Pulling the Plug on Kaspersky

The Department of Homeland Security has issued Binding Operational Directive 17-01, ordering all federal departments and agencies to discontinue use of any software made by the Russian cybersecurity firm Kaspersky Lab.  According to the directive, DHS is “…concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies…,” as well as “…requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky…”

The directive gives all federal branches 30 days to identify and report the presence of any Kaspersky product on government information systems and networks, followed by an additional 30 days to develop detailed plans for removing all software produced by the company.  The process of ensuring full deletion is expected to take a further 30 days.

If all goes as planned, all traces of Kaspersky software should be purged from U.S. government IT assets no later than 90 days after issuance of the directive.

The announcement comes in the wake of persistent rumors about the company’s alleged links to the Kremlin.  While solid proof of these allegations hasn’t (yet) been made public, we do know that the company's founder, Eugene Kaspersky, is a former Russian intelligence officer, as are several other key employees of the company.

Kaspersky representatives have fervently denied any such connections to the Kremlin.

The current DHS ban only applies to civilian branches of government, but Senator Jeanne Shaheen (D-N.H.) is spearheading an effort to extend the ban to the Department of Defense and any elements of the government not already subject to Binding Operational Directive 17-01.  Calling the directive "a significant step forward," Senator Shaheen added that, “the strong ties between Kaspersky Lab and the Kremlin are very alarming."