A sign above the headquarters of Kaspersky Lab in Moscow.
Pavel Golovkin / AP
The Department of Homeland Security is banning US government agencies from using any products or services created by Kaspersky, an industry-leading Russian cybersecurity company.
Issuing a binding operational directive, DHS instructed all federal agencies to identify the Kaspersky products in use on government systems within the next 30 days, and to be prepared to remove those products within 90 days.
The move is the culmination of months of distrust of Kaspersky from figures in Washington, all tinged with the allegation that company has inappropriate ties with or can be compromised by Russian intelligence agencies.
Sen. Jeanne Shaheen (D-NH), citing classified information, has pushed for legislation to ban the government from using Kaspersky software. At a Senate Intelligence Committee hearing in May, six of the US’s top intelligence officials, including the directors of the Central Intelligence Agency and the National Security Agency, said they would not be comfortable personally using Kaspersky software.
In July, Bloomberg Businessweek published internal emails from 2009 in which founder and CEO Eugene Kaspersky told executives that the company was embarking on a new project at the behest of the FSB, the Russia's primary state security agency. Kaspersky responded that it and its employees “do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.”
On Friday, after news broke that the FBI had reportedly urged American retailers to stop selling Kaspersky products, Best Buy became the first major American retailer to stop selling them. Several other retailers that carry Kaspersky, including Amazon and Newegg, declined to confirm to BuzzFeed News that they were committed to continue to selling the firm's products. A spokesperson for Target said that “we currently carry Kaspersky products in Target stores and are reviewing this, given today’s news.”
Executives at some American cybersecurity companies questioned the blacklisting of one of the world's most renowned cybersecurity companies. The executives told BuzzFeed News that there was little evidence that Kaspersky was inappropriately beholden to the Russia government.
David Kennedy, founder of Cleveland-based TrustedSec, told BuzzFeed News, that there has “never” been any evidence presented publicly that Kaspersky has direct ties to the Russian government, though he said some evidence might have been presented in private.
“The truth is we don’t know if Kaspersky has direct ties,” he said.
Others suggested that whatever ties Kaspersky might have to the Russian government were similar to US firms' ties to the US government.
“The reason all this drama is happening is because there were articles that came out indicating that Kaspersky had ties to the Russian government,” said Dan Tentler, founder of Phobos Group. “And while there haven't been articles that have come out saying the same thing about US based companies, you have to understand that it's gotta be true of us here as well.”
In a statement provided to BuzzFeed News after the DHS announcement, Kaspersky said that it “has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”
But it hasn’t given up. “The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit,” the statement said.
Reached for comment soon after the DHS statement, a Kaspersky spokesperson indicated that despite grumblings from the US, it caught the company off guard.
“It’s such a tight turnaround for us! This is amazing. I can’t believe we didn’t get more advance [notice],” she said.