The top Democrat on the Senate homeland security committee wants to know how the elimination from government computers of a popular anti-virus software, whose maker has suspected ties to Russian intelligence, is being handled.
Sen. Claire McCaskill, D-Mo., the ranking Democrat on the Homeland Security and Governmental Affairs Committee, sought answers to nearly a dozen questions about the removal of products manufactured by Kaspersky Lab, a Russian company, in a letter Tuesday to Acting Homeland Security Secretary Elaine Duke.
Duke last month ordered all federal executive branch departments and agencies to remove Kaspersky software from their systems by mid-December.
Among other questions, McCaskill wants to know why the Department of Homeland Security waited so long. Several top national security officials warned the Senate Intelligence Committee last spring about the use of Kaspersky products.
McCaskill also asked Duke whether her department knows the full extent of Kaspersky use throughout the federal government; how it is ensuring that agencies are complying with her order; and what it is doing to make sure local and state governments that work with the federal government, as well as private businesses and government contractors, are aware of the concerns about Kaspersky software.
“Kaspersky products present a clear security threat to the U.S.,” McCaskill wrote.
Scott McConnell, a spokesman for the Homeland Security Department, declined to comment about the letter. The department has also declined to state how many federal agencies use Kaspersky products.
Spokesmen for several agencies that do use Kaspersky, including the National Institutes of Health and the Consumer Products Safety Commission, would only say that they are following the directives from the Homeland Security Department.
Though the Defense Department is not included under Duke’s order, a Pentagon spokesman told Nextgov that it was scrutinizing its software to ensure that Kaspersky was not employed in any military systems.
Concerns over the federal use of Kaspersky software have been growing and have reached a crescendo in recent months as the ongoing probes by Congress and Special Counsel Robert Mueller continue to dig into the role Russia played in the 2016 presidential election, and whether it colluded with President Donald Trump’s campaign to help him win.
Several former national security and intelligence officials have long been suspicious of the company, which has 400 million users worldwide, given that its founder, Eugene Kaspersky, attended a school run by the KGB, the former Soviet spy agency, now succeeded by the Russian FSB. The company has repeatedly denied having any connections to Russian spy services.
McClatchy reported in July that documents appear to show a link between the company and the FSB. Given that Kaspersky software, which scans computer data to eliminate viruses, provides access to computers embedded with the software, there’s a nagging concern that Russian security services would gain access as well.
“If people aren’t concerned, they should be,” said Michael Sulmeyer, former director of Plans and Operations for Cyber Policy for the secretary of Defense.
Sulmeyer is currently director of the Belfer Center Cyber Security Project at Harvard University’s Kennedy School. He and other cyber experts said removing Kaspersky might not be that simple. Just hitting “un-install” might not be enough.
“The more realistic scenario is that there will be a lot of manual work to determine where Kaspersky actually exists and the impact of removing those impacts would be,” said Trevor Rudolph, former chief of the Cyber and National Security Unit at the Office of Management and Budget. “For instance, if Kaspersky is the sole anti-malware on a particular device, if you were just to remove it, you would leave the device vulnerable,” unless you were going to immediately replace it with another software product, he said.
Paul Rosenzweig, a cyber expert and former assistant Homeland Security secretary for policy, quipped, “Changing anti-virus software is like changing your underwear.” But he also said that sophisticated cyber enterprises are complex and individualized systems.
“Any good anti-virus software…is tailored to the system it’s protecting,” Rosenzweig said. “The programming is deeply integrated and figuring out how to remove, and more importantly, replace is not a trivial exercise.”
Concerns over Kaspersky heightened recently when the Wall Street Journal reported that in 2015, the personal computer of a National Security Agency contractor who used the Russian software was compromised by Russian hackers. Eugene Kaspersky denied that his company was involved.
In addition, The New York Times reported earlier this month that Israel alerted U.S. authorities two years ago that Russian hackers had breached computers around the world in a hunt for the code names of American intelligence efforts, and used Kaspersky software to gain access.
In an attempt to overcome the mistrust, Kaspersky this week said it would open up the source code of its software for review by computer security experts and government officials.
Sen. Jeanne Shaheen, D-N.H., whose measure to ban the use of Kaspersky software across the federal government passed the Senate last month, said agencies should leave “no proverbial stone unturned” in identifying and eliminating the Russian software.
“At the end of this process, there should be confidence that Kaspersky has been completely removed,” she said.