The U.S. Department of Homeland Security has directed that every government agency must remove any and all Kaspersky software from their systems within 90 days.
Elaine Duke, the acting secretary of homeland security, issued a Binding Operational Directive this week that calls on U.S. government agencies and departments to find any use of Kaspersky software on their systems within 30 days. Within 60 days, they must develop plans to remove that software. And within 90 days, they must execute those plans to remove Kaspersky software and discontinue its use in the future.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS wrote in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
This move by DHS is the latest in a series of actions taken by the U.S. government to vilify the Russia-based antivirus company and get its products away from government information systems. In July, the Trump administration removed Kaspersky Lab from the U.S. General Services Administration approved vendors list, rendering the company ineligible to get government contracts for products and services.
The software has also already been banned from the Department of Defense, and Sen. Jeanne Shaheen (D-N.H.) introduced an amendment to the National Defense Authorization Act this week that would ban Kaspersky software from any federal computer.
The intelligence community — particularly the FBI — has been investigating ties between Kaspersky Lab and the Russian government, but has yet to provide the public with any hard evidence of collusion or influence.
According to the statement from DHS on this latest move to remove and ban the software, this move is not reserved for the Russian company.
“Safeguarding federal government systems requires reducing potential vulnerabilities, protecting against cyber intrusions, and anticipating future threats,” the statement from DHS read. “While this action involves products of a Russian-owned and operated company, the Department will take appropriate action related to the products of any company that present a security risk based on DHS’s internal risk management and assessment process.”
DHS also said it would be open to Kaspersky Lab submitting a written response addressing the concerns the U.S. government has raised. Kaspersky Lab co-founder and CEO Eugene Kaspersky has previously offered to let the U.S. government see the source code of his products on multiple occasions, and he accepted an offer to testify before the House of Representatives in defense of his company.
The concerns about Kaspersky software have not been limited to the government, as retail chain Best Buy announced it is pulling Kaspersky products from its shelves, as well.
In other news:
- The commonwealth of Virginia’s board of elections voted to replace any and all touchscreen voting machines before the upcoming November elections. The voting machines, known as direct recording electronic (DRE) machines, will no longer be used in Virginia’s elections, and the commonwealth is determined to make the change before its gubernatorial election this year. This move comes shortly after a demonstration at the DefCon conference in July proved the extreme vulnerability of electronic voting systems. “This recommendation is being made for multiple reasons,” the board of elections wrote in a memo, “including the current security environment surrounding election administration, recently released public reports with confidential information related to unauthorized access to DREs at DefCon’s ‘Voting Machine Hacking Village,’ the fact that no DREs in use in Virginia have a voter-verifiable paper audit trail (VVPAT), and the initial security assessment review of various DRE equipment conducted by the Virginia Information Technology Agency (VITA).” Approximately 22 localities in the commonwealth still use DREs and will need to switch to new systems, though the specific voting machines that will replace them were not noted.
- A WordPress plug-in was updated with malicious code, affecting around 200,000 sites. Wordfence, WordPress’s plug-in security group, reported this week that the plug-in called Display Widgets was sold by its original author to a third-party in May 2017 for $15,000. The third-party purchaser then released an updated version of the plug-in a month later that showed malicious behavior. Since then, more updates of the plug-in have been released with more malicious behavior. According to Wordfence, the last three versions of Display Widgets have contained code that allows the plug-in owner to publish any content to the WordPress site, essentially creating a backdoor. “The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin,” Wordfence explained. “During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to WordPress repository.” Wordfence suggested anyone with Display Widget installed should remove it immediately.