Lawmakers seek answers on agencies' use of Kaspersky tech

A key House panel wants federal agencies turn over any records related to the use of an anti-virus software program supplied by Russian cybersecurity firm Kaspersky Lab.

The software was recently removed from federal acquisition vehicles operated by the General Services Administration and NASA.

Rep. Lamar Smith (R-Texas), chairman of the House Science, Space and Technology Committee, sent a letter to 23 cabinet agencies and departments on July 27, following media reports and comments from law enforcement and intelligence officials questioning whether Kaspersky Lab presents a security risk due to its alleged close relationship to the Russian government.

"Given the increasing prevalence of cybersecurity threats across the nation, the federal government's use of cybersecurity products manufactured by a firm with potential ties to the Russian government is concerning to Congress," Smith wrote.

The committee is asking agencies for any documents related to their use of Kaspersky Lab products, including the purchase, evaluation, implementation and any associated hardware that may have used the vendor's software. Because most anti-virus software operates at the system level and is typically not monitored by other security systems, lawmakers are concerned that a compromised anti-virus system could build or embed backdoors into government IT systems while avoiding detection.

The letter continues: "The Committee is concerned that Kaspersky Lab is susceptible to manipulation by the Russian government, and that its products could be used as a tool for espionage, sabotage or other nefarious activities against the United States."

To date, the government has yet to publicly offer up any concrete evidence that Kaspersky Lab products are compromised or working with Russian intelligence agencies to undermine U.S. system, but during an open Senate Intelligence Committee hearing in May, several U.S. intelligence officials raised concern about using the company’s software. Until recently, Kaspersky Lab was listed as a preapproved vendor on the GSA's Schedule 70 contract and available to most government agencies. However, the firm was removed from the list earlier this month following a review by the White House, the GSA and intelligence agencies.

On July 11, Bloomberg BusinessWeek published a story claiming that internal email communications between CEO Eugene Kaspersky and his staff reveal that the company “has maintained a much closer working relationship with Russia’s main intelligence agency … than it has publicly admitted."

In response, the company has vigorously disputed the allegations in Bloomberg's reporting, blaming hysteria related to the current investigation into whether Russia hacked the Democratic National Committee’s email system in an attempt to influence the 2016 election. The company published a press release the same day listing nine "inaccurate statements" in the article, including the email chain that purports to show a close and potential inappropriate relationship with the FSB.

"Actually, the reported emails show no such link, as the communication was misinterpreted or manipulated to try to make the media outlet’s narrative work," the release stated. "Kaspersky Lab is very public about the fact that it assists law enforcement agencies around the world with fighting cyber threats, including those in Russia, by providing cybersecurity expertise on malware and cyberattacks."

Kaspersky stated on Twitter that the story is "BS brewed on [a] political agenda," and is worried that the allegations could harm the company’s U.S. business sales.

"As far as the publicly available facts are concerned, it’s still difficult to determine if Kaspersky is a bad actor or an innocent bystander in a broader geopolitical squabble," said Trevor Rudolph, a former White House cybersecurity official under the Obama administration, in an email to FCW. "I don't think there’s any doubting that the reputational damage to Kaspersky could be severe."