Government’s Kaspersky Use Still a Mystery, Even After Ban

Congress and Homeland Security are still grappling with the extent of the Russian cybersecurity firm’s presence on federal systems.

AP Photo/Raphael Satter
Sept. 18, 2017, 8 p.m.

Despite the blanket ban issued last week on the U.S. government’s use of products from Russian cybersecurity firm Kaspersky Labs, there’s still broad uncertainty over how widespread the use of the potentially compromised software is on federal networks.

That’s not true for all agencies, some of which were able to provide an accounting of Kaspersky’s presence on their systems. The Transportation Department and the Environmental Protection Agency, for example, were both able to confirm that Kaspersky software was not deployed on their networks. A State Department spokesman told National Journal that the agency entered into three contracts for Kaspersky antivirus software since fiscal 2012, which together totaled less than $9,000. The spokesman added there were no confirmed instances of Kaspersky software loaded onto the State Department’s OpenNet enterprise network, which links together the department’s various computer systems around the globe.

But other agencies are a virtual black hole when it comes to Kaspersky, a popular Moscow-based company suspected of threatening U.S. network security through its alleged close ties with Russian intelligence agencies. Citing “operational security,” a Defense Department spokeswoman said the Pentagon could not answer questions regarding its use of Kaspersky products or services. The Treasury Department did not respond to a request for comment, and the Department of Justice declined to comment (though evidence from a federal website that tracks government spending indicates that over the past two years, the Justice Department has entered into several contracts with Kaspersky worth hundreds of thousands of dollars in total).

Even the agency spearheading the Kaspersky ban seems unclear about the Russian firm’s presence on its own networks. In last Wednesday’s government-wide order, the Homeland Security Department laid out a plan for each agency to identify any Kaspersky Labs products on its networks over the next 30 days. But when asked if Homeland Security had spent money on Kaspersky in the last five years, or if any sub-agencies were currently operating Kaspersky products, a DHS official told National Journal that the department “will follow its own guidance and complete the process required to identify the use of these products. If any are found, DHS will develop a plan as directed.”

The ongoing uncertainty is not for want of asking. Lawmakers have been seeking answers on the use of Kaspersky by federal agencies since at least May, after top U.S. intelligence officials told the Senate Intelligence Committee they would be uncomfortable using the firm’s software on their networks. Later that month, then-Homeland Security Secretary John Kelly admitted his department was likely running Kaspersky on some of its systems, prompting Democratic Sen. Joe Manchin to demand a complete report on the Russian company’s presence at Homeland Security. In late July, Rep. Lamar Smith, the chairman of the House Science, Space, and Technology Committee, put in a similar request to each of the Cabinet-level agencies.

But a Smith spokeswoman says the chairman has so far only received responses from some federal agencies (she didn’t say which). Manchin’s office did not respond to repeated requests asking whether the senator has received the promised Homeland Security report. And a DHS spokesman confirmed that despite the ban, the department does not yet have information on the full extent of Kaspersky use across the federal government.

David O’Brien, a senior researcher at Harvard University’s Berkman Klein Center for Internet and Society, believes most federal agencies won’t have a complete record of their use of Kaspersky products for some time. “I look a little bit skeptically at having hard and fast numbers in a 30-day period, or within a couple of months,” he said, adding that most federal networks are sprawling, byzantine entities that will take some time to comb through thoroughly. He also noted that old procurement documents will paint only a partial picture, since agencies are likely to have purchased hardware containing pre-installed Kaspersky products or contracted with third-party vendors who still use Kaspersky. Just from knowing how disorganized government IT can be, my guess is it’s going to take much longer than they think,” he said.

But there are still steps agencies can take to prevent unwanted espionage while they work to find and remove Kaspersky products. “Just because the software is on the system doesn’t mean that the risks that it poses can’t be mitigated in some other way,” O’Brien said. Agencies will need to monitor network traffic in real time, and perhaps add additional layers to their cybersecurity systems, while they expunge Kaspersky from their networks, he said.

In the meantime, Congress plans to continue pressuring federal agencies on Kaspersky. A provision in the National Defense Authorization Act is set to codify the Kaspersky ban into federal law. And Jeanette Manfra, the acting DHS deputy undersecretary of cybersecurity and communications, is slated to testify before the House Science Committee on Sept. 27. A committee spokeswoman said one key question at the hearing will be the extent to which the federal government uses Kaspersky products.

Eugene Kaspersky, the Russian-born founder of Kaspersky Labs, is also set to testify before the House committee on Sept. 27. Kaspersky has vehemently denied any untoward connection between his firm and the Kremlin, instead blaming rising international tensions and Russophobia for the crackdown against his company.

What We're Following See More »
Mueller: No Evidence of Collusion
10 hours ago

"The investigation led by Robert S. Mueller III found that neither President Trump nor any of his aides conspired or coordinated with the Russian government’s 2016 election interference, according to a summary of the special counsel’s findings made public on Sunday by Attorney General William P. Barr. The summary also said that the special counsel’s team lacked sufficient evidence to establish that President Trump illegally obstructed justice, but added that Mr. Mueller’s team stopped short of exonerating Mr. Trump." Read Barr's summary here.

Barr Releases Mueller Summary Letter to Congrees
10 hours ago
Mueller Reports
2 days ago

"The special counsel, Robert S. Mueller III, has delivered a report on his inquiry into Russian interference in the 2016 election to Attorney General William P. Barr ... Barr told congressional leaders in a letter late Friday that he may brief them within days on the special counsel’s findings. 'I may be in a position to advise you of the special counsel’s principal conclusions as soon as this weekend,' he wrote in a letter to the leadership of the House and Senate Judiciary committees. It is up to Mr. Barr how much of the report to share with Congress and, by extension, the American public. The House voted unanimously in March on a nonbinding resolution to make public the report’s findings, an indication of the deep support within both parties to air whatever evidence prosecutors uncovered."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.