The U.S. Department of Homeland Security (DHS) is ordering federal agencies and departments to remove software sold by the Russia-based IT firm Kaspersky Lab, citing the cybersecurity company's alleged ties to the Russian government and vulnerability to intrusion by Russian intelligence.
The order on Wednesday by acting DHS Secretary Elaine Duke directs the executive branch to identify Kaspersky products within 30 days and begin to phase out their use entirely within 90 days.
Kaspersky was founded in 1997 by current CEO Eugene Kaspersky, who once served in Russia's Ministry of Defense and graduated from a school with links to Russian intelligence. The company has a vast global presence with 400 million customers around the world andto the Russian government.
The U.S. government has expressed concern about the possibility that Russian intelligence could access sensitive data and compromise systems using Kaspersky products, which are meant to guard against cyber intrusions.
Rob Joyce, the Trump administration's cybersecurity coordinator,that he does not use Kaspersky products and would discourage others from doing so.
"I worry that as a nation state Russia really hasn't done the right things for this country and they have a lot of control and latitude over the information that goes to companies in Russia. So I worry about that," Joyce said.
In its order on Wednesday, DHS cited Russian laws requiring companies to assist the Russian government and intelligence agencies.
"The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks," DHS said in a statement announcing the actions.
Kaspersky denies that the Russian government has the authority to compel its cooperation, saying the relevant law applies to telecoms and communications companies.
The U.S. General Services Administration, an agency that helps manage federal offices, removed Kaspersky from its preferred vendors list in July.
DHS said Wednesday it was taking action to phase out remaining Kaspersky products because of the risk that the Kremlin could infiltrate federal systems "whether acting on its own or in collaboration with Kaspersky."
DHS said it would allow Kaspersky to submit a written response to its order "addressing the Department's concerns or to mitigate those concerns."
In a statement, Kaspersky said it was "disappointed" in the department's decision and denied any "inappropriate" ties to any government.
"No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company," the company said, adding it was "grateful for the opportunity" to provide more information to DHS.