Kaspersky axed from governmentwide contracts

Russian cybersecurity vendor Kaspersky Lab has been taken off key government contract vehicles NASA SEWP and GSA Schedule 70 as part of an overall move to address possible risks posed by the firm.


Cybersecurity software from Russian vendor Kaspersky Lab is no longer available to federal agencies via the largest civilian acquisition contract vehicles, after a review by the White House, the General Services Administration and intelligence agencies.

NASA's Solutions for Enterprise-Wide Procurement contract vehicle and GSA's Schedule 70 have dropped Kaspersky from their list of preapproved vendors out of a concern that the company could become a vector for Russia to attack federal networks.

"GSA's priorities are to ensure the integrity and security of U.S. government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes," a GSA spokesperson told FCW in an emailed statement.

Joanne Woytek, NASA SEWP program manager, said, "NASA has collaborated and coordinated with [the Office of Management and Budget], GSA and other government agencies on removal of Kaspersky Lab products from the SEWP contracts."

The move comes after a review that included intelligence chiefs. Adm. Mike Rogers, director of the National Security Agency and Cyber Command leader, told a Senate committee in May that he was "personally involved" in the Kaspersky review. Under questioning, the heads of five intelligence agencies including the CIA said they would not be comfortable using Kaspersky products on their networks.

The ban also applies to Schedule 67, GSA's photographic equipment and related supplies and services vehicle.

The Senate version of the 2018 defense bill currently under consideration includes a blanket ban on the use of Kaspersky products.

Kaspersky Lab denies that it represents any kind of threat or has any connection to the Russian government.

"Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts. The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy development of technologies, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations," the company said in a statement supplied to FCW.

The company noted that it has offered to provide its source code for an audit and make its CEO available for congressional testimony and meetings with government officials.

According to a July 11 Bloomberg Businessweek article citing internal company emails, Kaspersky has designed cybersecurity software to deflect distributed denial-of-service attacks and also deliver to Russian law enforcement the location of possible hackers. The report also alleges that Kaspersky supplies personnel to accompany Russian intelligence and police on raids and arrests. In a press release disputing some of the allegations in the article, Kaspersky noted that employees "might ride along to examine any digital evidence found, but that is the extent of our participation" in Russian police activity.

Kaspersky has a fairly limited profile in the federal space as a contractor. Its products are in use or have been used at the Bureau of Prisons, the Consumer Product Safety Commission and the Comptroller of the Currency at Treasury, but overall spending on the company's products by the federal government is far below $1 million, according to contracting data. The company's products do not appear on GSA's Continuous Diagnostics and Mitigation vehicle, a set of tools and services from vendors vetted by the Department of Homeland Security to provide cybersecurity services to federal agencies.

On the other hand, Kaspersky antivirus solutions are integrated in a range of routers, chip and software products from such household names as Cisco, Juniper, D-Link, Broadcom, Amazon and Microsoft.

"I don't always know what's in the box," one federal information security official told FCW. "The embedded technologies [are] what we have to figure out -- is it or is it not a problem," the official said.

Bloomberg Businessweek reported that $374 million of Kaspersky's $633 million in sales in 2016 were from the U.S. and western Europe, and concerns that the firm has links to Russian intelligence could certainly dent Kaspersky's reputation.

Kremlin spokesperson Dmitry Peskov told reporters on a conference call that the move to block Kaspersky was political, according to a Reuters report.

"This is an absolutely commercial company which provides commercial services which are not only competitive but are super-competitive globally," Peskov said.

This isn't the first time lawmakers and policymakers have gone after foreign IT out of supply chain concerns. Chinese hardware and telecom vendors were the target of an effort in 2013 that resulted in restrictions on certain agencies acquiring tech from firms with strong ties to the Chinese government and military. While some restrictions were loosened, they remain on the books today.