Homeland Security bans Russian Kaspersky Lab software

[rmstock]

An employee walks by a wall at the Moscow headquarters of Internet security giant Kaspersky Lab last October. (Kirill Kudryavtsev/AFP/Getty Images)
National Security
U.S. moves to ban Kaspersky software in federal agencies amid concerns of Russian espionage
By Ellen Nakashima and Jack Gillum September 13 [2017]
https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html

  "The U.S. government on Wednesday moved to ban the use of a Russian
   brand of security software by federal agencies amid concerns the
   company has ties to state-sponsored cyberespionage activities.
   
   In a binding directive, acting homeland security secretary Elaine Duke
   ordered that federal civilian agencies identify Kaspersky Lab software
   on their networks. After 90 days, unless otherwise directed, they must
   remove the software, on the grounds that the company has connections to
   the Russian government and its software poses a security risk.
   
   The Department of Homeland Security "is concerned about the ties
   between certain Kaspersky officials and Russian intelligence and other
   government agencies, and requirements under Russian law that allow
   Russian intelligence agencies to request or compel assistance from
   Kaspersky and to intercept communications transiting Russian networks,"
   the department  said in a statement. "The risk that the Russian
   government, whether acting on its own or in collaboration with
   Kaspersky, could capitalize on access provided by Kaspersky products to
   compromise federal information and information systems directly
   implicates U.S. national security."
   
   The directive comes months after the federal General Services
   Administration, the agency in charge of government purchasing, removed
   Kaspersky from its list of approved vendors. In doing so, the GSA
   suggested a vulnerability exists with Kaspersky that could give the
   Kremlin backdoor access to the systems the company protects.
   
   [Local governments keep using this software that might be a back door for Russia]
   
   

   [Video : Decoding Internet Security: Cyberweapons]
   Here's what you need to know about what cyberweapons are and when they
   have been used in the past. (Dani Player, Sarah Parnass/The Washington
   Post)
   
   The company said in a statement Wednesday that it "doesn't have
   inappropriate ties with any government, which is why no credible
   evidence has been presented publicly by anyone or any organization to
   back up the false allegations made against the company."
   
   It also said that the Russian law requiring assistance does not apply
   to the company.
   
   "Kaspersky Lab has never helped, nor will help, any government in the
   world with its cyberespionage or offensive cyber efforts, and it's
   disconcerting that a private company can be considered guilty until
   proven innocent, due to geopolitical issues," Kaspersky said. "The
   company looks forward to working with DHS, as Kaspersky Lab ardently
   believes a deeper examination of the company will substantiate that
   these allegations are without merit."
   
   The department is giving Kaspersky 90 days to prove its products are
   not a security risk or to mitigate the concerns.
   
   "We've determined that [Kaspersky software] poses an unacceptable
   amount of risk based on our assessment," said Christopher Krebs, a
   senior DHS official in the National Protection and Programs
   Directorate. "If they want to provide additional information or
   mitigation strategies, our door is open."
   
   The directive comes in the wake of an unprecedented Russian operation
   to interfere in the U.S. presidential election, with Russian spy
   services hacking the networks of the Democratic National Committee and
   other political organizations and releasing damaging information.
   
   [Obama's secret struggle to punish Russia for Putin's election assault]
   
   At least a half-dozen federal agencies run Kaspersky on their networks,
   U.S. officials said, although there may be other networks where an
   agency's chief information security officer — the official ultimately
   responsible for systems security — might not be aware it is being used.
   
   The order applies only to civilian government networks. The Defense
   Department, which includes the National Security Agency, does not use
   Kaspersky software, officials said.
   
   Meanwhile, the directive may also put pressure on state and local
   governments that use Kaspersky products. Many had been left to
   speculate about the risks of sticking with the company or abandoning
   taxpayer-funded contracts, sometimes at great cost. In July, The
   Washington Post found several state and local agencies that used
   Kaspersky's anti-virus or security software had purchased or supported
   the software within the past two years.
   
   The U.S. intelligence community has long assessed that Kaspersky has
   ties to the Russian government. The company's founder, Eugene
   Kaspersky, graduated from a KGB-supported cryptography school and had
   worked in Russian military intelligence.
   
   Rob Joyce, the White House cybersecurity coordinator and a former NSA
   official, hailed the move. The idea that data collected by software on
   government networks could wind up with Russian spy agencies "was an
   unacceptable risk," he said Wednesday at the Billington CyberSecurity
   Summit in Washington.
   
   Concerns about Kaspersky software had been brewing for years. Federal
   law enforcement officials warned some congressional staffers as early
   as November 2015 not to meet with employees from Kaspersky, because of
   concerns about electronic surveillance. The concerns mounted in recent
   months, and DHS officials saw an opportunity to take action. Last week,
   Best Buy announced it would stop selling Kaspersky products, because of
   fears of ties to Russian government.
   
   Sen. Jeanne Shaheen (D-N.H.), an outspoken critic of Kaspersky, said
   the DHS announcement is "a significant step forward in improving our
   national security and protecting against such vulnerabilities on
   federal systems." She has proposed amendments to the 2018 National
   Defense Authorization Act that would ban the use of Kaspersky products
   at the Defense Department and across the government.
   
   In announcing its July decision, the GSA underscored that its mission
   was to "ensure the integrity and security of U.S. government systems
   and networks" and that Kaspersky was delisted "after review and careful
   consideration." The action removed the company from the list of
   products approved for purchase on federal systems and at discounted
   prices for state governments.
   
   Joseph Lorenzo Hall, chief technologist at the Center for Democracy and
   Technology, said he is concerned the public has not seen evidence of
   malfeasance by Kaspersky but only "intelligence-community rumblings
   about the potential for back doors" — a reference in the tech world to
   holes in software that allow unauthorized parties to gain access to a
   program or system.
   
   But intelligence agencies have information that leads them to believe
   Kaspersky products are essentially conduits for Russian espionage,
   officials say privately. At a Senate Intelligence Committee hearing in
   May, the chiefs of six major U.S. spy agencies all said they would not
   use Kaspersky software on their computers.
   
   Aaron C. Davis contributed to this report
   1.3K Comments
   
   Ellen Nakashima is a national security reporter for The Washington
   Post. She focuses on issues relating to intelligence, technology and
   civil liberties.  Follow @nakashimae
   Jack Gillum is a reporter on the investigative team at The Washington
   Post.  Follow @jackgillum "



Security
Homeland Security drops the hammer on Kaspersky Lab with preemptive ban
Government departments have 90 days to rip and replace
By Iain Thomson in San Francisco 13 Sep 2017 at 20:08
http://www.theregister.co.uk/2017/09/13/homeland_security_bans_kaspersky_products/

   Despite pending legislation to ban US federal government offices from
   using Kaspersky Lab security software, Homeland Security has issued a
   Binding Operational Directive demanding that the products be removed
   within 90 days.
   
   The directive gives government IT managers 30 days to identify which –
   if any – of their systems have Kaspersky software installed, 60 days to
   develop a plan to get rid of it, and by the 90-day mark it must be
   uninstalled, unless the DHS advises them otherwise in the meantime.
   
   "The Department is concerned about the ties between certain Kaspersky
   officials and Russian intelligence and other government agencies, and
   requirements under Russian law that allow Russian intelligence agencies
   to request or compel assistance from Kaspersky and to intercept
   communications transiting Russian networks," the agency said in a
   statement.
   
   "The risk that the Russian government, whether acting on its own or in
   collaboration with Kaspersky, could capitalize on access provided by
   Kaspersky products to compromise federal information and information
   systems directly implicates US national security."
   
   Red Panic grips US

   Only last week, US Senator Jeanne Shaheen (D-NH) introduced legislation
    to do exactly the same job, but the DHS isn't waiting for Congress to
   act and went ahead with the directive. On Friday, US big-box retailer
   Best Buy pulled Kaspersky software from its shelves, although it
   declined to say why.
   
   Not that Eugene Kaspersky is all that bothered. On Tuesday he said that
   the firm doesn't really have much in the way of sales to the US
   government, but that it was opening three new offices in the Land of
   the FreeTM to cope with customer demand.
   
   The DHS did say that it would like Kaspersky to get in contact with its
   officers to provide evidence that their software is all kosher and
   correct. That's rather odd, since Kaspersky has repeatedly offered to
   let government inspectors look through its source code to check for any
   backdoors.
   
   "Given that Kaspersky Lab doesn't have inappropriate ties with any
   government, the company is disappointed with the decision by the DHS,
   but also is grateful for the opportunity to provide additional
   information to the agency in order to confirm that these allegations
   are completely unfounded," a spokesperson from Kaspersky told The
   Register.
   
   "No credible evidence has been presented publicly by anyone or any
   organization, as the accusations are based on false allegations and
   inaccurate assumptions, including claims about the impact of Russian
   regulations and policies on the company. Kaspersky Lab has never
   helped, nor will help, any government in the world with its
   cyberespionage or offensive cyber efforts, and it's disconcerting that
   a private company can be considered guilty until proven innocent, due
   to geopolitical issues."
   
   US intelligence agencies have been briefing politicians and trusted
   businesspeople in private about the supposed dangers of the Russian
   firm's code for months now, but haven't offered up a jot of evidence to
   back up their claims in public. Much like Iraqi weapons of mass
   destruction, we're being asked to trust them on this one.
   
   There are two possibilities here:
   
   1. Kaspersky is a tool of the FSB and the intelligence community has hard
      evidence of this. If that's so, then they should make it public so that
      ordinary consumers can make their choices from a position of knowledge.
   
   2. The other option, mooted by some in the security community, is that the
      US government is pissed off because Kaspersky has found and reported on
      multiple instances of malware that appear to have been created by the
      men and women of the NSA. In the current climate, Russia-bashing is
      popular and the theory goes that the US intelligence community wants a
      bit of payback.
   
   The move against Kaspersky might be popular in the US, but President
   Putin is reportedly pissed off at a Russian firm being targeted in the
   US. Last week he told technology executives in Russia that they should
   avoid foreign software and use only Russian code.
   
   It's worth noting that China banned Kaspersky software from government
   contracts in 2014. But it also banned Symantec's code from its systems
   as well. Only Chinese security software is on the approved purchasing
   list. ®
   75 Comments  "