After careful consideration of available information and consultation with interagency partners, Acting Secretary of Homeland Security Elaine Duke today issued a Binding Operational Directive (BOD) directing Federal Executive Branch departments and agencies to take actions related to the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.
(American government agencies are now banned from using software created by the Russian cybersecurity firm Kaspersky Lab. Courtesy of Wochit News and YouTube)
The BOD calls on departments and agencies to:
- Identify any use or presence of Kaspersky products on their information systems in the next 30 days,
- Develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and
- At 90 days from the date of this directive, unless directed otherwise by DHS based on new information, begin to implement the agency plans to discontinue use and remove the products from information systems.
This action is based on the information security risks presented by the use of Kaspersky products on federal information systems.
Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.
(The FBI warned about the popular anti-virus software linked to Russia’s government back in August. Kaspersky Lab products are widely used by businesses and some government offices across the country. Federal officials are concerned the software may be feeding user information to Russian intelligence. Courtesy of CBS This Morning and YouTube. Posted on Aug 23, 2017)
The Department is concerned about:
- Ties between certain Kaspersky officials and Russian intelligence and other government agencies, and
- Requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.
The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
The Department’s priority is to ensure the integrity and security of federal information systems.
Safeguarding federal government systems requires reducing potential vulnerabilities, protecting against cyber intrusions, and anticipating future threats.
While this action involves products of a Russian-owned and operated company, the Department will take appropriate action related to the products of any company that present a security risk based on DHS’s internal risk management and assessment process.
(American officials have been meeting with private companies to discourage them from doing business with cybersecurity firm Kaspersky Lab because of links to the Kremlin. Courtesy of CBS News and YouTube. Posted on Aug 22, 2017)
DHS is providing an opportunity for Kaspersky to submit a written response addressing the Department’s concerns or to mitigate those concerns.
The Department wants to ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant.
This opportunity is also available to any other entity that claims its commercial interests will be directly impacted by the directive.
Further information about this process will be available in a Federal Register Notice.