The Defense Department is following a DHS directive to remove the Russian anti-virus from its systems but it’s not clear if the software was there in the first place.
The Defense Department is doing a thorough review to ensure software from the embattled Russian anti-virus firm Kaspersky does not touch any military systems, a Defense spokeswoman tells Nextgov.
The move follows a September order from the Homeland Security Department directing all civilian government agencies to remove Kaspersky software from their systems within three months. That directive cites intelligence community concerns that the Russian firm is too closely tied to the Kremlin.
That order does not apply to the Defense Department, which is outside Homeland Security’s jurisdiction, but the Pentagon plans to “follow the intent of the directive” and the department’s top information security officer is assessing what changes need to be made, if any, Defense Spokeswoman Heather Babb said.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Babb declined to say whether the Pentagon has determined that Kaspersky is currently running on any military systems or has in the past, citing operational security.
The Defense Department funded a contract for Kaspersky anti-virus on 150 computers at the U.S. Embassy in Cairo in late 2014, but it’s not clear if the software was actually installed on military computers or if the contract was renewed.
“The department actively reviews and ensures the security of its systems through a thorough screening process of all products to be used on the DOD information network,” she said.
Assistant Secretary of Defense for Homeland Defense and Global Security Kenneth Rapuano told lawmakers during a Senate Armed Services hearing Thursday that officials “have instructed the removal of Kaspersky from all DOD information systems.”
Anti-virus software is among the most powerful digital tools because, unlike most other security tools, it operates directly on computers rather than on the periphery of a network. It can also scan nearly any file on a computer and beam malicious seeming files back to the anti-virus makers’ headquarters for review. In Kaspersky’s case, that headquarters is in Moscow.
Intelligence officials have said Kaspersky does not run on any intelligence community systems. The Defense Department, however, has a much larger and more sprawling information technology operation that’s much less self-contained.
Within the civilian government, Kaspersky has been installed on computers at the Consumer Product Safety Commission, the Treasury Department and the National Institutes of Health among other locations, contracting data shows.
Government officials have not publicly demonstrated a direct, malicious link between Kaspersky and Russian intelligence operations nor shown that Kaspersky anti-virus has been a conduit for Russian government-linked hackers.
The Homeland Security Department’s Sept. 13 directive barring the company from civilian systems states only that the department is “concerned about the ties between certain Kaspersky officials and Russian intelligence” and about a Russian law requiring certain Russian companies to share source code with the government.
Company founder Eugene Kaspersky has vehemently asserted the company’s innocence, saying it would be akin to professional suicide for a global anti-virus firm to cooperate with any nation’s intelligence service.
The company also said U.S. officials misunderstood the Russian law and that it does not apply to Kaspersky.
The dispute comes in the wake of Russia’s digital meddling in the 2016 election, which has put the U.S. government in a higher state of cyber alert. The Kaspersky ban is one of several binding cybersecurity directives the Homeland Security Department has issued since the election aimed at shoring up government systems.
A military-wide ban on Kaspersky was included in the Senate’s version of a must-pass annual defense policy bill that’s now being negotiated between the House and Senate and in separate, standalone legislation introduced in June.
Kaspersky announced Monday that it will launch a transparency initiative that includes independent reviews of its source code and security practices by information security experts. The company also pledged to raise the top payout it gives to independent security researchers who discover vulnerabilities in Kaspersky systems to $100,000.
Eugene Kaspersky previously offered to open up the company’s source code for U.S. government officials to review.
The closest thing to a smoking gun implicating Kaspersky software came in an Oct. 5 Wall Street Journal article, which described a successful Russian hacking operation that leveraged Kaspersky anti-virus to steal National Security Agency hacking tools from an agency contractor’s home computer.
It’s not clear if Kaspersky was complicit in the operation, according to the Journal report.
Anti-virus’ main purpose is to scan computers for malware, including malware exploited by intelligence agencies. So—if the Journal story is accurate—it’s possible Kaspersky scooped up the NSA hacking tools as part of a legitimate security review and then Russian intelligence stole the tools from Kaspersky without the company’s knowledge.
It’s against NSA policy—and frequently illegal—for NSA employees or contractors to remove classified information such as hacking tools from government facilities.
Kaspersky criticized the Journal story for not providing hard evidence and being based on anonymous sources.