Yesterday, U.S. President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.
The National Defense Authorization Act for FY2018 (H.R. 2810) is focused on Department of Defense and Department of Energy programs. It authorizes recruitment and retention bonuses for the Armed Forces and makes changes to national security and foreign affairs programs.
Section 1634 of the bill prohibits the use of Kaspersky Lab products and services. The prohibition will go into effect on October 1, next year.
“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill states.
The campaign against Kaspersky was spearheaded by Senator Jeanne Shaheen, who said, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.”
A while ago, Sen. Shaheen sent a letter to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”
In September, the U.S. Department of Homeland Security (DHS) ordered federal agencies to stop using Kaspersky products, and yesterday the bill reinforced that order. Nevertheless, the government has not provided any evidence of wrongdoing, and the statements of Sen. Shaheen turn out to be based mostly on media reports citing anonymous officials.
A recent media report involving Kaspersky stated that Russian spies exploited the company’s products to steal sensitive files from an NSA contractor’s computer. The contractor has been charged and Kaspersky Lab has shared its version of the story.
At the same time, the UK’s National Cyber Security Centre (NCSC) has also issued a warning regarding the use of Kaspersky products by government agencies. Although the ban is less explicit than the U.S. one, a similar effect is expected.
Kaspersky Lab has denied the accusations many times and announced the launch of a transparency initiative which involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the company’s products.