DHS offers new details on Kaspersky ban

The Department of Homeland Security published the full text of its Kaspersky ban in the Federal Register just as the Senate voted to ban the company from federal networks as an amendment to the defense bill.

 

Six days after announcing a ban on Kaspersky products in federal networks, the Department of Homeland Security published a Federal Register notice offering more details on the decision.

The notice includes the text of Binding Operational Directive 17-01, issued Sept. 13 by acting Homeland Security Secretary Elaine Duke. The directive specifies that the order does not apply to Kaspersky code "embedded in the products of other companies" and that it does not apply to the services Kaspersky Threat Intelligence and Kaspersky Security Training.

The directive requires agencies, within 30 days, to identify any Kaspersky-branded products on federal systems, the number of affected endpoints and the methods used to arrive at the tally of Kaspersky products.

The directive also requires agencies to report on whether removing Kaspersky products would affect system compliance with federal information security requirements. Agencies must also report whether such removal could put them at increased risk for data loss or leakage, make them more susceptible to malware or email spam, or affect patch management, software and hardware whitelisting or web content filtering. The directive also seeks information on proposed replacements for Kaspersky products.

The notice was released the same day the Senate passed a ban on Kaspersky products as an amendment to the National Defense Authorization Act.

The DHS directives don't apply to classified national security systems or certain Defense Department systems. However, Kaspersky products aren't in wide use on the military side. At a May 11 hearing of the Senate Select Committee on Intelligence, the chiefs of the CIA, the FBI, the Defense Intelligence Agency, the National Geospatial-Intelligence Agency and the director of national intelligence all said under questioning that they would not be comfortable using Kaspersky products.

In a press statement, Kaspersky Lab said it was "disappointed" by the Senate bill. It said that the company "is fully committed to fighting cybercrime and doesn’t have unethical ties to any government."

The company added, "Kaspersky Lab will respond to DHS' binding operational directive shortly, and the company ardently believes Congress should review that response before considering any action…. With the recent U.S. government actions affecting the company, Kaspersky Lab greatly appreciates the opportunity to directly refute the false allegations and inaccurate assumptions during congressional testimony on September 27."

DHS said that it had shared its concerns with Kaspersky and offered to make its correspondence with the company available to any of the firm's business partners. Many big-name global technology firms have licensing deals with Kaspersky to integrate its security products and services into widely used hardware such as PCs and routers. The list includes Microsoft, Amazon Web Services, D-Link and Juniper Networks.

Any firm "that claims its commercial interests will be directly impacted" by the order can seek redress from DHS in writing, according to the directive. An emailed request to obtain the correspondence from the DHS cyber agency, the National Protection and Programs Directorate, was not immediately answered.