Despite the blanket ban issued last week on the U.S. government’s use of products from Russian cybersecurity firm Kaspersky Labs, there’s still broad uncertainty over how widespread the use of the potentially compromised software is on federal networks.
That’s not true for all agencies, some of which were able to provide an accounting of Kaspersky’s presence on their systems. The Transportation Department and the Environmental Protection Agency, for example, were both able to confirm that Kaspersky software was not deployed on their networks. A State Department spokesman told National Journal that the agency entered into three contracts for Kaspersky antivirus software since fiscal 2012, which together totaled less than $9,000. The spokesman added there were no confirmed instances of Kaspersky software loaded onto the State Department’s OpenNet enterprise network, which links together the department’s various computer systems around the globe.
But other agencies are a virtual black hole when it comes to Kaspersky, a popular Moscow-based company suspected of threatening U.S. network security through its alleged close ties with Russian intelligence agencies. Citing “operational security,” a Defense Department spokeswoman said the Pentagon could not answer questions regarding its use of Kaspersky products or services. The Treasury Department did not respond to a request for comment, and the Department of Justice declined to comment (though evidence from a federal website that tracks government spending indicates that over the past two years, the Justice Department has entered into several contracts with Kaspersky worth hundreds of thousands of dollars in total).
Even the agency spearheading the Kaspersky ban seems unclear about the Russian firm’s presence on its own networks. In last Wednesday’s government-wide order, the Homeland Security Department laid out a plan for each agency to identify any Kaspersky Labs products on its networks over the next 30 days. But when asked if Homeland Security had spent money on Kaspersky in the last five years, or if any sub-agencies were currently operating Kaspersky products, a DHS official told National Journal that the department “will follow its own guidance and complete the process required to identify the use of these products. If any are found, DHS will develop a plan as directed.”
The ongoing uncertainty is not for want of asking. Lawmakers have been seeking answers on the use of Kaspersky by federal agencies since at least May, after top U.S. intelligence officials told the Senate Intelligence Committee they would be uncomfortable using the firm’s software on their networks. Later that month, then-Homeland Security Secretary John Kelly admitted his department was likely running Kaspersky on some of its systems, prompting Democratic Sen. Joe Manchin to demand a complete report on the Russian company’s presence at Homeland Security. In late July, Rep. Lamar Smith, the chairman of the House Science, Space, and Technology Committee, put in a similar request to each of the Cabinet-level agencies.
But a Smith spokeswoman says the chairman has so far only received responses from some federal agencies (she didn’t say which). Manchin’s office did not respond to repeated requests asking whether the senator has received the promised Homeland Security report. And a DHS spokesman confirmed that despite the ban, the department does not yet have information on the full extent of Kaspersky use across the federal government.
David O’Brien, a senior researcher at Harvard University’s Berkman Klein Center for Internet and Society, believes most federal agencies won’t have a complete record of their use of Kaspersky products for some time. “I look a little bit skeptically at having hard and fast numbers in a 30-day period, or within a couple of months,” he said, adding that most federal networks are sprawling, byzantine entities that will take some time to comb through thoroughly. He also noted that old procurement documents will paint only a partial picture, since agencies are likely to have purchased hardware containing pre-installed Kaspersky products or contracted with third-party vendors who still use Kaspersky. “Just from knowing how disorganized government IT can be, my guess is it’s going to take much longer than they think,” he said.
But there are still steps agencies can take to prevent unwanted espionage while they work to find and remove Kaspersky products. “Just because the software is on the system doesn’t mean that the risks that it poses can’t be mitigated in some other way,” O’Brien said. Agencies will need to monitor network traffic in real time, and perhaps add additional layers to their cybersecurity systems, while they expunge Kaspersky from their networks, he said.
In the meantime, Congress plans to continue pressuring federal agencies on Kaspersky. A provision in the National Defense Authorization Act is set to codify the Kaspersky ban into federal law. And Jeanette Manfra, the acting DHS deputy undersecretary of cybersecurity and communications, is slated to testify before the House Science Committee on Sept. 27. A committee spokeswoman said one key question at the hearing will be the extent to which the federal government uses Kaspersky products.
Eugene Kaspersky, the Russian-born founder of Kaspersky Labs, is also set to testify before the House committee on Sept. 27. Kaspersky has vehemently denied any untoward connection between his firm and the Kremlin, instead blaming rising international tensions and Russophobia for the crackdown against his company.
What We're Following See More »
"The Department of Health and Human Services is spearheading an effort to establish a legal definition of sex under Title IX, the federal civil rights law that bans gender discrimination in education programs that receive government financial assistance, according to a memo obtained by The New York Times. The department argued in its memo that key government agencies needed to adopt an explicit and uniform definition of gender as determined 'on a biological basis that is clear, grounded in science, objective and administrable.' The agency’s proposed definition would define sex as either male or female, unchangeable, and determined by the genitals that a person is born with."
"Saudi Arabia said Saturday that Jamal Khashoggi, the dissident Saudi journalist who disappeared more than two weeks ago, had died after an argument and fistfight with unidentified men inside the Saudi Consulate in Istanbul. Eighteen men have been arrested and are being investigated in the case, Saudi state-run media reported without identifying any of them. State media also reported that Maj. Gen. Ahmed al-Assiri, the deputy director of Saudi intelligence, and other high-ranking intelligence officials had been dismissed."
"Special counsel Robert Mueller’s investigation is scrutinizing how a collection of activists and pundits intersected with WikiLeaks, the website that U.S. officials say was the primary conduit for publishing materials stolen by Russia, according to people familiar with the matter. Mr. Mueller’s team has recently questioned witnesses about the activities of longtime Trump confidante Roger Stone, including his contacts with WikiLeaks, and has obtained telephone records, according to the people familiar with the matter."
"Special Counsel Robert Mueller is expected to issue findings on core aspects of his Russia probe soon after the November midterm elections ... Specifically, Mueller is close to rendering judgment on two of the most explosive aspects of his inquiry: whether there were clear incidents of collusion between Russia and Donald Trump’s 2016 campaign, and whether the president took any actions that constitute obstruction of justice." Mueller has faced pressure to wrap up the investigation from Deputy Attorney General Rod Rosenstein, said an official, who would receive the results of the investigation and have "some discretion in deciding what is relayed to Congress and what is publicly released," if he remains at his post.