Senator wants Kaspersky out of U.S. voting systems

A U.S. senator has linked two of the hottest tech policy stories around – efforts by U.S. agencies to blacklist cybersecurity vendor Kaspersky Lab and concerns about the vulnerability of voting systems used by cities and states.

Sen. Amy Klochubar (D-Minn.) who sits on a committee with authority over federal elections, is concerned that Kaspersky could be in a position to provide Russian intelligence agencies access to state and local election data, by virtue of connections to computers involved in managing election activities.

"Given recent revelations regarding how Russia used Kaspersky software to breach our systems, it is important to prioritize state critical infrastructure systems in conjunction with efforts currently underway at the federal level," Klochubar wrote in an Oct. 12 letter to Acting Homeland Security Secretary Elaine Duke.

"The potential threat posed to our election infrastructure by the use of Kaspersky software appears to be significant and it is essential to ensure that future elections are safeguarded from foreign interference," Klochubar wrote.

The letter comes in the wake of the Oct. 10 release of a report from security group DEF CON warning of supply chain uncertainties that could render voting machines susceptible to hacking at scale. The report also details the ease with which hackers at a Las Vegas event this summer were able to crack into machines to which they had physical access.

In early September, the state of Virginia took the step of decertifying electronic-only voting equipment used in 22 localities in the wake of a security assessment by the Virginia Information Technology Agency.

Kaspersky Lab has been in the sights of U.S. policy makers in recent weeks. In July, Kaspersky was cut from a pair of prominent governmentwide acquisition vehicles and in September, federal agencies were ordered to stop using Kaspersky products entirely.

In her letter, Klochubar called the DHS move to ban Kaspersky products "an important first step towards addressing the potential vulnerabilities our networks face," adding, "we must also ensure that state and local government officials are aware of these threats and have the guidance and resources needed to remove Kaspersky software from their networks. This is especially necessary where officials maintain cyber networks related to critical infrastructure, like our election systems."

Klochubar's inquiry comes amid press reports that link Kaspersky Lab to a breach of a National Security Agency employee's home computer that intelligence officials said resulted in Russian hackers obtaining classified documents.

In a blog post, company founder Eugene Kaspersky suggested that the classified NSA documents may have included exploits that presented as malware to Kaspersky's anti-virus software.

It's not clear what connections Kaspersky Lab has to electronic voting machine systems, but the software is in frequent use in the background of state and local computer systems, and such systems main contain voter registration data and other election data. The company also has expressed an interest in supporting the development of secure online voting systems. In December 2016, the company awarded $18,000 to three teams of developers looking at solutions to the problem of identity verification and online voting.

"The challenges of cybersecurity mean the next generation of experts face a changing frontier – there will be plenty of things to work on and securing digital voting systems for national elections is just one example," Kaspersky said in a statement at the time.