The U.S. Department of Homeland Security (DHS) told federal agencies to "take actions related to the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities." In a statement, DHS said this decision was prompted by security concerns about Kaspersky's products as well as fears about the company's numerous ties to Russian intelligence agencies.
Kaspersky's connections to Russian intelligence have dipped in and out of the news cycle over the last year. ABC News reported in May that the FBI was investigating the company for those ties, which Kaspersky denied, and in July leaked emails showed that the company helped FSB agents conduct physical raids on suspected hackers. Kaspersky was also said to have worked on tools to allow Russia to "hack the hackers."
None of those concerns are new. People have questioned the Kaspersky-Russia connection for years. But the U.S. government seems to be more interested in those ties than ever before, and as the DHS' Binding Operational Directive (BOD) made clear, it's certainly more willing to act on those fears. Here's what the department said about its decision to bar federal agencies from using products made by or associated with Kaspersky:
"The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."
These fears stem from the access that security products have to files and the systems on which they're stored. These products don't work unless they're given the ability to monitor and control many aspects of a system. If those products are compromised—willfully or not—they could be used to gather the sensitive information they were supposed to protect. That's why security products are prime targets for hackers.
Those aren't hypothetical concerns. A security researcher discovered a serious vulnerability in Kaspersky's TLS interception tool in January, and in March, WikiLeaks revealed that the CIA had bypassed most major antivirus programs. (Later, though, several vendors said their products had been updated to defend against those intrusions.) The U.S. government knows all too well what kind of data can be gleaned via compromised tools.
DHS said it would give Kaspersky a chance to submit a written statement "addressing the Department’s concerns or to mitigate those concerns" so it could "ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant." Businesses affected by the decision will also be able to send their comments about the decision before anything is finalized.