The Department of Homeland Security on Thursday pushed back on criticism from lawmakers regarding the agency’s response to removing Kaspersky Lab Inc. software from government computers.
Members of Congress this week expressed concerns that the time frame for agencies to remove Kaspersky products from their systems may be too long. Those remarks followed a Sept. 13 directive from DHS that ordered federal agencies to stop using Kaspersky Lab software, but gave agencies 90 days to uninstall and remove the software and products.
An agency official on Thursday said the three-month period was needed to identify products within 30 days, develop a plan for removal within 60 days, and begin removing products within 90 days, “unless agencies are directed otherwise by DHS based on new information.”
“The timing was based on risk management and assessment process and review of available information,” the official said in a Thursday email. “Operational decisions about the integrity and security of U.S. government systems occur regularly as information about risks are received and thoroughly reviewed and analyzed.”
Rep. Don Beyer (D-Va.) — ranking member on the House Science, Space and Technology oversight subcommittee — voiced concerns about that time frame after a hearing Wednesday, suggesting it could be exploited by agents in the FSB, Russia’s Federal Security Service.
“If I’m in the FSB or whatever, and I’m in Moscow right now, I’m working three shifts a day, getting as much as I can out of the U.S. government through Kaspersky before mid-December,” Beyer said in an interview.
Rep. Clay Higgins (R-La.), a member of the oversight subcommittee, added that the current steps being taken by DHS to remove Kaspersky Lab software might come too late.
“If I was in charge, no subcontractor would be allowed to use Kaspersky systems, no government employee would be allowed to use Kaspersky systems, and a broad warning would go out into the private sector advising them to divest themselves from Kaspersky products,” Higgins said in an interview following the hearing.
“The procedures begin with the people — the people in charge,” Higgins added. “And I think the culture has to change.”
Some Democratic senators have also expressed their concerns about Kaspersky in the past week.
During a Senate Armed Services Committee hearing on Oct. 19, Sen. Claire McCaskill (D-Mo.) criticized the agency’s 90-day directive, telling DHS official Christopher C. Krebs that “you’re giving them a long time.”
On Oct. 24, Sen. Jeanne Shaheen (D-N.H.) sent a letter to DHS Acting Secretary Elaine Duke and Director of National Intelligence Daniel Coats asking that the agencies “declassify information on Kaspersky Lab and its products in order to make informed decisions about risks to their privacy and security.”
DHS said that, as a matter of policy, it does not comment on correspondence with the agency’s secretary.
A Kaspersky spokesperson denied that the cybersecurity firm has ties to Russia or any government, saying “the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”
“We reiterate our willingness to work alongside U.S. authorities to address any concerns they may have about our products, and respectfully request any relevant information that would enable the company to begin an investigation at the earliest opportunity,” the spokesperson said in a Tuesday email.