US agencies ordered to stop using Russian company’s software

A sign above the headquarters of Kaspersky Lab in Moscow, Russia. (AP Photo/Pavel Golovkin)

WASHINGTON (AP) — The U.S. on Wednesday banned federal agencies from using computer software supplied by Kaspersky Lab because of concerns about the company’s ties to the Kremlin and Russian spy operations.

The directive issued by acting Homeland Security Secretary Elaine Duke comes as various U.S. law enforcement and intelligence agencies and several congressional committees are investigating Russian meddling in the 2016 presidential election.

Kaspersky said in a statement that it was disappointed by the directive and insisted “it does not have unethical ties or affiliations with any government, including Russia.”

Duke directed all U.S. federal agencies and departments to stop using products or services supplied directly or indirectly by the Russian-owned and operated company. The directive gives agencies 30 days to determine whether they are using any Kaspersky products. The software must be removed from all information systems within 90 days.

“The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies,” the directive said. It said the department also is concerned about Russian laws that would permit Russian spy agencies to compel Kaspersky to provide assistance or intercept communications transiting Russian networks.

“The risk that the Russian government — whether acting on its own or in collaboration with Kaspersky — could capitalize on access provided by Kaspersky products (in order) to compromise federal information and information systems directly implicates U.S. national security,” the directive said.

The directive provides Kaspersky an opportunity to respond or mitigate the department’s concerns.

Kaspersky said the company was happy to have an opportunity to provide information to show that the allegations are unfounded.

“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company,” Kaspersky said.

Kaspersky said it is not subject to the Russian laws cited in the directive and said information received by the company is protected in accordance with legal requirements and stringent industry standards, including encryption.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” Kaspersky said.

Electronics retailer Best Buy has removed Kaspersky products from its shelves, although it declined to explain why. Amazon, which sells Kaspersky software, declined to comment. Staples and Office Depot, both of which sell the software, didn’t immediately return messages seeking comment.

The chief executive of the software company, Eugene Kaspersky, is a mathematical engineer who attended a KGB-sponsored school and once worked for Russia’s Ministry of Defense. His critics say it’s unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin.

At a Senate intelligence committee hearing in May, top U.S. officials were asked whether they would be comfortable with Kaspersky software on their computers.

“No” was the reply given by then-acting FBI Director Andrew McCabe, CIA Director Mike Pompeo, National Intelligence Director Dan Coats, National Security Agency Director Adm. Mike Rogers, National Geospatial-Intelligence Agency Director Robert Cardillo and Defense Intelligence Agency Director Lt. Gen. Vincent Stewart.

Democrats on Capitol Hill applauded the decision.

Minnesota Sen. Amy Klobuchar, the ranking Democrat on the Senate Rules Committee, sent a letter to Duke asking the department for information about the government’s use of Kaspersky products, especially on critical infrastructure and election systems.

“While our intelligence agencies may not use Kaspersky software, other federal agencies do,” Klobuchar wrote. “Public contracting reports show that Kaspersky Lab software has been used by the Department of Justice, the Treasury Department, the Department of State and several other agencies.

“Given that our intelligence officials would not use Kaspersky Lab software, it is alarming that essential U.S. government agencies do. This is especially concerning because the Russian government is actively trying to undermine our democracy.”

Sen. Jeanne Shaheen, D-N.H., who has been voicing concern about Kaspersky for months, said the directive was a positive step. She called the company’s ties with the Kremlin “alarming.”

Shaheen has been working to pass a government-wide ban on Kaspersky software, which would effectively make the directive the law. In June, she successfully amended the defense policy bill to ban the Defense Department from using Kaspersky software. Since then, she’s offered another amendment to the bill, which is being debated on the Senate floor, to extend the ban to the entire federal government.

Rep. Bennie Thompson, D-Miss., the ranking member of the House Homeland Security Committee, said that since the election, questions have intensified about federal information networks use of the Russian company’s software.

“To date, DHS had only issued four binding operational directives to federal agencies and they’ve done so quietly,” Thompson said. “It is clear that DHS’s decision to issue this directive, in a very public way, is significant.”