The Department of Homeland Security (DHS) is ordering federal agencies and departments to stop using software produced by Russian firm Kaspersky Lab, citing potential risks to U.S. national security.
The department says it’s concerned about ties between certain Kaspersky employees and the Russian government.
Elaine Duke, the department’s acting secretary, issued a binding operational directive on Wednesday ordering federal executive bodies to identify any Kaspersky products on their information systems within the next 30 days and come up with “detailed plans” to remove the security software.
Kaspersky has come under intense scrutiny in recent months amid news reports alleging connections between the firm and Russian intelligence. Eugene Kaspersky, the cybersecurity firm’s founder, has also been scrutinized for his education at a Soviet-era computer science institute backed by the KGB.
The multinational company, which has headquarters in Moscow but locations across the globe, has long maintained that it has no ties to the Russian government. But Kaspersky has attracted increased attention in the wake of Russia’s interference in the U.S. presidential election.
Homeland Security cited “information security risks” posed by the presence of Kaspersky software on federal information systems, explaining that Kaspersky products “provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.”
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS said Wednesday.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
Rob Joyce, President Trump’s cybersecurity coordinator, applauded DHS on Wednesday, calling the move a “risk-based decision.”
“For us, the idea of a piece of software that’s able to live on our networks and touch every file on those networks, going to be able to at the discretion of the company decide what goes back to their cloud in Russia, and then what you really need to understand is under Russian law, the company must collaborate with the FSB,” Joyce, speaking at a cybersecurity conference in Washington, said.
“For us in the government, it was an unacceptable risk.”
The U.S. government has not publicly produced evidence of links between Kaspersky and Russian intelligence. However, the FBI is said to be pursuing a probe into the company, interviewing some employees at their homes earlier this year.
Kaspersky has also attracted attention on Capitol Hill. In May, top intelligence officials testified that they would not be comfortable with Kaspersky software on their computers.
Sen. Jeanne Shaheen (D-N.H.) has introduced an amendment to annual defense policy legislation that would bar federal agencies from using Kaspersky products on their systems. On Wednesday, she applauded DHS for “heeding” her call, labeling Kaspersky a “direct threat to national security.”
The company, which produces lauded anti-virus software, boasts more than 400 million customers worldwide.
Agencies and departments are to begin removing Kaspersky products from their systems in three months.
DHS is giving Kaspersky the opportunity to submit a written response addressing the concerns raised or to mitigate concerns spelled out in the directive.
A spokesman for Kaspersky did not immediately respond to a request for comment.
Recently, Best Buy, the largest electronics retailer in the U.S., stopped selling Kaspersky software in its stores and on its website.