The Pentagon’s intelligence agency flagged Russian software company Kaspersky Lab as a potential threat as far back as 2004, 13 years before the Department of Homeland Security banned the government from using its products, The Wall Street Journal reported Friday.
Kaspersky products were the subject of a Pentagon-wide threat assessment circulated by the Defense Intelligence Agency in 2013, according to an email sent from the Department of Defense this week to the House Committee on Science, Space and Technology, The Journal reported after reviewing the message.
The DIA “began producing threat reporting referencing Kaspersky Lab as a threat actor as early as 2004,” the email said, suggesting the government’s suspicions about the antivirus vendor started well before recent reports linking it to Russian intelligence.
The DHS issued a directive on September 13 ordering federal agencies to audit their systems for Kaspersky products and remove them within 90 days, citing “information security risks.”
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the directive said.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
News reports published after the directive was issued allege that Russian hackers exploited Kaspersky products in order to steal data from customers’ computers, including at least one instance that resulted in the compromise of classified U.S. national security documents.
Kaspersky has denied colluding with the Russian government, but acknowledged a case where its software accidentally siphoned U.S. state secrets.
Kaspersky remains “ready to work with the U.S. government to address any and all concerns and further collaborate to mitigate against cyber threats, regardless of their origin or purpose,” the company told The Journal in response to the DIA’s assessment, adding, “we maintain that there has yet to be any credible evidence of the risks presented by the company’s products.”
Roughly 15 percent of federal agencies subsequently found traces of Kaspersky software on their computer systems, Jeanette Manfra, the DHS assistant secretary for cybersecurity and communications, told the House panel’s oversight subcommittee earlier this week.
Essye Miller, the Pentagon’s top cybersecurity official, testified during the same hearing that, based on intelligence information, the Pentagon hasn’t used Kaspersky products.
“Kaspersky Lab Antivirus software (KL AV) is not on the DoD approved products list, nor do we have any contract awards listed for this software in our Federal Procurement Data System,” she wrote in her prepared testimony.