-- The Senate is looking to mandate a full, government-wide ban on the use of all products made by one of the world's most respected cybersecurity firms, Moscow-based Kaspersky Lab, according to congressional sources.
The move would be the U.S. government's most drastic response yet to growing concerns that Kremlin-backed hackers could try to exploit the firm’s anti-virus software to steal and manipulate users’ files, read private emails or attack critical infrastructure in the U.S.
The proposed ban, which Senate aides say is expected to pass as an amendment to a defense policy bill widely considered to be must-pass legislation, defines the prohibition in specific terms, stating, “No department, agency, organization, or other element of the United States Government may use, whether directly or through work with or on behalf of another organization or element of the United States Government, any hardware, software, or services developed or produced, in whole or in part by Kaspersky Lab.”
This action comes amid growing scrutiny of the Russia-based company, which U.S. officials worry has ties to Russian intelligence and military agencies. The U.S. government, however, has not publicly offered any information to support that case, and the company has strenuously denied the accusation.
Still, the amendment’s sponsor, Sen. Jeanne Shaheen, D-N.H., tells ABC News, “The strong ties between Kaspersky Lab and the Kremlin are very alarming and well-documented. While much of this information is classified, there is ample publicly available information to justify Congress passing my amendment to ban the use of Kaspersky across the federal government.”
The senator, a senior member of the Armed Services Committee, added, “Using Kaspersky software on federal computers is a national security vulnerability and invites further Russian cyber intrusion.”
Nearly a decade ago, the FBI launched a counterintelligence investigation looking into the nature of Kaspersky Lab’s relationship to the Russian government, and last year FBI officials communicated potential concerns about Kaspersky Lab to a select group of private-sector leaders, ABC News reported in May.
In February, the Department of Homeland Security issued a secret report on the matter to other government agencies, ABC News was told.
The concerns came to light the following month in a public hearing, as all five heads of the U.S. intelligence community declared that they would not use Kaspersky antivirus technology, with Adm. Mike Rogers, director of the National Security Agency, telling the Senate Intelligence Committee he was “personally aware and involved” in “national security issues” associated with Kaspersky Lab.
In late June, FBI agents interviewed several employees of the firm as part of its investigation, a source familiar with the matter told ABC News.
One cybersecurity expert, Nicholas Weaver, described the concern in a Lawfare blog post, saying, “Antivirus software ... generally runs with elevated privileges, effectively ‘God mode.’ This means that if an attacker is able to take control of antivirus software, they gain control over the victim’s computer.”
Kaspersky Lab has repeatedly insisted it poses no threat to U.S. customers and would never be -- or allow itself to become -- a tool of the Russian government.
"As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” the firm said in a statement to ABC News. "The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations."
Products from Kaspersky Lab are widely used in homes and businesses throughout the U.S. But ABC News found, largely through outside vendors, that Kaspersky Lab software has also been procured by such federal agencies as the U.S. Bureau of Prisons, the Consumer Product Safety Commission and even some segments of the Defense Department.
The company has been removed from two General Services Administration’s lists of approved technology vendors, a move aimed at severely limiting the ability of Kaspersky Lab to sell its products to the federal government. A Shaheen spokesman called the GSA move “an important development” but said, “It doesn’t get at current software usage, subcontracts etc.” The senator’s amendment “is about purging Kaspersky from federal government usage which delisting doesn’t begin to do,” the spokesman added.
Debate on the defense policy bill, to which the Kaspersky ban is expected to be attached, is scheduled to begin just after Labor Day as the Senate returns from a month-long recess, according to a senior Senate Republican leadership aide.
The House-passed version of the defense policy bill does not contain an explicit ban on Kaspersky Lab products. House members did, however, vote to prohibit the Defense Department from procuring or obtaining technologies used in “nuclear command, control, and communications systems” made by any “entity that the Secretary of Defense reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government” of the Russian Federation.
The final Senate-passed legislation would need House approval.