Kaspersky Lab is once again in the news as questions are being raised about the role of Kaspersky software in a reported hack of the National Security Agency. The story repeats the all-too-frequent scenario of an employee, in this case a government contractor, transferring files from work to his home computer, with that action leading to the disclosure of sensitive information. In this case the data is said to have included “highly classified U.S. cyber secrets,” and Russian hackers are alleged to have accessed the employee’s home computer through Kaspersky software. Kaspersky software, including its popular antivirus tools, is developed by a company with alleged ties to the Russian government.
Last month the U.S. Department of Homeland Security (DHS) announced plans for the federal government to terminate “the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.” The federal government’s decision on Kaspersky reflects long-standing concerns about the company’s ties to the Russian Government and, in particular, to the Russian intelligence and security agency known as the Federal Security Service (FSB). U.S. media reports have highlighted worries that Kaspersky software and tools, which run with broad access to the systems they protect, might be used to collect data from those systems or otherwise create opportunities for Russian cyber operations. Last week’s report about the hacking of the National Security Agency adds fuel to that fire, and it builds on tensions that have been exacerbated by Kaspersky’s efforts to publicly attribute certain cyber activities to the U.S. Government (which, it should be pointed out, Kaspersky has also done in relation to other States).
The U.S. Government’s decision to remove Kaspersky software from government systems occurs against the backdrop of a heightened focus on cybersecurity across the federal government, including an Executive Order, additional Defense Department information security standards, and other new compliance requirements to be included in most federal contracts. The DHS directive required all federal agencies to identify the software on their systems, develop a removal plan, and begin removing the software within 90 days. What might this decision mean for government contractors currently using the software and/or tasked with removing the software from government systems?