The US government’s effort to ban Kaspersky Lab, the Russian security software protecting its networks from malicious viruses, seems to have hit a major snag.
Officials speaking to the Daily Beast said that the legislation signed into law by President Trump last December banning Kaspersky Lab from government computers may actually be impossible to implement, with the company’s code said to be buried too deep in government computer infrastructure.
“It’s messy, and it’s going to take way longer than a year,” one flustered official said. “Congress didn’t give anyone money to replace these devices, and the budget had no wiggle-room to begin with.”
Another official with direct knowledge on the ban’s implementation said that US government’s jurisdiction over cybersecurity is a tangled mess, making the process of purging the Russian software a nightmare.
“There are so many subcommittees claiming jurisdiction over cybersecurity issues that there are different panels of oversight, different pots of money,” the official said. “The executive branch is being torn in different directions. … The legislative branch, in their refusal to effectively organize on this issue, shares equal responsibility with the executive for failures in US government cybersecurity,” the source added.
The National Defense Authorization Act, enacted in December, requires all US government organizations to remove Kaspersky software by October 1, 2018. The ban came amid (thus far unsubstantiated and unproven) fears that the software can be used by Russian intelligence services. The task has been left to the Department of Homeland Security (DHS).
However, according to the Daily Beast’s sources, even a full-scale purge including hardware could not fully ensure the presence of Kaspersky code. Complicating the matter is the use of the Russian software company’s code in third-party products, including Amazon, Microsoft, as well as hardware firms D-Link, Check Point, Allied Telesis, Broadcom and others. While the security applications themselves can be uninstalled relatively easily, the code used in such third party software and hardware is harder, if not impossible to remove.
Two congressional sources said they aren’t even certain whether the DHS even has a list of software and hardware with Kaspersky code embedded. The DHS itself declined to comment.
Interestingly, the Daily Beast’s article features the Russian word for “sh**” in red above the headline. It’s not immediately clear what the word was meant to signify in this context.
Screengrab of the Daily Beast story, featuring the odd swear word for a tag.
The odd inclusion of the swear word prompted at least one inquisitive reporter to ask why the Daily Beast felt the need to include it.
Kaspersky Lab is one of largest privately owned companies in the world, with a portfolio including 400 million users and 270,000 corporate clients. The Moscow-based company has vehemently denied claims made by US officials about its alleged cooperation with Russian security services and promised to share its code with security specialists searching for vulnerabilities that could be used by intelligence services, Russian or otherwise. In January, the US Treasury included company CEO Eugene Kaspersky in its so-called “Kremlin Report,” consisting of Russian officials and businessmen who may be targeted by sanctions.