Kaspersky Lab software fully removed from federal systems while contractors pursue purge

The federal government has purged its computers of Kaspersky Lab products, a Democratic senator revealed Tuesday, but contractors and other third-party providers are still ridding their systems of the Russian company’s software and services, the head of the Department of Homeland Security added.

Officials offered the update on the government’s Kaspersky ban near the end of a hearing on Capitol Hill held between members of the Senate Appropriations Committee’s Homeland Security panel and DHS Secretary Kirstjen Nielsen.

“I was pleased to hear recently that all federal agencies were able to comply with DHS’s directive to remove Kaspersky Lab products from their systems,” said Sen. Jeanne Shaheen, New Hampshire Democrat.

While agencies have adhered to a DHS directive ordering them to detect and delete the Moscow-based anti-virus company’s software and services, however, Ms. Nielsen said that federal contractors are still in the process of probing their systems for any potential products to purge.

“Generally what we’re doing is we’re looking at it from a supply-chain perspective, so it’s very important for us to understand not only who our contractors are contracting with, but when they provide a service or software, what’s embedded there within,” Ms. Nielsen said.

“Unfortunately, for many of the third-party providers, they weren’t even aware that they had Kaspersky on their systems and within their products,” she continued.

Efforts currently underway to completely remove Kaspersky products are “pretty advanced,” Ms. Nielsen added, and DHS is working “to determine how to be more forward pushing in consequences” with regards to contractors that don’t comply.

“It has to be that we can pause and turn off contracts the moment we have a concern — if someone’s been hacked, if someone is vulnerable, or someone is using software that we know will put us at risk,” she said. “We are doing a full review and working within the authorities we have to find out ways to do that.”

Issued last September, the DHS Binding Operational Directive 17-01 ordered federal departments and agencies to identify and begin eradicating any Kaspersky Lab products on their information systems within 90 days, “based on the information security risks presented by the use of Kaspersky products.”

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS explained at the time. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

A federal defense spending bill signed by President Trump in December, meanwhile, extended the Kaspersky ban to cover government contractors and other third-party providers.

Kaspersky has denied accusations involving its alleged ties to Russian intelligence, and the company has sued the federal government in D.C. federal court over both the DHS directive and defense bill provision.