President Trump has signed into law legislation banning the U.S. government from using products made by Kaspersky Lab, a Russian cybersecurity company accused of having ties with the Kremlin and facilitating its international espionage efforts.
The annual defense spending bill signed by the president on Tuesday [Dec. 12] includes a provision, Section 1634, prohibiting the federal government from using hardware, software or services developed or provided by Kaspersky Lab, reinforcing a multi-agency directive issued in September by the Department of Homeland Security amid concerns involving the company's antivirus software.
Following the DHS directive and a warning issued earlier this month by the U.K.'s top cybersecurity official, Mr. Trump's signature marks the latest effort by the U.S. and its allies to cut ties with Kaspersky, as concerns swell over its supposed ties to Russian intelligence and tensions worsen between the former Cold War foes.
Officials in both the U.S. and Britain have said they fear that Russia may exploit Kaspersky products to compromise information from targeted networks. Neither nation has provided specific examples, but recent reporting has indicated that Russian state-sponsored hackers leveraged a Kaspersky bug at least once to siphon classified secrets off the personal computer of a former U.S. National Security Agency employee.
"The case against Kaspersky is well-documented and deeply concerning," said Sen. Jeanne Shaheen, New Hampshire Democrat, a key proponent of the ban.
"This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems," she said in a statement.
Kaspersky has denied being in cahoots with Russian intelligence, but conceded that its antivirus software incidentally swept up an NSA hacking tool during a routine malware scan of a customer's computer in 2014.
"Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks," the company said in a statement Tuesday.
"All software, including various products more widely deployed in government networks than Kaspersky Lab software, can have vulnerabilities exploited by a malicious cyber actor," the firm said in a follow-up statement Wednesday. "Yet, Congress failed to address this fact or take a comprehensive look at federal IT sourcing policies to determine what improvements, if any, Congress could make to existing statutory and administrative authorities related to protecting government networks."
Section 1634 requires federal departments, agencies and organizations to cut ties with Kaspersky, and it mandates the Pentagon to submit a review of their progress within 180 days.
A Trump administration official testified previously that the DHS determined that only "a very small number" of federal agencies had installed Kaspersky products prior to September's directive being issued.
Rep. Lamar Smith, the chairman of the House Science, Space and Technology Committee, asked DHS last week for an update on the federal government's efforts to identify Kaspersky software and discontinue use.
"The federal government needs to leverage all resources to ensure that Kaspersky products on federal systems have been completely removed," said the Texas Republican. "The Committee's investigation is consistent with its broader goal of uncovering all risks associated with Kaspersky. This includes identifying all necessary actions needed to eliminate the risk, even beyond the risk to federal systems."
© 2018 Washington Times under contract with NewsEdge/Acquire Media. All rights reserved.