June 18, 2019

June 17, 2019

Subscribe to Latest Legal News and Analysis

U.S. Government Restricts the Use of Kaspersky Cybersecurity Software

Key Takeaways:

  • U.S. government departments and agencies have 90 days to remove or discontinue the use of any software products developed by Kaspersky Labs because of concerns about its connections to the Russian government.

  • The Department of Homeland Security’s Binding Operational Directive applies to any government contractors who provide services involving federal information systems.

  • Organizations – especially those that provide any services involving federal information systems – should take immediate steps to examine whether they, or their vendors, use Kaspersky products and services.

On September 13, 2017, the U.S. government banned the use of cybersecurity software products developed by Kaspersky Labs, Inc. from all federal information systems due to its potential espionage ties to Russian intelligence services. Acting Secretary of the Department of Homeland Security (DHS) Elaine Duke issued Binding Operational Directive (BOD) 17-01 requesting that all federal civilian departments and agencies take steps to remove and discontinue the use of any Kaspersky products or services.

Under the BOD, departments and agencies have: (i) 30 days to identify the presence or any uses of Kaspersky products or services on their information systems; (ii) 60 days to develop a plan to remove and discontinue the use of the products and services; and (iii) 90 days to implement the departmental/agency plans to discontinue use and remove the products or services.

Kaspersky Labs, Inc. is a Moscow-based software company specializing in cybersecurity products and services, best known for its popular antivirus software. It was founded in 1997 by Eugene Kaspersky, a former KGB-trained Russian intelligence officer. Kaspersky Labs has more than 400 million users and 270,000 corporate clients, most of which are outside of Russia.

In its press release, DHS expressed concerns “about ties between certain Kaspersky officials and Russian intelligence and other government agencies.” DHS cited additional national security concerns that Russian law may require Kaspersky to cooperate with Kremlin espionage activities, fearing that “the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems.”

The BOD was issued ahead of a Senate vote last week to ban Kaspersky products across the government and amidst the investigation into Russian meddling in the 2016 election. Separately, the U.S. Government Services Administration removed Kaspersky Labs from its list of approved vendors in July 2017. Kaspersky software – through outside vendors – has been used in at least six federal departments and agencies, including the Bureau of Prisons, the Consumer Protection Safety Commission, and even previously in segments of the Defense Department.

DHS states that it will allow Kaspersky Labs, along with “any other entity that claims its commercial interests will be directly impacted,” to submit a written argument along with any evidence or data that could offset the U.S. government’s concerns. Kaspersky Labs has issued its own statement saying that it plans to provide information to refute DHS’ suspicions of any inappropriate ties.

Following the BOD issuance, several major U.S. retailers have also decided to pull Kaspersky products and services from their shelves and websites. We urge organizations, especially those that provide the U.S. government with any services involving federal information systems, to take immediate steps to examine whether they, or their vendors, use Kaspersky products and services. In addition, for those organizations outside the scope of the BOD, it would be advisable to conduct system reviews to confirm the presence (or absence) of any Kaspersky software (on their systems or those of their vendors) to enable appropriate responsive actions as events on this front continue to develop.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Kenneth Dort, Drinker Biddle Law Firm, Intellectual Property and Data Security Attorney, Chicago

Kenneth K. Dort counsels clients on information technology and intellectual property law issues—specifically, software development and licensing, systems development and integration, data security and privacy, trade secret protection and patent/copyright/trademark licensing and protection. He is chair of the firm’s Technology Committee.

Ken is CIPP/US, CIPP/E and CIPP/C certified and advises clients throughout the United States, the European Union and Canada on their data security and privacy practices and compliance needs...

Anand Raj Shah, Drinker Biddle Law Firm, Cybersecurity Attorney

Anand Raj Shah counsels clients on issues relating to cybersecurity, information governance, privacy, eDiscovery and data analytics. He assists clients in proactively evaluating and managing risks associated with their information practices, particularly during breach response or cybercrime investigations. Anand advises clients on a wide range of federal laws and regulations, including CFAA, ECPA, HIPAA, GLB, FISMA, CAN-SPAM, VPPA, COPPA, FCRA, and CISA, along with international and state data protection and breach notification laws. He guides clients on the implementation of information sharing practices, such as the DHS’s Automated Indicator Sharing initiative, and industry standards, such as the NIST Cybersecurity Framework. Anand assists in crafting incident response plans, vulnerability assessment tools, information security agreements, corporate policies, and product design reviews that are tailored to meet the needs of companies and boards seeking to safeguard their data.