For contractors late on Kaspersky cleanup, DHS considers consequences

Secretary of Homeland Security Kirstjen Nielsen told lawmakers during a Senate Appropriations committee hearing that the Department of Homeland Security is looking to extend a ban on Kaspersky Lab products to federal contractors and third-party providers and floated the possibility of punishment for noncompliant companies.

Nielsen was questioned by Sen. Jeanne Shaheen (D-N.H.), who has been one of the leading proponents of purging all traces of Kaspersky products from federal networks. Shaheen stated that DHS had recently confirmed that all federal agencies were in compliance with Binding Operational Directive 17-01, which instructed all agencies to put plans in place to identify and remove the company's software from their networks.

However, the directive did not state whether federal contractors were also covered under the BOD, and when the National Defense Authorization Act of 2018 codified the Kaspersky ban into law, lawmakers included language specifying that anyone doing business on behalf of the federal government also adhere to the directive.

Nielsen told Shaheen that the department was looking at the issue from a supply chain perspective and found that some companies had Kaspersky software on their systems without even knowing it.

"It's very important for us to understand not only who our contractors are contracting with but when they provide a service or software, what's embedded there within," said Nielsen. "So, we've done a lot of assessment and modeling to understand where it can be found. Unfortunately for many of the third-party providers, they weren't even aware they had Kaspersky on their systems and within their products."

Nielsen floated the possibility of imposing "consequences" for noncompliant contractors.

"It has to be that we can pause and turn off contracts the moment we have a concern. If someone's been hacked, if someone is vulnerable or someone is using software that we know will put us at risk," said Nielsen.

What form those consequences take and what authorities DHS would leverage to punish contractors is not clear. The Cybersecurity Act of 2015 gives the department the power to issue binding directives to federal agencies, but Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications, acknowledged in January that –at least when it comes to federal agencies – the department lacks the authority to meaningfully punish noncompliance.

"It says [BOD's are] binding. I'm not exactly sure what sort of enforcement mechanism I have in place to make it binding," said Manfra. "We don't have the authority to slap some fine on, and we're not going to kick some federal agency off the Internet," said Manfra.

Nielsen told lawmakers that DHS is currently reviewing what authorities it has to punish contractors who are found to be using Kaspersky. When asked by FCW after the hearing whether the Cybersecurity Act of 2015 gives the department the necessary authority, she responded: "We're looking at all of our options."

Nielsen also gave an update on a pair of cybersecurity programs, Continuous Diagnostics and Mitigation and EINSTEIN, that are designed to protect federal information networks. Lawmakers expressed concern that overall funding requests for cybersecurity priorities at the National Protection and Programs Directorate were "stagnant" this year despite an increased threat landscape. Nielsen explained that both programs required large upfront investments and now that they were up and running, the department was shifting to maintenance mode.

Following the hearing, she told FCW that the department wants to pivot the CDM program towards data governance but acknowledged that unfinished work remains to bring federal agencies into compliance.

"We want to get to data governance, data protection. So we're still evolving as we go, but we are still…making sure that all departments are using it the best that they can," she said.