In a move likely to escalate tensions between Washington and Moscow, the Department of Homeland Security has ordered all federal agencies to stop using software made by the Russian cybersecurity firm Kaspersky Lab, citing concerns that the Moscow-based firm's software could give the Kremlin a foothold in the U.S. government.
The directive gives federal agencies 90 days to start removing the software from their networks.
Story Continued Below
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the department said in a statement.
Russia indicated in June that it might retaliate if the U.S. took such a step. Washington and Moscow are already engaged in an mushrooming back-and-forth over Russia's alleged cyberattacks targeting last year's presidential election. The U.S. slapped sanctions on Moscow and evicted scores of the country's diplomats, prompting the Kremlin to curtail the number of American diplomats in Russia.
Rumors have long swirled around Kaspersky and its possible links to the Kremlin. The company's founder, Eugene Kaspersky, and several other top employees are former Russian intelligence officers. And recent reports have alleged the company has links to the Kremlin — something Kaspersky vehemently denies.
Still, the intelligence community and many lawmakers have been worried about Kaspersky for years because of these possible ties. Those fears have only heightened after U.S. intelligence officials accused Moscow of orchestrating a massive digital campaign meant to undermine the 2016 U.S. election.
In July, the General Services Administration removed Kaspersky from a list of pre-approved technology products that agencies can buy, making it harder for government offices to purchase the Russian firm's products.
In its statement, DHS said it was concerned with “requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
A DHS spokesman told POLITICO the agency had briefed congressional committee staffers on the decision. Some lawmakers — Republicans and Democrats — have been considering legislative tweaks to reduce the government's use of Kaspersky software. The upcoming annual defense policy bill may bar the Pentagon and other agencies from employing the firm's products.
Wednesday's move received bipartisan praise among policymakers.
Sen. Jeanne Shaheen (D-N.H.), who is pushing to forbid the Defense Department and entire government from utilizing Kaspersky products, said the 'strong ties between Kaspersky Lab and the Kremlin are very alarming,' calling Wednesday's decision 'a significant step forward.'
The Trump administration's top cyber adviser, Rob Joyce, explained that officials had decided the risks were simply too high, given that Kaspersky sends some data back to its Moscow headquarters.
'The idea of a piece of software that’s going to live on our networks, going to touch every file on those networks, going to be able to — at the discretion of the company — decide what goes back to their cloud in Russia. ... For us in the government, that was an unacceptable risk,' he said, speaking at the Billington CyberSecurity Summit in Washington.
Joyce said the Trump administration considered potential Moscow retaliation — including the Kremlin restricting American companies' access to the Russian market — when weighing its decision.
'It encompassed all the elements of the risk, and that incorporated both implications to the U.S. and close partners, and allies’ commercial equities as well as our own,' he told reporters after his speech.
As it has before, Kaspersky vigorously disputed the allegations and concerns that led to the DHS decision, saying it was 'disappointed' and that the move had been made 'based on false allegations and inaccurate assumptions.'
Kaspersky 'does not have unethical ties or affiliations with any government, including Russia,' the company said in a statement.
The company said it would present its case to DHS 'to confirm that these allegations are completely unfounded.'
DHS issued its order under what's known as a 'binding operational directive.' Congress gave DHS the authority to issue these mandatory directions to other agencies during a 2014 update of a government information security law.
Under Wednesday's directive, agencies have 30 days to scan their networks for any Kaspersky software, and 60 days to develop a plan to eradicate it.