In a move likely to escalate tensions between Washington and Moscow, the Department of Homeland Security has ordered all federal agencies to stop using software made by the Russian cybersecurity firm Kaspersky Lab, citing concerns that the Moscow-based firm’s software could give the Kremlin a foothold into the U.S. government.
The directive gives federal agencies 30 days to scrub their networks for Kaspersky software, then develop a plan and start removing the software within 90 days.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the department said in a statement.
Russia indicated in June that it might retaliate if the U.S. took such a step.
Rumors have long swirled around Kaspersky and its possible links to the Kremlin. The company’s founder, Eugene Kaspersky, and several other top employees are former Russian intelligence officers. And recent reports have alleged the company has links to the Kremlin — something Kaspersky vehemently denies.
Still, the intelligence community and many lawmakers have been worried about Kaspersky for years because of these possible ties. Those fears have only heightened after U.S. intelligence officials accused Moscow of orchestrating a massive digital campaign meant to undermine the 2016 U.S. election.
In July, the General Services Administration removed Kaspersky from a list of pre-approved technology products that agencies can buy, making it harder for government offices to purchase the Russian firm’s products.
In its statement, DHS said it was concerned with “requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
A DHS spokesman told POLITICO the agency had briefed congressional committee staffers on the decision. Some lawmakers have been considering legislative tweaks to reduce the government’s use of Kaspersky software. The upcoming annual defense policy bill may bar the Pentagon from employing the firm’s products.
The Trump administration’s top cyber adviser, Rob Joyce, applauded the move.
“Great work on the part of DHS to look at the threats to our networks and the implications,” he said, speaking at the Billington CyberSecurity Summit in Washington. “The idea of a piece of software that’s going to live on our networks, going to touch every file on those networks, going to be able to — at the discretion of the company — decide what goes back to their cloud in Russia. … For us in the government, that was an unacceptable risk.”
Kaspersky did not immediately respond to a request for comment. The company has previously offered to turn over its code for government inspection to prove it is not tainted.
DHS issued its order under what’s known as a “binding operational directive.” Congress gave DHS the authority to issue these mandatory directions to other agencies during a 2014 update of a government information security law.