The U.S. Department of Homeland Security (DHS) has directed federal agencies to end their use of Kaspersky software amid concerns over the company's ties to the Russian government, The Washington Post reports. Agencies will have 30 days to "identify any presence of Kaspersky products on their information systems," 60 days to develop plans to remove and discontinue use of the products, and 90 days to implement said plans.
This follows increasing scrutiny Kaspersky products have faced in recent months amid heightened concerns around potential Russian-borne cyber threats. The DHS directive states:
This action is based on information security risks presented by the use of Kaspersky Products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The Risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
For its part, Kaspersky has denied any nefarious ties to the Russian government, but a Bloomberg report from July alleged that the Moscow-based cybersecurity firm had been working with Russian intelligence. In recent months, U.S. government officials have also drafted legislation that would ban Kaspersky software on government machines. The uncertainty surrounding Kaspersky products also caused Best Buy to pull its software from shelves this past week.
DHS says that Kaspersky will have an opportunity to submit a written response to address or attempt to mitigate the department's concerns.