Key Takeaways:

  • U.S. government departments and agencies have 90 days to remove or discontinue the use of any software products developed by Kaspersky Labs because of concerns about its connections to the Russian government.
  • The Department of Homeland Security’s Binding Operational Directive applies to any government contractors who provide services involving federal information systems.
  • Organizations – especially those that provide any services involving federal information systems – should take immediate steps to examine whether they, or their vendors, use Kaspersky products and services.

On September 13, 2017, the U.S. government banned the use of cybersecurity software products developed by Kaspersky Labs, Inc. from all federal information systems due to its potential espionage ties to Russian intelligence services. Acting Secretary of the Department of Homeland Security (DHS) Elaine Duke issued Binding Operational Directive (BOD) 17-01 requesting that all federal civilian departments and agencies take steps to remove and discontinue the use of any Kaspersky products or services.

Under the BOD, departments and agencies have: (i) 30 days to identify the presence or any uses of Kaspersky products or services on their information systems; (ii) 60 days to develop a plan to remove and discontinue the use of the products and services; and (iii) 90 days to implement the departmental/agency plans to discontinue use and remove the products or services.

Kaspersky Labs, Inc. is a Moscow-based software company specializing in cybersecurity products and services, best known for its popular antivirus software. It was founded in 1997 by Eugene Kaspersky, a former KGB-trained Russian intelligence officer. Kaspersky Labs has more than 400 million users and 270,000 corporate clients, most of which are outside of Russia.

In its press release, DHS expressed concerns “about ties between certain Kaspersky officials and Russian intelligence and other government agencies.” DHS cited additional national security concerns that Russian law may require Kaspersky to cooperate with Kremlin espionage activities, fearing that “the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems.”

The BOD was issued ahead of a Senate vote last week to ban Kaspersky products across the government and amidst the investigation into Russian meddling in the 2016 election. Separately, the U.S. Government Services Administration removed Kaspersky Labs from its list of approved vendors in July 2017. Kaspersky software – through outside vendors – has been used in at least six federal departments and agencies, including the Bureau of Prisons, the Consumer Protection Safety Commission, and even previously in segments of the Defense Department.

DHS states that it will allow Kaspersky Labs, along with “any other entity that claims its commercial interests will be directly impacted,” to submit a written argument along with any evidence or data that could offset the U.S. government’s concerns. Kaspersky Labs has issued its own statement saying that it plans to provide information to refute DHS’ suspicions of any inappropriate ties.

Following the BOD issuance, several major U.S. retailers have also decided to pull Kaspersky products and services from their shelves and websites. Drinker Biddle urges organizations, especially those that provide the U.S. government with any services involving federal information systems, to take immediate steps to examine whether they, or their vendors, use Kaspersky products and services. In addition, for those organizations outside the scope of the BOD, it would be advisable to conduct system reviews to confirm the presence (or absence) of any Kaspersky software (on their systems or those of their vendors) to enable appropriate responsive actions as events on this front continue to develop.