Why the US Government Shouldn’t Ban Kaspersky Security Software

Earlier this summer the House Science Committee sent letters to 22 US government agencies requesting information on their use of Kaspersky Lab security products.

As the federal government continues to investigate claims of ties between the Trump administration and Russia, officials in Washington have expressed concern that the government’s use of software from Kaspersky Lab—a well-known security vendor based in Russia—could compromise domestic intelligence. This request represents the most recent action in an aggressive campaign by Congress to review the possible security implications of using Kaspersky software for government infrastructure.

Already, the General Services Administration (GSA) has ordered the removal of Kaspersky software platforms from its catalogues of approved vendors. Meanwhile, the Senate is considering a draft bill of the 2018 National Defense Acquisition Authorization (known as the NDAA, which specifies the size of and uses for the fiscal year 2018 US Defense Department budget) that would bar the use of Kaspersky products in the military. While Congress certainly has a responsibility to maintain the security of government systems, such a blanket ban contributes to a growing protectionist trend in government technology procurement and threatens innovation.

Procurement choices have implications far beyond lost contracts. The move to strip out Kaspersky products from government systems is likely to have a chilling effect on government contractors and consumers. As the GSA evaluates the practices of contractors and suppliers in the government supply chain, use of Kaspersky products may prove to be a penalizing, if not disqualifying, factor for companies during the proposal evaluation process. The House Science Committee letters specifically request the names of any US government contractors or subcontractors that use Kaspersky products.

While the NDAA only targets software, Kaspersky technology is also integrated into the hardware and software products of companies like Juniper and Microsoft. It’s not clear whether the NDAA ban would bar use of products that incorporate Kaspersky technology. If it does, other tech companies might move away from partnerships with the company, which would be a blow to its business in the US.
