In this occasional series, we will bring you up to speed on the biggest national security stories of the week.
On Wednesday, the U.S. government declared that federal agencies must identify a popular brand of security software on their networks and prepare a plan to remove it because of its creator’s potential ties to Russia’s cyberespionage activities. Products from Kaspersky Lab, the software company, are used to some degree by at least a half-dozen federal civilian agencies, according to U.S. officials. There may also be other agencies in which the software is being used without the knowledge of that agency’s chief information security officer. However, officials have not publicly disclosed exactly which agencies are using Kaspersky products.
Here’s what you need to know about the software company:
What is Kaspersky?
Kaspersky is a Russian software company founded in 1997 by Eugene Kaspersky, a decade after he had graduated from a KGB-supported cryptography school and worked in Russian military intelligence. Today, most of its business comes from outside Russia, and the company boasts 400 million users and 270,000 corporate clients worldwide.
Kaspersky offers software that can detect malicious computer viruses or help a company keep track of cybersecurity data being gathered on different portions of its network.
What did the U.S. government actually do?
The acting homeland security secretary, Elaine Duke, issued an order Wednesday that federal civilian agencies identify Kaspersky software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government and its software poses a security risk. The order does not apply to military networks. However, the Defense Department and intelligence agencies generally do not use Kaspersky software and have not for a number of years.
Nonetheless, Congress is considering legislation that would implement a government-wide ban on Kaspersky products.
In July, the General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, the GSA suggested a vulnerability exists with Kaspersky products that could give the Kremlin surreptitious access to the systems using the software.
What is the U.S. government worried about?
The U.S. government is worried that Kaspersky products provide a covert means of spying on American networks.
What has Kaspersky said?
Kaspersky adamantly denies it is spying on behalf of Moscow. In a statement Wednesday, it said it “doesn’t have inappropriate ties with any government” and that “no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company.”
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” the company said in a statement.
DHS said in a statement Wednesday that Russian law allows Russian spy agencies to compel assistance from Kaspersky and to intercept communications transiting Russian networks.
DHS has given Kaspersky 90 days to provide proof that its products are not facilitating espionage for Russia or to offer mitigating measures. If the company fails to do so, DHS will implement the ban.