Did agencies suffer a data breach by using Kaspersky? DHS says no ‘conclusive’ evidence, yet

House lawmakers raised new questions Tuesday about the threat of Kaspersky Lab products and why the civilian agencies didn’t act more quickly to remove the company’s products.

Rep. Lamar Smith (R-Texas), chairman of the Science, Space and Technology Committee, pressed Jeanette Manfra, the Homeland Security Department’s assistant secretary for Cybersecurity and Communications in the National Protection and Programs Directorate, about whether Kaspersky products stole federal agency data.

“I can’t discuss that in this forum,” Manfra said. “I’d prefer to have that discussion in a classified hearing.”

Smith interrupted Manfra, saying a classified setting wasn’t necessary because he wasn’t asking for specifics, just whether or not a breach has occurred.


Manfra said DHS is still working through the process of determining whether or not a breach occurred.

Smith interrupted Manfra again, saying that answer was “sufficient.”

“It’s not conclusive at this time,” Manfra said. “We do not currently have conclusive evidence that there has been a breach. I want to do a thorough review to ensure that we have a full picture.”

Manfra said later in the hearing that she was aware of press reports alleging that the National Security Agency may have suffered a breach. She said that if the Intelligence Community finds those allegations to be true, that would be evidence of a data breach.

Lawmakers left the hearing with several less-than-satisfactory answers about the threat of Kaspersky and how agencies are addressing this potential threat, including the possible data breach.

Another focus of the Oversight Subcommittee was why the civilian agencies, particularly DHS, didn’t react more quickly when concerns about Kaspersky Lab products arose as early as 2012.

Essye Miller, deputy chief information officer for cybersecurity at DoD, told the subcommittee the Pentagon made a decision not to use Kaspersky products based on intelligence information.

Smith said that was back in 2012, but Miller said she had to check on that date.

When lawmakers pressed Manfra on why DHS or other agencies didn’t take the same steps, she pointed to the sharing of classified information as an inhibitor.

“I first became aware of concerns in the 2014 timeframe,” Manfra said. “Some agencies such as DHS did engage in an effort to remove Kaspersky software from their systems. What we identified was largely agencies who were more security focused or had the ability to receive classified briefing were removing the software. Where there was a gap was in the civilian agencies where they didn’t have the infrastructure necessarily in place where they could rely on classified information to make procurement decisions.”

She said that is why DHS issued the Binding Operational Directive in September.

But lawmakers weren’t left wanting on all of their questions.

Manfra said 94 percent of all agencies, large and small, met the 30-day deadline under the BOD to report to DHS any use of Kaspersky products on their systems or networks. She said only six very small agencies haven’t, and DHS is helping them.

Additionally, Manfra said only 15 percent of all agencies reported having Kaspersky products on their networks.

DoD’s Miller and NASA CIO Renee Wynn, both of whom testified Tuesday, said their agencies didn’t use Kaspersky and found limited or no evidence of the software being embedded in other systems.

“Kaspersky Lab Antivirus software (KL AV) is not on the DoD approved products list, nor do we have any contract awards listed for this software in our Federal Procurement Data System,” Miller told the committee in her written testimony. “Although the Department of Homeland Security Binding Operational Directive 17-01 ‘Removal of Kaspersky-Branded Products’ does not apply to statutorily defined ‘National Security Systems’ nor to certain systems operated by the DoD, the department has implemented the intent of the directive. Prior to the BOD’s release, on August 3, 2017, Joint Force Headquarters-DoD Information Network (JFHQ-DODIN) issued Task Order 17-0207 KASPERSKY ACTIVITY to mitigate threats to the DODIN potentially posed by adversaries leveraging KL products installed on DODIN infrastructure.”

Wynn said NASA used continuous diagnostics and mitigation (CDM) tools to scan its network and identify any implementations of Kaspersky products. She said the space agency found no “active installations” of Kaspersky.

Manfra also said DHS is reviewing the response from Kaspersky Lab about why it shouldn’t be banned from federal work.

DHS gave the company an extra week to respond, so it only received Kaspersky’s response on Nov. 10.

But Manfra told the committee that reviewing Kaspersky’s source code — something the company offered the government to do — would not necessarily alleviate the government’s concerns.

Finally, in response to Rep. Darin LaHood (R-Ill.), Manfra reconfirmed and added more details about how the BOD applies to government contractors.

“Every agency is responsible for defining what contractors constitute their federal information system and reporting that up to us. What we see is what the agencies report to us,” she said. “We also have sensors deployed both internal to agency networks as well as at the perimeter that can identify what agencies may be calling out to Kaspersky IP addresses so that would indicate that they probably have it on their systems as well. So we are looking at a variety of avenues to identify whether they have it.”

She added that DHS feels confident that all of the largest agencies have done an assessment of government and contractor networks.

Miller said DoD has had discussions with the defense industrial base to make sure it understands the risks of using Kaspersky Lab products.

“The Defense Security Service has directed all of them to remove the products especially for our classified systems,” she said. “We are working with our vendors in the unclassified arena with a Defense Federal Acquisition Regulations clause we put in place to help them not only understand the risk, but understand the products that they are using and their responsibility to protect government information and the government network as they relate to mission operations.”