DHS finds Kaspersky software at 15 percent of agencies

A DHS official told Congress that 96 out of 102 federal agencies have complied with a directive aimed at banning Kaspersky Lab products, and that 15 percent reported that the vendor's software had been found on their networks.

Jeanette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, gave the public the clearest picture to date of how federal agencies are responding to a September 2017 directive to identify and remove products made by Russian cybersecurity firm Kaspersky Lab.

In testimony at a House Science, Space and Technology hearing Nov. 14, Manfra indicated that in most cases Kaspersky Lab products were not specifically procured but instead came pre-installed on hardware that was purchased in bulk by government agencies.

"Often what we see is that [Kaspersky] software was bundled in other purchases. So, you buy a computer and the antivirus was installed…they weren't necessarily aware that they were explicitly purchasing [Kaspersky products]," said Manfra.

In previous instances, DHS officials have been vague around the specific number of agencies who have responded and how many reported finding the vendor's software on their networks.  The Sept. 13 directive gave agencies 30 days to scan their systems for Kaspesky software, 60 days to plan for its removal and 90 days to begin purging Kaspesky software from their networks.

The six remaining agencies who did not make the reporting deadline were described by Manfra as "very small agencies who just don't have the resources." She indicated that DHS is assisting them in complying with the directive. Manfra declined to name the agencies under questioning, insisting that they lacked the dedicated personnel and expertise to fulfill the request and that outing them would not be "helpful."

She added that naming them also could signal current potential cyber vulnerabilities to malicious actors.

Much of what is publicly known about transgressions purportedly committed by Kaspersky Lab come from press reports, specifically an Oct. 5 Wall Street Journal story that reported a 2015 theft of NSA hacking tools and strategies by hackers utilizing Kaspersky antivirus software.

The federal government has yet to publicly confirm or deny the veracity of those reports.

However, when pressed by Rep. Lamar Smith (R-Texas) on whether she knew of any national security breaches related to Kaspersky Lab products, Manfra gave a series of conflicting answers.

At first, she declined to comment, but Smith insisted that he was not asking about specific incidents or to reveal classified information, simply whether the company's products have led to national security breaches. Manfra eventually said DHS does "not currently have conclusive evidence that networks have been breached." When asked whether the NSA contractor breach reported by the Wall Street Journal counted as a breach, she admitted she was "aware" of the story and repeatedly referred lawmakers to the NSA for further detail.

During her opening statement and in exchanges with legislators, Manfra also floated the possibility that Kaspersky Lab may be considering legal action against the government in response to the ban. The DHS directive gave the vendor, which has substantial business in the United States and international markets, an opportunity to provide a written response to address or mitigate the government's concerns.

Manfra told lawmakers that decision was reached after "extensive review" of the process by DHS legal counsel. She also confirmed that the department received a "substantial" response from Kaspersky Lab on Nov. 10 and is currently reviewing it.

"I don't fear any action from [Kaspersky Lab], but they could potentially take action and I want to ensure that we are in a position to address any concerns that a judge may have," Manfra said in response to questioning.

Kaspersky Lab founder Eugene Kaspersky has long denied any wrongdoing and has offered to testify in front of Congress and open up the company's source code for the government to review. The firm has conducted its own investigation into the 2014 NSA contractor breach that is believed to be the origin of U.S. government concerns about Kaspersky software and launched a transparency initiative designed to help clear its name.

A spokesperson for Kaspersky Lab confirmed that the company submitted a written response to DHS and did not rule out the possibility of legal action down the road.

"Kaspersky Lab appreciates the opportunity to participate in the administrative process and address concerns expressed by [DHS]," a company spokesperson said. "The company hopes that DHS will reconsider the repercussions of its Directive in light of the facts presented, and Kaspersky Lab continues to consider all of its possible options."