[Note: This item comes from friend Shannon McElyea. DLH]
In an Era of Russian Hacks, the US Is Still Installing Russian Software on Government Systems
By JOSEPH MARKS
Jun 14 2017
Congressional concern is climbing—not for the first time—about government agencies using an anti-virus tool made by the respected but Russia-based security firm Kaspersky Lab. The dustup is a case study in why securing government systems is devilishly complicated.
The fracas comes as congressional Democrats are squaring off against President Donald Trump over possible collusion between Russian intelligence agencies and members of his campaign. It also follows a presidential campaign upended by a Russian government influence operation and amid a deluge of leaks from U.S. intelligence agencies.
The competing priorities of security, intelligence, diplomacy and budget constraints play a role in the melee. So, too, do the rival power centers of a government that’s struggled for years, often unsuccessfully, to manage cybersecurity and technology buying in a unified way.
This is the basic paradox: On one hand, top intelligence officials at the FBI, CIA and the National Security Agency tell members of Congress that Kaspersky Lab can’t be trusted, that they wouldn’t put its products on their personal computers, let alone the nation’s. On the other hand, federal agencies still use the Moscow-headquartered anti-virus software. During the past decade, it’s plugged into systems at the Consumer Product Safety Commission, the Treasury Department, the National Institutes of Health and U.S. embassies, among other locations, contracting data shows.
Kaspersky anti-virus also frequently protects state, local and tribal government computers, former officials told Nextgov.
It may even be on some non-national security systems at the Homeland Security Department, according to testimony from Homeland Security Secretary John Kelly, though it’s generally barred from intelligence and national security systems throughout government, according to official testimony.
This disparity between official concern about the Kaspersky company and the prevalence of the firm’s anti-virus on government systems highlights two fundamental facts.
First, anti-virus is both immensely useful and extremely powerful. If used for nefarious purposes, it’s capable of pilfering nearly any file from a computer system or loading malware onto that same system. It can do all of this undetected unless a system administrator is monitoring it extremely closely and perhaps not even then.
Second, despite widespread alarm over government data breaches at the White House, the State Department, the Pentagon and the Office of Personnel Management, the government is a long way from being able to impose uniform security standards on all of its computers.