The Russia connection

Antivirus but not anti-spy

Published 29 November 2017


The late senator William Proxmire of Wisconsin (he died in 1989) made a name for himself for his Golden Fleece Awards — awards given each year to the most wasteful U.S. government programs.

Senator James Lankford (R-Oklahoma), continuing in Proxmire’s tradition, has just released the third volume of his annual Federal Fumbles: 100 Ways the Government Dropped the Ball.

One of the U.S. federal government’s major fumbles has been the way it has dealt with Russian cybersecurity firm Kaspersky Lab, a company founded by Yevgeny Kaspersky, a veteran of the GRU, Russia’s military intelligence branch. The GRU, its hackers, and the hacker groups it finances – like Fancy Bear – conducted the Kremlin’s successful cyber campaign to help Donald Trump win the 2016 election.

The U.S. intelligence community has long suspected that Kaspersky Lab was using its popular antivirus software – used not only by individuals and corporations, but also by U.S. government agencies – to collect sensitive information from the computer systems on which the software was installed, and deliver that information to the GRU and the FSB, the KGB’s successor agency.

Lankford’s Federal Fumbles reports:

With the spread of computer viruses, hacking, and other cyber threats, many entities around the globe turn to antivirus and security software to protect networks and safeguard personal and proprietary information. Unfortunately, one of those software companies may actually allow the Russian government to spy on other governments and citizens.

For years, many have suspected that the Russian government uses the popular antivirus company, Kaspersky, to spy on the American government through its installed software (see Eric Geller, “DHS bars government from using Russia-based Kaspersky software,” Politico, 13 September 2017). However, it took DHS several years to study the software before a determination was made that Kaspersky’s software should be removed from federal agency computers (Geller, “DHS bars government from using Russia-based Kaspersky software”). That came more than a year after the FBI informed private companies of the threat from Kaspersky software and encouraged alternative software to secure networks and computers (see Patrick Howell O’Neill, “FBI pushes private sector to cut ties with Kaspersky,” Cyberscoop, 17 August 2017).

The federal government knew or should have known of the potential threat from Kaspersky software for at least three years before the order for its removal from government computers. That means Russia had three additional years of access or potential access to highly sensitive federal records, plans, and information.

To keep our networks and computers safe from any type of cyber-attack, DHS and intelligence agencies should not take several years to study a potential problem before making a decision. Those who had knowledge of a problem with Kaspersky or good reason to believe there was a problem should have moved much more quickly to notify others and ensure the software was removed from computers. With the ongoing threat from Russian hackers, the American government should not use any software from Russian companies. Russia may always want to spy on the American government; we should not make their job easier.