax CEO Richard Smith, who resigned in the wake of the breach, is scheduled to appear before a quintet of congressional committees this week.

“Americans place their faith in federal agencies – the IRS most certainly included – to safeguard vast amounts of their highly sensitive personal information,” Ratcliffe said. “As the lead civilian cybersecurity agency, DHS should play an important role in ensuring federal agencies engage in responsible cybersecurity behavior, so we can maintain the confidence of the American people.”