Federal agencies are so far unable to comply with a law banning Kaspersky Lab software from U.S. government networks by October, The Daily Beast has learned. Multiple divisions of the U.S. government are confronting the reality that code written by the Moscow-based security company is embedded deep within American infrastructure, in routers, firewalls, and other hardware—and nobody is certain how to get rid of it.
“It’s messy, and it’s going to take way longer than a year,” said one U.S. official. “Congress didn’t give anyone money to replace these devices, and the budget had no wiggle-room to begin with.”
At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of “any hardware, software, or services developed or provided, in whole or in part,” by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed “Kaspersky-branded” products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky’s presence in federal networks in the wake of Russia’s 2016 election interference campaign.
America’s intelligence chiefs have, too, issued public warnings about Kaspersky software. When asked by Sen. Marco Rubio (R-FL) at an intelligence committee hearing last year whether they would be comfortable using Kaspersky software on their computers, all six of the top intelligence leaders—from the Central Intelligence Agency chief to the director of National Intelligence—had the same answer: No.
While Kaspersky Lab is well respected in security circles, in some quarters of the U.S. national security community the company has long been tainted by perceived ties to Russian intelligence and the Kremlin—charges that the company denies.
Even less hawkish U.S. officials worry that the company could be compelled under Russian law to weaponize their code to spy on U.S. government networks. The company works so closely with Russia’s Federal Security Service, or FSB, that agents are sometimes embedded in the firm’s Moscow headquarters. And like virtually all anti-virus products, Kaspersky’s has complete access to any computer on which it’s running, including the ability to riffle through files and, depending on the configuration, upload them to Kaspersky’s servers in Russia. It can also execute arbitrary instructions transmitted from the company’s headquarters.
But despite company founder Eugene Kaspersky’s training at a KGB-sponsored institute, despite his close parroting of Kremlin rhetoric, and despite his team’s habit of exposing the most sensitive of U.S. cyber-espionage operations, there’s no public, conclusive evidence that these capabilities have ever been co-opted by Moscow. (Eugene Kaspersky frequently points out, accurately, that the company has revealed cyber-espionage campaigns originating from a multitude of countries, including some linked to the Russian government.)
However, the anti-Kaspersky train picked up steam following revelations last year of a bizarre incident in which the company slurped up classified documents and source code from the home computer of a National Security Agency contractor running Kaspersky Internet Security software. That contractor, Nghia Hoang Pho, pleaded guilty last year to willfully mishandling classified material by taking it home.
Kaspersky claimed the incident was an unintended byproduct of its routine malware scanning. The source code was for an NSA hacking tool, which Kaspersky’s product properly flagged for analysis by malware researchers. But because the code was bundled in a ZIP archive with the classified documents, Kaspersky’s software uploaded the entire thing. When Eugene Kaspersky realized what had happened, he ordered his researchers to immediately delete their copy of the documents and code, the company asserted in a blog post last year. “The archive was not shared with any third parties,” the company wrote.
In September, the brewing controversy came to a head when then-acting Homeland Security chief Elaine Duke issued a formal “binding operational directive” (BOD) requiring agencies to remove Kaspersky-branded software from their networks. The BOD followed a legislative push by Sen. Jeanne Shaheen (D-NH) to codify a more extensive Kaspersky ban into law.
The senator’s effort culminated in section 1634 of the NDAA, mandating a full government purge of Kaspersky code by Oct. 1 of this year. Unlike the BOD, this ban is not limited to software bearing the Kaspersky name, which was relatively easy to find and remove. It also extends to any Kaspersky code embedded in third-party products, and specifically includes hardware. Kaspersky filed a lawsuit to try and overturn the ban.
Kaspersky’s website showcases scores of technology partners who’ve used the company’s software development kits to bake Kaspersky code into their own products. That includes big names in services or software like Amazon and Microsoft, and networking hardware firms like D-Link, Check Point, and Allied Telesis—a major government supplier—that have baked Kaspersky’s code into firewall appliances. The networking giant Juniper Networks offered Kaspersky a full range of routers, gateways, and firewalls. Broadcom, which makes everything from Wi-Fi chips to fiber optic components, is listed as a technology partner, though it’s not clear for what product, and Broadcom declined comment.
It’s unclear if the list on Kaspersky’s website is comprehensive—the company isn’t saying—and at press time Kaspersky was redirecting U.S. visitors to an identical webpage without the list of partners.
With a dearth of good information, the picture painted by sources in the executive branch and on Capitol Hill is of an IT directive transformed by uncertainty into a sprawling cyber snipe hunt, with officials looking for Russian code in unlikely places like smartphone chipsets.
Five congressional sources charged with overseeing the government’s compliance with section 1634 told The Daily Beast that they’ve grown concerned in recent weeks that the Department of Homeland Security has not raised red flags about these known hardware issues preventing the department from fully implementing the NDAA provision—leading many of them to doubt whether the government will be able to meet the Oct. 1 deadline.
DHS is responsible for overseeing the ban’s implementation for all agencies except the Pentagon. Homeland Security Secretary Kirstjen Nielsen acknowledged the difficulty of the job during a Senate appropriations subcommittee hearing earlier this month.
“Unfortunately for many of the third-party providers, they weren’t even aware they had Kaspersky on their systems and within their products,” Nielsen said. “It’s very important for us to understand not only who our contractors are contracting with, but when they provide a service or software, what’s embedded there within.”
Nielsen added that the department has conducted “assessments and modeling” to try and pinpoint Kaspersky code. When Shaheen pressed Nielsen for a progress report on the purge, the director replied that she wasn’t prepared with specifics. “I can’t get you the exact figures, which I’m happy to do later today,” she answered in the May 8 hearing.
Two weeks later, Shaheen’s office has not received that information, and the silence is raising alarm among staffers and lawmakers who worry that the U.S. may be incapable of even discovering whose code is running the government’s infrastructure. Two congressional sources who deal with the Kaspersky issue told The Daily Beast that they were uncertain if DHS even maintains data on third-party software and hardware with Kaspersky under the hood.
The Department of Homeland Security declined to comment for this story, citing the pending legal actions by Kaspersky. The Pentagon, which heads the military portion of the Kaspersky ban, was unable to comment before press time.
Kaspersky has filed a separate lawsuit seeking to overturn the NDAA ban. “Kaspersky Lab maintains that these provisions are unconstitutional and unfairly target the company for legislative punishment, without any meaningful fact-finding or evidence,” a company spokesperson said in a statement.
A U.S. official with direct knowledge of the ban’s implementation says there’s plenty of blame to go around in the debacle. The law ordering the full ban didn’t come with an appropriation to replace any products found inexorably entwined with the outlawed code. Moreover, confusion reigns over the entire matter of government cybersecurity.
“There are so many subcommittees claiming jurisdiction over cybersecurity issues that there are different panels of oversight, different pots of money,” said the official. “The executive branch is being torn in different directions… The legislative branch, in their refusal to effectively organize on this issue, shares equal responsibility with the executive for failures in U.S. government cybersecurity.”
In the end, the official said, the U.S. can’t police its infrastructure without more transparency from its vendors about the code they’re selling. “This is not about one particular company… Industry should be leading the way on supply-chain risk management, and if they don’t the government is going to step up to fill that role, and it won’t be elegant.”
Lawmakers have pushed for transparency from third-party vendors, but to no avail. In 2014, Rep. Ed Royce (R-CA) introduced the Cyber Supply Chain Management and Transparency Act, which would have required third-party contractors to disclose “each binary component that is used in the software, firmware, or product.” That legislation never went anywhere and, in the meantime, lawmakers have been exploring other reforms to supplement last year’s NDAA provision.
“Implementation challenges should lead the U.S. government to increase vigilance on supply chain vulnerabilities and cybersecurity,” Shaheen told The Daily Beast. “Similar to the productive cooperation to ban Kaspersky Lab products across the federal government, Congress and this administration should continue to work together to harden federal cyber defenses, and look at reforms to the acquisition process so that we’re not unintentionally inviting adversaries into our most sensitive systems.”
“Juniper is no longer providing Kaspersky in our active products,” said Juniper spokesperson Leslie Moore in an email. “In older products that may have utilized Kaspersky, it was not shipped nor turned on by default—the user had to choose to activate it, and we always provided clear instructions on how to remove it.”