BOD 17-01 requires all federal executive branch departments and agencies to (1) identify the use or presence of “Kaspersky-branded products” on all federal information systems within 30 days of BOD issuance (i.e., by October 13); (2) develop and provide to DHS a detailed plan of action to remove and discontinue present and future use of all Kaspersky-branded products within 60 days of BOD issuance (i.e., by November 12); and (3) begin to implement the plan of action at 90 days after BOD issuance (i.e., December 12), unless directed otherwise by DHS in light of new information obtained by DHS, including but not limited to new information submitted by Kaspersky.
The Secretary of Homeland Security is authorized to issue BODs, in consultation with the Director of the Office of Management and Budget, for the purpose of safeguarding federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk. I recommended issuing the BOD in the Information Memorandum, and the rationale for issuance of the BOD was summarized in your Decision Memorandum. As described further below, your decision to issue BOD 17-01 was based on three interrelated concerns that rested on expert judgments concerning national security: the broad access to files and elevated privileges of anti-virus software, including Kaspersky software; ties between Kaspersky officials and Russian government agencies; and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers, including U.S. government customers. Because of these interrelated concerns, you determined that Kaspersky-branded products present a “known or reasonably suspected information security threat, vulnerability, or risk.” In addition, you found that these risks exist regardless of whether Kaspersky-branded products have ever been exploited for malicious purposes. The BOD is a tool for protecting federal information and information systems from any “known or reasonably suspected information security threat, vulnerability, or risk,” and the Department’s authority to issue it does not depend on whether Kaspersky-branded products have been exploited by the Russian Government or Kaspersky to date.
BRG evaluated specific Kaspersky products according to the following objectives:
(1) To evaluate whether it is feasible for an intelligence agency to passively monitor and decrypt traffic between users of Kaspersky-branded products and the Kaspersky Security Network (“KSN”), a cloud-based network that receives and analyzes information about possible threats from installed Kaspersky software;
(2) To determine whether turning KSN off ― or using the Kaspersky Private Security Network (“KPSN”) ― can reliably prevent potentially sensitive data from being transmitted inadvertently to Kaspersky; and
(3) To evaluate whether a malicious actor leveraging KSN can conduct targeted searches of Kaspersky users for specific information.
As explained in the NCCIC Supplemental Assessment, the BRG analysis not only is largely unresponsive to DHS’s security concerns, but also supports DHS’s concerns in certain areas. For example, on objective (1), BRG analyzed only to the security of the connection between the antivirus software and the KSN; BRG did not address the security of communications within the KSN or between KSN and Kaspersky’s non-KSN IT infrastructure, such as Kaspersky offices and datacenters. BRG also evaluated the potential for “passive” interception of communications by intelligence agencies, but DHS is concerned about “active” operations involving access by Russian intelligence to Kaspersky offices and servers in Russia, as discussed in Section III.A.4 below and Part III.E of the Information Memorandum.
3. Kaspersky Ties to the Russian Government
In the Information Memorandum, I described certain ties, past and present, between Kaspersky officials and Russian government agencies. Kaspersky concedes key aspects of this account, such as Eugene Kaspersky’s former studies at an institute overseen by the KGB and other state institutions and his service as a software engineer at a Ministry of Defense institute. It also admits that its officials might have “acquaintances, friends, and professional relationships within the [Russian] government,” although Kaspersky states that, “in itself,” does not mean that these connections were or are “inappropriate” or “improper.” Furthermore, Kaspersky does not deny various connections to Russian intelligence described in the Information Memorandum, including that Eugene Kaspersky has saunas with a group that usually includes Russian intelligence officials; that Kaspersky’s Chief Legal Officer Igor Chekunov manages a team of specialists who provide technical support to the FSB and other Russian agencies; that the team can gather identifying information from individual computers; and that this technology has been used to aid the FSB in investigations
Professor Maggs makes a number of significant conclusions. Specifically, Professor Maggs
(a) Russian law requires FSB bodies to carry out their activities in collaboration with various entities in Russia, including private enterprises, and thus including Kaspersky.
(b) Private enterprises, including Kaspersky, are under a legal obligation to assist FSB bodies in the execution of the duties assigned to FSB bodies, including counterintelligence and intelligence activity.
(c) Russian law permits FSB service personnel to be seconded to private enterprises, including Kaspersky, with the consent of the head of the enterprise and with the FSB personnel remaining in FSB military service status during the secondment.
(d) Kaspersky qualifies as an “organizer of the dissemination of information on the Internet” and, as such, is required (1) to store in Russia and provide to authorized state bodies, including the FSB, metadata currently and content as of July 1, 2018; and, based on this or other laws, (2) to install equipment and software that enables the FSB and potentially other state authorities to monitor all data transmissions between Kaspersky’s computers in Russia and Kaspersky customers, including U.S. government customers.