Acting Secretary of the Department of Homeland Security (DHS) Elaine Duke has issued a Binding Operational Directive (BOD 17-01) directing federal executive branch departments and agencies to take actions related to the use or presence of information security products, solutions and services supplied directly or indirectly by AO Kaspersky Lab or related entities. The directive requires all federal departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days; to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days; and at 90 days from September 13, 2017, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems.
This directive is the result of an interagency review and analysis pertaining to potential information security risks presented by using this Russian entity’s products due to connections between Kaspersky Lab officials and Russian intelligence agencies. Under Russian law, Russian intelligence agencies are allowed to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. DHS determined that “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” DHS has indicated that Kaspersky Lab will be provided the opportunity to submit a written response addressing the department’s concerns or to mitigate those concerns.
This directive comes just months after the General Services Administration removed the company from its list of approved vendors and after high-profile news reports concerning potential Russian interference in the 2016 U.S. presidential election. In addition to any national security implications, trade analysts also see this decision as another form of sanctioning Russia. The U.S. government’s banning of Kaspersky products from its departments and agencies has the potential to significantly undermine Kaspersky Lab’s market position in the United States and probably elsewhere.