Binding Operational Directive (BOD) 17-01 is a dramatic escalation of a months-long campaign by U.S. intelligence officials, which have expressed concern about the Moscow-based security software vendor’s close ties to Russian spy agencies.
A statement from Homeland Security said that Acting Secretary Elaine Duke determined that continued use of Kaspersky products poses an unacceptable risk to U.S. national security.
“Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” DHS said in a statement.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the statement continued. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
DHS has offered Kaspersky Lab – and any other business that might be impacted by the decision – an opportunity to submit additional information that might mitigate the government’s concerns.
In an email to MSPmentor, Kaspersky Lab said it was disappointed by the decision but grateful for the chance to make its case to federal authorities.
“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company,” the company’s statement said. “Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.”
Further, the company says U.S. authorities are misinterpreting Russian policies and laws.
“The laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services,” the Kaspersky statement said. “Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.”
The latest business headwinds come a week after the Best Buy retail chain said it would not longer sell Kaspersky Lab products.
The decision also comes at a sensitive time for Kaspersky Lab’s channel push.
In April, the company launched a new partner program for MSPs and VARs, and last month, hired a new North America channel chief.
Eric O’Neill, a former FBI counter-intelligence agent who now works as national security strategist at security software vendor Carbon Black, said that the actions of Russian intelligence are to blame for Kaspersky Lab’s woes.
“Russian Intelligence doesn't play by any rule book,” he said in an email. “If nothing is sacred to spies, and Russia's brazen spy tactics continue, I can't fault the (U.S.) Federal Government for an overabundance of caution.”
“I also hope we are wrong,” O’Neill added. “Kaspersky is great software, but I'd like to know what the U.S. Intelligence community isn't telling us.”