A senior U.S. official pushed back against a Democratic senator’s criticism Thursday concerning the 90-day timeframe provided by the Department of Homeland Security for federal agencies to uninstall Kaspersky Lab products after the technology was linked to Russian intelligence efforts.
In an open congressional hearing Thursday, Missouri Sen. Claire McCaskill questioned why the Homeland Security Department would offer such a grace period when the threat of foreign espionage is apparently evident. She implied that the Kremlin, if found in a similar situation, would be handling the situation much more rapidly.
“You’re giving them a long time,” said McCaskill. “Do you think if this happened in Russia, if they found a system of ours was looking at all their stuff, that they would give their government 90 days to remove it? Seriously? The point I am making I mean is that why don’t you just say you have to remove it immediately?”
On Sept. 13, the DHS announced a Binding Operational Directive — only the fourth of its kind — to push agencies to “take actions related to the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities,” according to a government statement. The BOD followed months of speculation and media reports connecting the Russian anti-virus maker to the Kremlin’s national security apparatus. BODs exclude national security systems.
The directive was organized into three separate 30-day stages, which began with a review of existing software, followed by a planning period, and then finally the removal process. The first stage ended last week.
In an interview with CyberScoop, Jeanette Manfra, assistant secretary for DHS’s cybersecurity and communications office, said the government was on track to complete the BOD in 90 days — meaning that the first stage had been completed and DHS now had a comprehensive idea of where Kaspersky software was installed.
Christopher Krebs, a senior official performing the duties of the undersecretary for the National Protection and Programs Directorate (NPPD), responded to McCaskill’s criticism by explaining that the process of identifying, removing and replacing Kaspersky from government systems will require a budgetary and technical review in order to avoid unintended security issues.
“You can’t just rip out a system,” Krebs explained. “There are certain vulnerabilities that can be introduced by just turning a critical anti-virus product off. What we need to do is have a process in place that you can replace it with something that is effective. And in the meantime, we are able to put capabilities around anything we do to identify or monitor any sort of traffic.”
One of the challenges facing the government when it comes to removing Kaspersky, broadly mentioned by Krebs in his brief response, is that replacing the software could result in a negative consequence if an alternative is not readily available.
Although U.S. intelligence officials unanimously agree that Kaspersky poses a threat, security experts maintain that the company’s anti-virus product is of high quality and can help prevent common computer viruses. As a result, there may be a scenario where the expulsion of Kaspersky would open up an organization to harm from everyday cybercriminals.