Section 1634 of the government’s National Defense Authorization Act for Fiscal Year 2018 now bans federal agencies from using software developed by Moscow-based Kaspersky Lab. The ban became law on Tuesday, December 12, signed by President Donald Trump, after the entire NDAA was introduced as a bill by the House of Representatives in June (H.R. 2810). The NDAA also covers plans for Army/Navy/Air Force programs, Reserve Forces, office personnel policy, military justice, and more.
The ban on using anything developed by Kaspersky Lab will begin October 1, 2018. It includes any company that serves as a successor, any company with a major part owned by Kaspersky, and any entity that controls, is controlled by, or is under common control with Kaspersky Lab. Ultimately, the law covers any software that may be remotely related to the Russian computer security firm.
“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part,” the law states.
The government is now investigating the saturation of Kaspersky Lab’s software and services in federal agencies, and will submit a mostly unclassified report to congressional committees within 180 days. It will detail plans regarding the removal of software, prevention of the software, steps taken by supply chain risk management, monitoring information technology networks, and more.
“Considering the grave risk that Kaspersky Lab poses to our national security, it’s necessary that the current directive to remove Kaspersky Lab software from government computers be broadened and reinforced by statute,” said Senator Jeanne Shaheen (D-NH). “The case against Kaspersky is well-documented and deeply concerning.”
Shaheen claimed in September that Kaspersky Lab has “extensive” ties to Russian intelligence. By removing the software and discontinuing services, she believes the government will eliminate a security vulnerability that is possibly in use by Russian intelligence. In her defense are six top intelligence officials, who said during a public hearing that they wouldn’t be comfortable installing Kaspersky Lab software in their agencies. Unfortunately, their reasons are classified.
Shaheen pointed out months ago that Kaspersky Lab founder Eugene Kaspersky was part of the former Soviet Union’s KGB, and then became a software engineer for the Soviet military intelligence. And despite Kaspersky’s claims otherwise, the U.S. government supposedly has evidence that Kaspersky Lab is tied to the KGB successor: Russia’s Federal Security Service.
After Shaheen’s report in September, Kaspersky Lab said it would provide its source code to third parties as part of a new “comprehensive transparency initiative” starting early next year. The company also said it would establish transparency centers across the globe with three located in Asia, Europe, and North America by 2020. Still, Washington wasn’t completely convinced, and is now banning Kaspersky Lab’s software and services.
Naturally, Kaspersky Lab isn’t happy and accuses Congress of singling the company out due to the location of its headquarters. But if Russian intelligence really is using Kaspersky Lab software to gain data from American federal agencies, then Section 1634 is long overdue.