DHS says Kaspersky decision based on ‘open source’ information

The Department of Homeland Security’s (DHS) decision to bar federal agencies and departments from using Kaspersky Lab software was primarily based on open-source information, a department official said Tuesday. 

“That determination was based on the totality of evidence, including on the most part open-source information,” said Christopher Krebs, a senior cybersecurity official at DHS, during a House Homeland Security Committee hearing. 

In mid-September, the department issued a public operational directive telling agencies to come up with “detailed plans” to remove Kaspersky software from their systems, citing ties between Kaspersky officials and Russian intelligence and potential risks to U.S. national security. 

The announcement prompted questions about why DHS would issue such a public announcement without producing evidence to back it up. Kaspersky, which has headquarters in Moscow but operations worldwide, has long fought allegations in the media of ties to the Russian government.

The issue has caught the attention of Capitol Hill in light of concerns about Russian interference in the presidential election. 

On Tuesday, Rep. Jim Langevin (D-R.I.) asked Krebs, who is performing the duties of undersecretary at the National Protection and Programs Directorate (NPPD), to specify “what analysis led to the removal of Kaspersky from federal networks.” 

Though Krebs answered that the department primarily relied on “open-source” information to make the decision, he indicated that he would be willing to address the topic in a closed session. DHS officials typically brief committee members in a classified setting on a monthly basis.

Jeannette Manfra, another DHS cybersecurity official who was at the hearing, later told reporters on the sidelines of a Washington cybersecurity summit that Elaine Duke, the department’s acting secretary, “made her decisions based off of a variety of sources and information, much of which is unclassified.”

“We talked about how we arrived at those conclusions in the press statement concurrent to the issuance of the binding operational directive,” Manfra said. “We also are enabling the company and any other impacted entities to provide any additional material that we should consider. So we are in that process now.”

The Sept. 13 directive, which came from the very top of the department, raised an alarm that Kaspersky could wittingly or unwittingly allow the Russian government to compromise U.S. systems.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the directive said. 

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” it said. 

Lawmakers on both sides of the aisle expressed support for the decision.   

Kaspersky has described the allegations as unfounded and said that it will take DHS up on its offer to provide a written statement assuaging concerns about its anti-virus software. 

While the federal government has never produced evidence demonstrating ties between Kaspersky and the Russian government, the FBI is said to be pressing forward with a longstanding probe into the company.

Meanwhile, Eugene Kaspersky, the company’s founder, had been asked to testify before Congress in September, but the hearing before the House Science Committee has been postponed indefinitely.