
DHS Issues BOD Banning Kaspersky from Federal Government - mikehotel
https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01
======
tptacek
This is very bad for Kaspersky. Put aside how much revenue the entire GSA
market represents for a security company (it'll be a double-digit percentage
for a typical company). The bigger problem is that in the wake of this, every
systemically important financial firm will also eject Kaspersky. In addition
to being another significant chunk of revenue, major financial firms set the
buying direction for IT security for the whole industry.

If you're wondering what the backstory is here, well, join the club. Dave
Aitel sums it up: US Senators John McCain and Marco Rubio claim the US IC has
presented them some kind of smoking gun evidence that some kind of line was
crossed. They're not planning to share more information. Anybody who tells you
they know more about what's going on is probably just spreading gossip.

~~~
peterwwillis
If we don't speculate at all, we're left with the following bullet points from
news articles this year:

- Michael Flynn was paid by Kaspersky to speak at its seminar (probably nothing, but mildly interesting)
- US Intel community considers Kaspersky to be an arm of the Russian government
- Kaspersky employee arrested in sting by Russian government for treason
- US Intel officials believe Kaspersky employees in US engaged in espionage
- Kaspersky employees investigated/interviewed in US by FBI
- Coincidence of a Russian military intelligence unit's ID in a certification for Kaspersky software
- Kaspersky denies it will ever work with any government on cyberespionage

Take all of that, and ask yourself this. Would the US govt, which already had
suspicion to remove them, and had been getting the ball rolling since at least
May or before then, ask them to spy on behalf of the US in Russia, and if they
balk, remove their funding and damage their reputation?

To me that's the real reason: they wouldn't play ball.

~~~
BoiledCabbage
I think it's a very interesting timeline you've laid out. The piece I don't
follow is the conclusion.

> Take all of that, and ask yourself this. Would the US govt, which already
> had suspicion to remove them, and had been getting the ball rolling since at
> least May or before then, ask them to spy on behalf of the US in Russia, and
> if they balk, remove their funding and damage their reputation? To me that's
> the real reason: they wouldn't play ball.

I'm no expert at this, but I can't think of any circumstance where US
intelligence would both simultaneously believe they are a branch of the
Russian govt and ask them to spy in Russia on their behalf. Almost with 100%
certainty if the US is spying in Russia it is against their geo-political foe
Russia's interest. You wouldn't pass your secretly gathered intelligence
through a branch of the Russian govt before returning it stateside. The secret
intelligence is almost certainly about the Russian govt - no way you'd pass it
through them to get it back to you. At minimum they'd know what you know, at
maximum they'd manipulate it to deceive you. Again this is all speculation on
my part here, but I don't see it supporting that conclusion.

Clearly something changed to cause the sudden urgency to eliminate Kaspersky
from govt computers. Additionally the urgency to me speaks more to eliminating
a threat (of espionage or else) rather than retaliation. 30-90 days in govt
time is pretty much as immediate as it gets.

I think something else changed or was discovered. An option is US intelligence
found out evidence of escalation of alleged actions by Kaspersky either in the
recent past or plans for the near future. Again I've got no evidence of this -
but it is what seems to better fit the points we've seen so far.

~~~
ams6110
> I can't think of any circumstance where US intelligence would both
> simultaneously believe they are a branch of the Russian govt and ask them to
> spy in Russia on their behalf.

Turning a spy is espionage 101, chapter 1.

~~~
BoiledCabbage
Yes, but you don't then punish the entire company for not complying.

Turning a spy would be a covert action. Saying "your company better spy for
us, or else we'll pull our contracts" is absolutely not. The previous poster
was arguing the latter was what is going on.

~~~
peterwwillis
If your company hires someone who openly flaunts a lifestyle which is "morally
repugnant" to some ranking member of a committee which oversees a government
budget, and the company realizes this, they have a decision to make. If the
company keeps the employee, the contract could be pulled, and they lose
millions. If they simply lose the employee, the company stays in business.

This is never an official policy, but it is a de-facto one, in the
intelligence community anyway. Companies sometimes self-police to prevent
these situations. But they will absolutely act to protect their interests, in
one way or another.

------
BoiledCabbage
None of the following is confirmed, but I keep seeing articles online hinting
around this, or implying this. Essentially it sounds like it is known in
classified circles that Kaspersky works closely with and supports Russian
Intelligence (FSB).

It seems while the US knew about this it had a spy within Kaspersky and was
their source for finding out what they were up to. The accused spy was
arrested by the FSB recently so likely the US no longer is willing to take on
the risk of allowing Kaspersky to run on US govt machines. Marco Rubio
appeared to hint at some classified info about known govt risks of dealing
with Kaspersky. Additionally the second link mentions Kaspersky is moving into
protecting critical infrastructure, which seems notable given the sudden
frequency of mentions of the weakness of US infrastructure to network attack.

The problem with classified security stuff is you never find out the full
story. Only bits and pieces around the edges of it. It's almost never in their
best interest to reveal the depths of what they know because it exposes their
methods and awareness.

https://www.cbsnews.com/news/russia-treason-fsb-spies-kaspersky-labs-us-intelligence-denies-cia-hacking/

Earlier article on them working with the FSB.

https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence

~~~
pvg
You're making a very big leap from 'Russia arrested someone and charged him
with treason' to 'That person was actually a US spy' and even 'The arrest of
this person who was actually a US spy is the driver behind a particular US
policy'. We just don't have any reasonable insight into why Russia arrests
people and what, if anything, they're guilty of.

~~~
BoiledCabbage
> We just don't have any reasonable insight into why Russia arrests people

In the actual article link it quotes Russian govt. officials saying they
arrested them for treason, and for giving secrets to a US Intelligence Agency
that wasn't the CIA.

I do appreciate skepticism in response to claims, but please do read through
the article first before contesting.

~~~
shallot_router
Of course that's what the Russian officials said, but who knows how accurate
that is or what might be omitted from that statement?

------
myth_drannon
Is there some sort of clandestine effort by Russian intel agencies to force the
US government to install McAfee Antivirus and subsequently cripple the
productivity of said government agencies?

~~~
arkitaip
Maybe it's the Gerasimov Doctrine in action [0], i.e. Chaos All The Things!!!

[0] http://www.politico.com/magazine/story/2017/09/05/gerasimov-doctrine-russia-foreign-policy-215538

~~~
zmoreira
There is no Gerasimov Doctrine.

------
sailfast
End of (federal fiscal) year is an OK time for this as there may actually
(fingers crossed) be money available to shift away from these products that
can be applied toward licenses.

What a happy, happy windfall for all the Symantec / McAfee sales reps with
Federal accounts. If you're at a bar with one, they're buying :)

------
Stranger43
The US declaring that it thinks that a government should think hard about what
foreign products to let into its core infrastructure is going to have
consequences beyond the intended ones.

That is probably great news if you're a European, or especially Asian, software
vendor trying to compete with any US based company for local government
contracts, as the US has now legitimized any concern about foreign
governments (including the US) forcing back doors into commercial products.

It might not be all that good if you're a Californian startup trying to make
money on the European and Asian market, as what was a hard sell now got
harder.

Though it's not a new trend, as we're heading towards a situation where IT
procurement is getting incredibly political and where the legal department is
increasingly vetoing solutions that otherwise would have gotten selected due
to jurisdiction issues in relation to stored data.

~~~
syphon7
It's different. EU is in NATO with US (most of EU). Buying from an ally vs a
non ally (or enemy depending, Ukraine for instance) is a very big difference.

~~~
zmoreira
Not really. Ally vs non-ally is not the criteria for spying. Important vs
unimportant is.

------
FatAmericanDev
The fact that they allowed it in the first place is mind boggling, the people
that run Kaspersky love Russia.

~~~
marcoperaza
Tech sovereignty is going to be one of the most important international issues
of the next few decades. The US has mostly lucked out so far, being the home
of the overwhelming majority of major tech firms. But China has very
purposefully taken steps to secure and guarantee their technological
sovereignty, and there is movement in Europe to do the same.

~~~
cinquemb
I wonder where the technological sovereignty of the individual exists in the
midst of this…

~~~
duncan_bayne
Right alongside all the other aspects of individual sovereignty that society
has chosen to abrogate.

------
jk2323
Makes sense. I understand their concerns.

Would also make sense to ban Microsoft at least in the EU for anything
government or military related and only use a custom tailored Linux. EULinuxs
instead of Red Linux :-)

~~~
syphon7
Not the same. Most EU countries are allied with the US. Most of them hold
negative or downright hostile views towards Russia.

~~~
pera
I am unsure what exactly makes a country an "ally" of America (aside from
diplomatic relations), but the US IC does have a history of industrial espionage
against the EU and other trading partners:
https://theintercept.com/2014/09/05/us-governments-plans-use-economic-espionage-benefit-american-corporations/

~~~
syphon7
If they're in NATO then they're an ally.

Also, interesting you posted a Glenn Greenwald article - he has been accused
by some people in the U.S. of dismissing things Russia has done recently in
these fronts.

------
Overtonwindow
I am deeply suspicious of the criticism heaped on Kaspersky, and I suspect it
might be part of a smoke and mirrors attempt to distract us from actual
threats. The US IC community is deeply ingrained in the antivirus and computer
security industries. NSA employees go to work for these companies, and vice
versa. Foreign governments have just as much to fear from Norton and McAfee,
as we do from Kaspersky.

~~~
3JPLW
How does that conclusion follow your premise?

Premise: US AV companies are deeply connected to the US intelligence
communities.

Conclusion: Deep suspicion of criticism that a Russian AV company may be
connected with Russian intelligence communities?

~~~
rmrfrmrf
Right. As a US citizen, I _guess_ I would pick the US spying on me if I had to
choose between the US and a foreign government.

~~~
21
If the US wants to spy on you, it doesn't matter what software you pick.

See how NSA spied on internal Google networks, even if Google was already in
PRISM.

------
AngeloAnolin
Quote:

"The BOD calls on departments and agencies to identify any use or presence of
Kaspersky products on their information systems in the next 30 days, to
develop detailed plans to remove and discontinue present and future use of the
products in the next 60 days, and at 90 days from the date of this directive"

That number of days could be critical. If they have intel telling them that
Kaspersky can be used as a vector to exploit their systems by Russia, then
this could be used outright to further exploit their systems and possibly (?)
plant more ways to attack, even after Kaspersky has been removed.

I am assuming that DHS will already have in place another security company to
handle other potential scenarios and ensure the security of their system while
the transition process is happening.

~~~
csydas
It could just be an excuse to award a contract to a variety of local security
firms to perform a "Post-Kaspersky Security Audit" at great expense in the
interest of National Security, but that's just baseless cynical speculation.

It's a weird move, and I would like to imagine that there is some solid
reasoning behind the endeavor besides posturing and playing up to hot-button
issues. But it really does just seem like the sort of issue that either ends
up in bureaucratic limbo (e.g., Kaspersky remains installed for months while
agencies look to find a replacement that meets their criteria) or that leaves
the computers unprotected while the search continues.

------
todd8
Is Nginx next? I suppose that its open source nature mitigates the risks of
an important software infrastructure piece being developed in a country that
might not always be friendly to us.

~~~
shallot_router
Nginx isn't a security company and doesn't make client-side software, so
probably not. (Of course, theoretically nginx could be backdoored to give
valuable information to intelligence agencies, but it's harder due to the fact
it's open source, and even if it was closed source the escalation in response
to banning nginx could start a new Cold War. Imagine the US and Russia
mutually banning use of _any_ of the other side's software and actually trying
to implement it.)

------
0xbear
Coming up next: Russian government bans US software on government machines.
Microsoft delivers large bags of money to McCain (unless he kicks the bucket
by then) and Rubio. Senators recant.

------
diminish
>> The Department is concerned about the ties between certain Kaspersky
officials and Russian intelligence and other government agencies, and
requirements under Russian law that allow Russian intelligence agencies to
request or compel assistance from Kaspersky and to intercept communications
transiting Russian networks.

In 2017 in tech we're progressing towards a fragmented future where
governments don't trust each other and big tech companies hold strong
intelligence power in people's lives.

------
crb002
If Kaspersky provides source to NSA then there should be no issue.

~~~
lawnchair_larry
They do. Their source is available for examination by any government.

------
solotronics
The natural progression is state sponsored software and hardware at every
level. China has been working on this for some time; the US is foolish to
ignore this.

------
trhway
Bad FSB! No more free access to USG computers for you!

