Trump officials face grilling from lawmakers over Russian cyber firm
Lawmakers are pressing the Trump administration for more information on its effort to crack down on the use of software produced by Moscow-based Kaspersky Lab in the wake of reports that Russian hackers exploited the cybersecurity firm’s anti-virus product to steal U.S. spy secrets.
The issue took center stage Wednesday at the first in a series of House hearings focused on the company, with lawmakers grilling current and former U.S. officials on the potential risks that Kaspersky anti-virus software poses to federal information systems.
Members of the House Science, Space and Technology Committee seized on recent media reports that Russian spies exploited Kaspersky software in order to gain access to top-secret files held on the personal computer of a National Security Agency (NSA) contractor in 2015.
“New revelations regarding cyber espionage continue to surface,” remarked Chairman Lamar Smith (R-Texas), promising that future hearings would allow lawmakers an opportunity “to uncover all aspects of Kaspersky Lab.”
Kaspersky sells anti-virus software to roughly 400 million customers around the world and also produces acclaimed cybersecurity threat research, most recently identifying details about a new variant of ransomware called Bad Rabbit that has been spreading in Ukraine and Russia.
However, the company has attracted scrutiny on Capitol Hill in recent months amid heightened fears over Russia’s interference in the 2016 presidential election.
Kaspersky sought to address questions ahead of the hearing Wednesday, releasing preliminary findings of an internal investigation into the alleged NSA incident that acknowledged its software had taken the NSA source code from a U.S. home computer in 2014.
The company said that the code was submitted to Kaspersky for analysis and later deleted and not shared with any third parties, insisting the findings confirmed that Kaspersky “has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like ‘top secret’ and ‘classified.'”
But the revelation triggered alarm among lawmakers.
“I think the revelation today that Kaspersky is now admitting that they were involved going back to 2014 I think raises a lot of red flags and alarm bells and there’s a lot more, I think, to learn there,” Rep. Darin LaHood (R-Ill.), who chairs the House Science Subcommittee on Oversight, told The Hill following the hearing.
“Today, we begin this process of looking into this, and I think we’ll continue to have further hearings and follow the leads and where the evidence goes.”
In July, the General Services Administration (GSA) moved to restrict government agencies from using products made by Kaspersky, while the Department of Homeland Security (DHS) last month gave federal agencies and departments 90 days to stop using the firm’s software, citing a risk that the Russian government could exploit Kaspersky’s access to infiltrate federal systems.
Sen. Jeanne Shaheen (D-N.H.), who has pushed for a government-wide ban on Kaspersky products, demanded on Wednesday that the administration declassify the information it has on the company.
A major question underlying recent reports about Russia leveraging Kaspersky software has been whether the cybersecurity firm was in any way complicit.
Still, one witness told House lawmakers on Wednesday that proving Kaspersky’s cooperation in any spying operation is not necessary to demonstrate the risk its software poses to government computers.
“The mere fact alone that foreign intelligence agencies have sought access through this implies there is a risk,” said Sean Kanuck, who served as the U.S. national intelligence officer for cyber issues from 2011 to 2016.
“Even without complicity, it is theoretically possible that all Kaspersky Lab corporate communications transiting nodes in Russia could possibly be monitored by the domestic security service on other telecom surveillance logs,” Kanuck said.
Some have wondered how Kaspersky software ended up on federal government computers in the first place.
A GSA official testified that the agency ordered Kaspersky products off of its approved list after discovering in July that three resellers were offering Kaspersky products through its federal contracts without getting the proper approval.
David Shive, the GSA’s chief information officer, said that he knew of conversations about Kaspersky risks dating back to last year.
“GSA became aware that there was some discussion about the risk associated with Kaspersky at the end of last year and then, as news came out, we did a couple of evaluations on the GSA internal enterprise,” Shive said. “When we found that we weren’t running Kaspersky internally, we did no further deep and rich analysis of the technology that Kaspersky uses.”
Republicans sought to pin the blame on the previous administration for failing to act on warnings about Kaspersky, citing articles dating back to 2015 alleging ties between the company and Russian intelligence.
They also pointed to recent reports that the Israeli government notified the NSA in 2015 that its secret hacking tools had been discovered on Kaspersky’s network.
“Frankly, I’m embarrassed,” said Rep. Roger Marshall (R-Kan.). “Even if it was just a potential problem, if it’s a national security issue, we should have been fixing it yesterday, not tomorrow.”
“There are so many aspects of this issue that are so disturbing that I can’t get my hands around it,” said Rep. Barry Loudermilk (R-Ga.). “This happened in the previous administration. Hopefully we’re cleaning up some of the looseness we’ve had in the intelligence community.”
Democrats are pushing the Trump administration to move more quickly on the issue.
Sen. Claire McCaskill (D-Mo.) wrote to DHS on Tuesday asking why its officials only directed agencies to stop using Kaspersky in September, when top intelligence officials had expressed public concerns about the company’s products during a Senate Intelligence Committee hearing in May.
House Science, Space and Technology Committee members are planning multiple hearings on the Russia-based cyber firm. Wednesday’s hearing, which was rescheduled from September, was supposed to feature testimony from Eugene Kaspersky, the company’s CEO, but the committee decided against inviting him when the date was moved.
LaHood signaled that the committee could call witnesses from the Department of Homeland Security and the NSA to testify at a future hearing, but would not say definitively whether Kaspersky would be invited.
“I think we’ve just touched the surface in terms of where this could go,” LaHood told The Hill. “I think there is still a lot of information we need to learn to help make sure that in our oversight role, that we are doing everything we can to protect government entities as it relates to intelligence and security.”