The Trump administration Wednesday ordered all federal agencies to stop using software produced by Kaspersky Lab, dealing a major blow to the Russian computer security company that has been trying to make inroads into the US market from its local headquarters in Woburn.
In issuing the edict, acting Homeland Security Director Elaine Duke cited ties between Kaspersky officials and the Putin government, as well as a requirement that Russian companies cooperate with that country’s intelligence agencies. She said “malicious cyber actors” could use Kaspersky software to access government files.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products’’ imperils US national security, Duke said in a statement.
Homeland Security did not say whether the United States has evidence that Kaspersky products have compromised the security of federal networks. The agency directed federal offices to begin removing Kaspersky software from their systems within 90 days.
The company has consistently disputed allegations it is a stooge of the Russian government, saying its US critics have never proved any connections to foreign intelligence agencies.
Kaspersky “does not have unethical ties or affiliations with any government, including Russia,” the company said in a statement Wednesday. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”
It’s unclear how many Kaspersky programs are installed in US government computers. The company said its federal contracts are not a major source of its business.
Robert Westervelt, an analyst for IDC Corp., said Kaspersky’s mainstay is selling consumers and companies tools to protect computers, phones, and other devices that connect to networks from hacking and infection. He estimated Kaspersky’s total US sales on such services at $150 million a year and predicted they will remain flat or decline this year amid the controversy.
Its US operations are relatively modest, with 300 employees. Kaspersky is a much bigger name in Europe and worldwide claims 270,000 clients and 400 million individual users.
Westervelt said most government business is conducted on machines protected by American companies, and Kaspersky’s push to win federal contracts had largely fizzled before the company got caught up in the Russian espionage controversy.
Whether the new US government ban will lead to further losses of American customers is unclear. Earlier in September, the big national retailer Best Buy dropped Kaspersky, a spokesman told the Minneapolis Star-Tribune newspaper. But Westerfelt predicted that most customers that have Kasperksy products installed on their machines will be unlikely to remove them.
“These headlines come and go. There’s been so many different security vendors that got hit with security breaches over the years, and those headlines came and went, and they are still standing strong,” he said. “I don’t think it’s going to be any different for Kaspersky. Plus they know the political situation, and I’m sure they were expecting something like this.”
In Massachusetts, neither the state government nor the city of Boston use Kaspersky in their cybersecurity arsenals. At a cybersecurity event he attended Wednesday, Governor Charlie Baker said the state is likely to heed alarms raised by the US government.
“In instances where the feds say that certain folks ought not to be part of our procurement system, unless we have a really good reason, we typically take them off,” said Baker.
The company’s founder, computer scientist Eugene Kaspersky, learned his trade at a school sponsored by the Soviet Union’s intelligence service, the KGB. He started his company in 1997.
Suspicion of the company mounted after allegations that Russian interests interfered with the US presidential election in 2016, including the damaging release of hacked e-mails of the Democratic National Committee. In May, all six of the chief of US intelligence agencies said at a public hearing they would not recommend using Kaspersky products, and in July the General Services Administration, which oversees federal government purchases, had dropped Kaspersky from its list of approved vendors.
The US Senate is scheduled to vote within days on legislation filed by Democratic US Senator Jeanne Shaheen of New Hampshire that would prohibit the federal government from using Kaspersky products.
On Wednesday, she praised Homeland Security’s decision to drop Kaspersky from federal computers. “The strong ties between Kaspersky Lab and the Kremlin are very alarming and well-documented,” Shaheen said in a statement.
With the signals out of Washington, D.C., increasingly unfavorable, Kaspersky on Tuesday announced it would try to expand its consumer business in North America by opening offices in Chicago, Los Angeles, and Toronto in 2018.
Homeland Security said it will allow Kaspersky to present a written response to address the agency’s concern that its products can be used to infiltrate the US government. The company said it intends to try to convince the agency its products are trustworthy.Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab. Andy Rosen can be reached at email@example.com. Follow him on Twitter at @andyrosen.