The US Department of Homeland Security on Wednesday ordered all US government agencies to stop using Kaspersky Lab software, citing reports that the cyber security company is linked to Russian intelligence agencies.
US agencies were told to identify any Kaspersky products on their networks within 30 days and to begin removing them in 90 days, according to the directive signed by Elaine Duke, the acting DHS chief.
“The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” Ms Duke wrote.
Kaspersky, a London-based holding company, reported an unaudited $644m in revenues last year. The maker of anti-virus software claims 400m users worldwide, including 270,000 corporate clients.
Kaspersky rejected the DHS allegations as “completely unfounded” and said “it does not have unethical ties or affiliations with any government, including Russia”.
The four-paragraph statement continued: “Kaspersky Lab has never helped, nor will help, any government in the world with its cyber espionage or offensive cyber efforts and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”
US-Russian relations have steadily soured over the past year. In January, US intelligence agencies concluded that Russian president Vladimir Putin had ordered a campaign of cyber attacks and propaganda “fake news” to influence last year’s US presidential election, hoping to boost Donald Trump’s White House hopes.
“In the hostile environment we’re in now, we are in the middle of a cyber war,” said Eric O’Neill, a former Federal Bureau of Investigation agent and now a national security strategist for cyber security company Carbon Black.
The DHS directive is just the latest sign of mounting US concern about the Russian cyber security company. In July, the General Services Administration dropped Kaspersky from a list of approved vendors for certain future purchases.
At a Senate intelligence committee hearing in May, the director of national intelligence along with the heads of the Central Intelligence Agency, National Security Agency and FBI all said they would not be comfortable with Kaspersky software on their computers.
The official concern stems from the nature of anti-virus software, which offers an ideal mechanism for pilfering information from computers. Such applications operate in “God mode”, enjoying access to every part of a user’s hard drive and transmitting digital information back and forth to a remote server controlled by the anti-virus provider.
In theory, the Russian government could direct Kaspersky to sabotage US government computers via a malicious software update.
“If it were controlled by a malicious cyber actor, because of the technology, he’s going to have access to every single file on your computer,” said Anthony Ferrante, senior managing director of FTI Consulting in Washington.
This summer, FBI agents interviewed several Kaspersky employees in what the bureau described as a routine counter-intelligence investigation.
US counter-intelligence agents have been tracking Kaspersky for several years. Around 2012, the FBI investigated an informant’s tip that the company had compromised the US government’s encrypted telephone system, according to a former agent involved in the case.
Eugene Kaspersky, the company founder, was interviewed by FBI agents seeking to identify any links between the company and the Russian intelligence service known as FSB. Mr Kaspersky’s background has long given rise to suspicions about his loyalties despite his denials. He was educated at a KGB-backed technical college and briefly worked for a Russian defence ministry scientific institute.
“He wouldn’t help us at all,” said the former FBI agent. “From the early 2000s, it was felt Kaspersky was an FSB guy and everything he’d developed was just a huge front.”
Kaspersky’s non-government business may also suffer as a result of the DHS order on Wednesday if US banks abandon the company’s products, according to Dave Aitel, chief executive of Immunity Inc. “This could have widespread repercussions (as almost all banks are tightly connected and that is a huge market to lose for Kaspersky),” Mr Aitel, a former NSA official, wrote on his blog.
Cyber insurance providers might also require customers to move away from Kaspersky products in order to retain their coverage, he added.
James Lewis of the Center for Strategic and International Studies called US reliance upon Russia for cyber security a legacy of better relations in the immediate aftermath of the end of the cold war.
“The Russians were supposed to be our friends,” he said. “There’s a lot of leftovers in US policy since the time we thought the world would all be happy market democracies.”
Additional reporting by Leslie Hook in San Francisco
Follow David J Lynch on Twitter: @davidjlynch