Local and state government agencies from Oregon to Connecticut say they are using a Russian brand of security software despite the federal government’s instructions to its own agencies not to buy the software over concerns about cyberespionage, records and interviews show.
The federal agency in charge of purchasing, the General Services Administration, this month removed Moscow-based Kaspersky Lab from its list of approved vendors. In doing so, the agency’s statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it. Kaspersky has strongly denied coordinating with the Russian government and has offered to cooperate with federal investigators.
The GSA’s move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost. The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity.
Interviews suggest that concerns in recent months from Congress and in the intelligence community about Kaspersky are not widely known among state and local officials, who are most likely to consider purchasing the Russian software. Those systems, while not necessarily protecting critical infrastructure, can be targeted by hackers because they provide access to troves of sensitive information.
U.S. intelligence chiefs in May told a Senate panel that they wouldn’t use the company’s software during a broader hearing investigating Russia’s alleged meddling in the U.S. presidential election. It was not the first time Congress had heard that message: A former U.S. official told The Washington Post that congressional staff was advised by law enforcement in late 2015 to stop meeting with Kaspersky representatives over national security concerns.
“People need to know that they can trust software updates,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, a digital advocacy group. About the GSA’s decision, he said: “We need more public information.”
In the weeks since Kaspersky’s delisting, The Post found that it continues to be used on government computers in jurisdictions ranging from Portland, Ore., to Fayetteville, Ga., where an official said they have a year-to-year contract.
Kaspersky also has been purchased for use by the federal government in recent years, including the Bureau of Prisons and the Consumer Product Safety Commission. Both agencies said last week that they needed additional time to determine whether the software is still in use.
To identify the agencies, The Post reviewed state, local and federal government websites to obtain documents that listed Kaspersky or its programs, including city council agendas, annual agency reports and government procurement records. Officials interviewed in nine jurisdictions all said they had purchased or supported software made by Kaspersky within the past two years. Nearly all said they had no immediate plans to replace the software.
“We use it, and I think it works well,” said John Morrisson, systems manager for the Connecticut Division of Public Defender Services. “I don't have any problems, and we don't have any viruses. And it's doing the job I require of it.”
Morrisson said the concerns about Kaspersky are speculative, but he said he would consider jettisoning the Russian brand if specific vulnerabilities are identified.
In the District, a spokesman for the city’s chief technology officer said that most city agencies use anti-virus software made by McAfee, a Kaspersky competitor. But District employees who connect to the network remotely are allowed for now to use home computers equipped with Kaspersky.
In Picayune, Miss., Kaspersky is scheduled to be installed soon as the firewall on a new wireless system for all public schools. Network administrator Jason Wheat said he hadn’t seen the news about the GSA’s decision or received any warning from the state about not using Kaspersky. But he said he wasn’t worried about the software because employee Social Security numbers are stored on a separate server maintained by the state.
In Oregon, Kaspersky is used with other anti-virus software by Portland city government to scan for malicious emails. Connecticut’s public defender said that as of early 2016 its office had hundreds of computers that ran Kaspersky. And San Marcos, Tex., last month approved a $46,620 contract for Kaspersky’s anti-virus protection; a spokeswoman said the city has held a contract with Kaspersky for many years and renewed the software in June before the delisting notice was issued by the U.S. government.
In announcing its decision, the GSA said that its mission is to “ensure the integrity and security of U.S. government systems and networks” and that Kaspersky was delisted “after review and careful consideration.” The action removed the company from the list of products approved for purchase on federal systems and at discounted prices for state governments.
The GSA included a reference to “System of Operational-Investigative Measures,” or SORM — a national Russian electronic eavesdropping network that the U.S. government publicly warned about in advance of Americans traveling to the 2014 Winter Olympics in Sochi, Russia.
At the time, the State Department advised travelers to assume that cellphones could be turned into listening devices and laptops could be infiltrated if connected to Russian networks. The GSA statement this month said “applicability” of SORM to Kaspersky “supported GSA’s decision to exercise the cancellation clause.”
A former senior U.S. law enforcement official, who works in cybersecurity and spoke on the condition of anonymity, said he thinks that the reference to SORM indicates the “GSA is saying there is some kind of vulnerability that gives the [Russian] government access.”
Representatives for the FBI and the Department of Homeland Security referred questions about Kaspersky to the GSA, which declined to comment beyond the original statement.
Kaspersky officials declined interview requests, referring reporters to a statement denying wrongdoing that was issued after the GSA’s announcement.
“Kaspersky Lab has no ties to any government, and the company has never helped, or will help, any government in the world with its cyberespionage efforts,” the company said. “Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.”
Kaspersky Lab was founded in 1997 by Eugene Kaspersky, a decade after he had graduated from a KGB-supported cryptography school and had worked in Russian military intelligence agencies.
The company became an international success, sometimes promoting Kaspersky’s background in Russian intelligence. By 2010, it claimed to be the most widely used anti-virus software in Europe. In the United States, for example, Kaspersky was among the anti-virus software packaged with computers sold at Best Buy. Today, Kaspersky boasts 400 million users and 270,000 corporate clients worldwide.
Kaspersky has tried to advance the company into potentially lucrative government markets. The company created a subsidiary, Kaspersky Government Security Solutions, or KGSS, and began hosting an annual cybersecurity summit in Washington.
In 2015, the keynote address at the annual conference was delivered by Michael Flynn, then the recently departed head of the Defense Intelligence Agency who would go on to briefly become President Trump’s national security adviser. Flynn was paid more than $11,000 for the appearance, which he initially failed to disclose this year when he joined the White House.
The company never became a major player in U.S. government markets. Popular American firms, often with executives who had their own ties to U.S. intelligence agencies, routinely beat out Kaspersky for the largest federal contracts and defense work.
Three current and former defense contractors told The Post that they knew of no specific warnings circulated about Kaspersky in recent years, but it has become an unwritten rule at the Pentagon not to include Kaspersky as a potential vendor on new projects.
Another former U.S. official said some congressional staffers were warned by federal law enforcement officials as early as November 2015 not to meet with employees from Kaspersky over concerns of electronic surveillance.
The officials spoke on the condition of anonymity because they were not authorized to speak publicly about the matter.
Skepticism of Kaspersky became public in May when a panel of U.S. intelligence community leaders testified before Congress that they wouldn’t use the firm’s software on their own computers. Sen. Marco Rubio (R-Fla.) noted the widespread use of the software and asked, “Would any of you be comfortable with the Kaspersky Lab software on your computers?”
“A resounding no from me,” said acting FBI director Andrew McCabe. CIA Director Mike Pompeo, Director of National Intelligence Daniel Coats and National Security Agency Director Adm. Michael S. Rogers also said they would not use Kaspersky.
The government’s unease about Kaspersky follows the conclusion by U.S. intelligence agencies that Russian President Vladimir Putin last year ordered a campaign of cyberattacks to undermine the election. The Justice Department has named a special counsel to investigate possible coordination between Trump’s associates and Russian officials during the campaign.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said “it's difficult, if not impossible” for a company like Kaspersky to be headquartered in Moscow “if you don't cooperate with the government and the intelligence services.”
Kaspersky has worked to protect its image since the GSA decision. It said this month that it would be willing to turn over its software source code to federal investigators.
The Senate Armed Services Committee this month unanimously adopted an amendment by Sen. Jeanne Shaheen (D-N.H.) that would force the government to strip Kaspersky from any government systems connected to defense networks. In a statement, Shaheen said the Trump administration and Congress should go further and require all government systems to drop Kaspersky.
“The ties between Kaspersky Lab and the Kremlin are very alarming,” Shaheen said.
Correction: This story has been updated. An earlier version of this story incorrectly noted the contract in San Marcos, Tex., was $92,744. The contract amount was $46,620.