The Trump administration on Wednesday told U.S. government agencies to remove Kaspersky Lab products from their information systems, saying it was concerned the Moscow-based cyber security firm was vulnerable to Kremlin influence. The Department of Homeland Security issued a directive to agencies ordering them to identify Kaspersky products on their information systems within 30 days, develop plans to remove and discontinue the products within 60 days, and begin discontinuing their use within 90 days.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement.
Kaspersky did not immediately respond to a request for comment. The company has repeatedly denied that it has ties to any government and said it would not help a government with cyber espionage. It said there is no evidence for accusations by U.S. officials and lawmakers that its antivirus software may be used to provide espionage services to the Kremlin.
The decision by the Trump administration came as the U.S. Senate was planning to vote as soon as this week on a defense policy spending bill that includes language that would ban Kaspersky Lab products from being used by U.S. government agencies. Rob Joyce, the White House cyber security coordinator, said Wednesday at the Billington CyberSecurity Summit that the Trump administration made a “risk-based decision” to order Kaspersky Lab’s products removed from federal agencies. Asked by Reuters whether there was a smoking gun showing Kaspersky had provided intelligence to the Russian government, Joyce replied: “As we evaluated the technology, we decided it was a risk we couldn’t accept.”
The direct financial impact of the decision will likely by minimal for Kaspersky Lab, one of the world’s leading anti-virus software companies that was founded in 1997 and now counts over 400 million global customers. Federal contracting databases reviewed by Reuters show only a few hundred thousand dollars in purchases from Kaspersky, and an employee told Reuters in July the company’s federal government revenue was “miniscule.” But Kaspersky also sells to federal contractors and third-party software companies that incorporate its technology in their products, so its technology may be more widely used in government than it appears from the contracting databases, U.S. officials say.