This week’s efforts on Capitol Hill to ban the U.S. military from using software made by a Moscow-based company under FBI investigation received bipartisan support from top senators.
But those efforts would have an impact far beyond the Defense Department, according to congressional sources and others told of the proposal’s details.
“That’s the intent,” one congressional source said.
U.S. lawmakers have grown increasingly concerned about what one senator called “alarming” ties between the Russian government and the software company, Kaspersky Lab, whose products are embedded in countless American homes, businesses and government systems.
There is now “a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure,” Jeanne Shaheen, a New Hampshire Democrat and key member of the Senate Armed Services Committee, said in a statement Thursday after introducing an amendment to a Pentagon spending bill.
Kaspersky Lab has dismissed such concerns as “unfounded conspiracy theories,” insisting it poses no threat to customers and has no “bad” ties with the Russian government.
Nevertheless, as the Senate committee’s “executive summary” described it, Shaheen’s amendment “prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab.”
An ABC News investigation earlier this year found that — largely through outside vendors — Kaspersky Lab software has been procured by some segments of the Defense Department.
Details of Shaheen’s amendment have not yet been released publicly, but ABC News was able to review a draft copy of the amendment.
No “element of the Department of Defense may use, whether directly or through work with or on behalf of another … [element] of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership,” the amendment’s preliminary language states.
It continues, “The Secretary of Defense shall ensure that any network connection between … the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed.”
Shaheen crafted that language “to [tell] the rest of the federal government that if you’re going to connect to DOD, you can’t use this stuff either,” one congressional source said. “That was absolutely the intent.”
It’s “a big move” with potential for a “giant, giant impact” on federal agencies outside the Defense Department, according to Richard Ledgett, who until two months ago was deputy director of the National Security Agency.
For example, the Justice Department, State Department and Department of Homeland Security are connected to Defense Department networks because they are all part of the U.S. intelligence community. The way the amendment is currently drafted would then force all four departments to look at whether — and where — their own systems may be using Kaspersky Lab products, according to Ledgett and the congressional source.
If the current language becomes law, “that would influence a lot of people that the secretary of defense does not have under his control,” said Ledgett, now an ABC News contributor.
The Defense Department would have until October of next year to fully implement it, according to the draft version of the amendment.
In the “executive summary” of the Senate spending bill, the chairman of the Senate Armed Services Committee, Sen. John McCain, R-Ariz., said his committee “believes the United States must do more to deter Russian aggression, whether across its borders or in cyberspace.”
While senators have been concerned about Kaspersky Lab for some time, Shaheen announced her proposed amendment one day after sources said the FBI had interviewed about a dozen U.S.-based employees of the company.
As ABC News reported more than a month ago, the FBI launched a counterintelligence investigation of Kaspersky Lab several years ago, and the agency has recently been taking new steps to assess Kaspersky Lab’s relationship with Russian intelligence services.
On Tuesday, FBI agents approached employees at their homes outside Washington, D.C., and Boston, where Kaspersky Lab’s U.S. subsidiary is based, sources told ABC News.
U.S. officials worry that state-sponsored hackers could try to exploit Kaspersky Lab’s anti-virus software to steal and manipulate users’ files, read private emails or attack critical infrastructure in the United States — and they point to Kaspersky Lab executives with previous ties to Russian intelligence and military agencies as reason for concern.
In February, the Department of Homeland Security issued a secret report on the matter to other government agencies. And two months ago, the Senate Intelligence Committee sent a secret memorandum to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, demanding that they address “this important national security issue.”
The issue was brought into public view in recent months by members of the Senate, who began asking questions about Kaspersky Lab during open hearings on worldwide threats.
Just two weeks ago, a member of the Senate Intelligence Committee, Sen. Tom Cotton, R-Ark., proposed legislation that would impose substantial sanctions on Kaspersky Lab and its employees, including freezing its business inside the United States and blocking Kaspersky Lab’s foreign employees from even entering the country. That proposal didn’t move forward.
Kaspersky Lab has repeatedly insisted it poses no threat to U.S. customers and would never allow itself to be used as a tool of the Russian government.
“As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” Kaspersky Lab said in a statement. “The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations.”
“Kaspersky Lab is available to assist all concerned government organizations with any ongoing investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded,” the statement added.
In fact, the FBI and other agencies in the U.S. intelligence community have yet to publicly present any evidence connecting company executives with Russian security services.
“For 20 years, Kaspersky Lab has been focused on protecting people and organizations from cyberthreats, and its headquarters’ location doesn’t change that mission,” Kaspersky Lab said in its statement. “[J]ust as a U.S.-based cybersecurity company doesn’t allow access or send any sensitive data from its products to the U.S. government, Kaspersky Lab products also do not allow any access or provide any private data to any country’s government.”
In an interview with ABC News, Kaspersky Lab CEO Eugene Kaspersky said, “My response if I’m asked to spy on anyone coming from any state, any government — not only Russian — will be definite ‘no.’”