WASHINGTON — The Department of Homeland Security has ordered federal agencies to stop using software made by Kaspersky Lab over concerns about the company’s ties to Russian intelligence, DHS announced Wednesday.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS said in a statement.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” it said.
The move came after mounting concerns about Kaspersky, which is the subject of an ongoing FBI counterintelligence investigation. FBI agents in June paid visits to at least a dozen employees at home, asking questions about that company’s operations as part of the inquiry, multiple sources familiar with the matter told NBC News.
Best Buy announced last week it would stop selling Kaspersky products over concerns about the company’s Russian government ties.
The company’s cybersecurity software is widely used in the United States, and its billionaire owner, Eugene Kaspersky, has close ties to some Russian intelligence figures, according to U.S. officials. He graduated in 1987 from the Soviet KGB-backed Institute of Cryptography, Telecommunications and Computer Science.
Kaspersky Lab paid former national security adviser Michael Flynn $11,250 in 2015 for cybersecurity consulting, according to public documents, but that was not a focus of the FBI questioning, multiple sources said.
A former senior official at the company told NBC News that the company’s U.S. federal government business is small, but the reputational damage from a federal ban would be huge. He said American employees had been leaving the company at a rapid pace in recent weeks.
It will take some time to stop the government from using Kaspersky products. The binding directive issued by Acting Secretary of Homeland Security Elaine Duke ordered federal departments to identify any use or presence of Kaspersky products on their information systems in the next 30 days and to implement plans to remove them within 90 days, DHS said.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” the statement added.
DHS added that it is providing an opportunity for Kaspersky to submit a written response addressing the department’s concerns or to mitigate those concerns.
Kaspersky Lab said in a statement that it doesn’t have inappropriate ties with any government, and is disappointed with the DHS decision.
“No credible evidence has been presented publicly by anyone or any organization,” the company said, adding that the DHS accusations “are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.”
The company added, “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.”
A DHS official told NBC News that DHS itself does not use Kaspersky software.