House science chairman dives into Kaspersky cyber investigation

The 16-term lawmaker from San Antonio is framing his oversight as part of a broader examination that could provide important guidance for future cyber policy development. But science panel Republicans are particularly focused on why it took so long to ban the the Moscow-based company ‘s products in the first place.

The Pentagon declared in 2013 that it wouldn’t purchase anything from Kaspersky and shared its concerns with other federal agencies, the Department of Defense informed the science committee in November.

The General Services Administration dropped Kaspersky as an approved vendor for federal agencies in July. In September, the Department of Homeland Security issued a Binding Operational Directive, or BOD, mandating that Kaspersky products be removed from all civilian agencies’ systems, with that process beginning no later than mid-December.

Kaspersky tried to reverse that decision through a DHS appeals process, although the company announced last week that it is closing its office in Washington, D.C.

“[We] now know that officials in the previous administration knew about the risk of Kaspersky Lab and concerns were raised by multiple agencies,” Smith said. “Two questions that still need to be answered are how and why the previous administration approved the use of Kaspersky Lab software on government systems and why the known risk of Kaspersky software was not acted upon government-wide. The Committee will continue its investigation and oversight to get the answers to these questions.”

A former Obama administration security official, speaking on background, said, “My view is that they weren’t banned earlier because the intelligence community refused to provide unclassified information about why they were a threat, and [the General Services Administration] and others couldn’t take action without information.”

But, the source noted, “it was known and widely discussed that Kaspersky was a concern in both classified and unclassified circles and anyone with clearance wouldn’t have an excuse at all for using a Kaspersky product.”

As for the immediate efforts, Smith in a letter to the Department of Homeland Security last week sought detailed information on the process of identifying and removing the Kaspersky software from government systems.

DHS cybersecurity official Jeanette Manfra testified at a November science committee hearing that the government is on track for all agencies to meet the mid-December deadline.

“The committee wants to ensure that the BOD is fully and effectively implemented,” science committee spokesman Brandon VerVelde told InsideCybersecurity.com. “There’s also a lot that can be learned from each agency’s implementation of the BOD, including how they looked at their systems, what tools they used to remove the software and any challenges they encountered. Those lessons can inform future policy and provide insights into other entities looking at Kaspersky software on their systems, such as state and local governments.”

The oversight is generally supported by science panel Democrats, although they want the committee to look more broadly at Russian interference in the 2016 elections.

Science ranking member Eddie Bernice Johnson, D-Texas, and Rep. Don Beyer, D-Va., “have also both pointed out that the Committee and Chairman Smith have taken a very narrow approach to the cybersecurity concerns regarding Kaspersky Labs,” a source close to committee Democrats said.

But Smith’s focus is clear and more hearings on Kaspersky seem likely in the months ahead, including on why its products were installed and remained on government systems, who was responsible, and what it means for federal information technology acquisition in the future.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.