By Joe Alecci, IT Senior Manager
In September 2017, the Acting Secretary of Homeland Security issued what is known as a Binding Operational Directive (BOD) that compels Executive Branch departments and agencies to identify and remove Kaspersky Lab products from their systems. Kaspersky Anti-virus products provide access to files and elevated privileges on systems that have this software installed, which can be exploited to compromise said systems. At the time of this Directive, there were concerns about the ties between certain Kaspersky officials and Russian Intelligence agencies. Russian agencies, under Russian laws and in collaboration with Kaspersky, could potentially utilize access provided by these products to compromise federal systems and affect national security.
Fast forward to December 12th, President Trump signed into law the National Defense Authorization Act -- the defense spending bill for the 2018 fiscal year that includes a provision which stems from the September Directive banning the use of Kaspersky products within the U.S Government, including both civilian and military networks. Reuters noted that Kaspersky denied any ties or involvement with cyber espionage and offered to submit the source code for software and future updates for inspection by third parties. U.S. officials apparently responded with a "Нет, спасибо" in Russian or "no, thank you."
So what does this this mean for financial institutions? Any organization using Kaspersky should start to develop a plan to remove and replace any Kaspersky Anti-virus applications or products in an expedient manner. Although I have not seen anything from the regulators, I would not tempt fate. On a final note, it just dawned on me, why would the Federal Government be using any Russian or foreign government software for cybersecurity-related protection in the first place? Hmm...
To learn about P&G's IT/Cybersecurity Audit & Risk Management Services, please email WhatsYourRisk@pandgassociates.com or call 877-651-1700.
Joseph Alecci, CISA, CISM, CISSP, CRISC
Senior Manager – IT Audit & Information Security
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.