A top Department of Homeland Security cybersecurity official says she has seen no decisive proof that Kaspersky Lab's security software had been exploited to breach federal government information systems.
"We do not currently have evidence, conclusive evidence, that they have been breached," Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, told a House panel Tuesday. "I want to do a thorough review" before reaching a final conclusion.The House Science, Space and Technology Oversight Subcommittee held a hearing on whether federal agencies are complying with a Sept. 13 DHS directive that federal agencies determine whether they're using Kaspersky Lab security software, and if so, remove it from their computers (see Kaspersky Software Ordered Removed From US Gov't Computers).
Russia-based Kaspersky's founder and CEO, Eugene Kaspersky, had been trained by and has formerly worked for Russian intelligence. A DHS statement published with the issuance of the directive contends Russian spies could capitalize on access provided by Kaspersky products to compromise federal information and could threaten U.S. national security. Kaspersky denies his company has any current ties to Russian intelligence.
Genesis of Security Concern
The Kaspersky scrutiny was originally sparked by reports that the company's software plucked exploitation tools from the home computer of an NSA employee who for some reason took the agency's most sensitive tools home from work and copied them onto his home PC. His computer was allegedly targeted by Russian intelligence, which may have been monitoring Kaspersky Lab's malware-tracking pipeline or received a tipoff from the security firm, potentially via moles (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software).
Then the New York Times reported that Israeli intelligence discovered at least two years ago that Russia had its hooks in Kaspersky Lab's software and was using it as the equivalent of a search engine for classified data on U.S. intelligence programs (see Will Kaspersky Lab Survive Russia Hacking Scandal?)
Manfra said about 15 percent of agencies reported that Kaspersky security software had been found on their systems, although the applications were not installed on the vast majority of their computers. She said in many instances, these agencies did not directly acquire the software but it came bundled with other software in PCs they purchased and got installed when the computers were set up.
That was the case at NASA, which discovered a small number of machines - workstations and mobile devices - were running Kaspersky software. NASA CIO Reneé Wynn told the committee that the space agency also discovered Kaspersky software on computers of third-party international partners as well as users' bring-your-own devices that were not connected to NASA's internal network.
"Kaspersky Lab software is not part of the agency's enterprise-licensed, core-load anti-virus software," Wynn testified, adding that since 2010, NASA has contracted with Symantec for its anti-virus protection. "The existence of any alternative anti-virus software on agency hardware is considered to be a violation of agency IT standards and will be immediately removed or its usage blocked unless a specific waiver is on file based on a risk assessment performed."
Another witnesses, Essye Miller, the Defense Department's deputy chief CIO for cybersecurity, said DoD uses McAfee and Symantec anti-virus products. "Kaspersky is not part of the DoD solution," she testified.
Except for a half dozen small agencies, which don't have the resources and are receiving help from DHS, the remainder of 102 federal agencies have met the first deadline to identify and uninstall Kaspersky Labs software, Manfra said.
Democrats Seek Wider Inquiry
For the most part, Democratic members of the committee seemed less focused on whether agencies are complying with the directive and more interested in pursuing a broader investigation of Russian use of the internet and social media to cause political disruption in the United States.
"It seems that in holding a second oversight hearing on solely Kaspersky Lab products, we're missing the forest for the trees," said Rep. Don Beyer, D-Va., the subcommittee's ranking member. "Kaspersky products are not the biggest security risk we face from Russia. ... Instead of focusing just on Kaspersky Lab software, we should be examining how enemies of democracy are using communication technologies in new, precise and powerful ways to disrupt our democratic institutions and influence the American public."
The subcommittee held another hearing on Kaspersky Lab nearly three weeks ago (see Dearth of Support for Kaspersky at Congressional Hearing).