Only six out of 102 federal agencies failed to meet the first deadline in the Department of Homeland Security’s (DHS) directive to identify and uninstall all Kaspersky Lab software, a House Science, Space and Technology subcommittee heard Tuesday.
“A small number of very small agencies” are receiving DHS help to complete the first stage of the directive, testified Jeanette Manfra, assistant secretary for cybersecurity and communications at DHS’s National Protection and Programs Directorate.
{mosads}
The oversight subcommittee held its second hearing on Kaspersky Lab software as part of an announced series on the firm.
DHS directed federal agencies to cease using Kaspersky anti-virus and other programs on Sept. 13. A number of media reports claim that Russian intelligence agencies took advantage of the anti-virus’s scanning system to search for classified files on U.S. systems.
Manfra acknowledged that for years before issuing the directive, DHS had tried to curtail federal and critical infrastructure use of Kaspersky Lab software through classified briefings.
She said she had been aware of the Kaspersky issue since at least 2014, but the department had tried to use behind-the-scenes methods to limit Kaspersky installations rather than operate in a way visible to the public.
The first deadline gave agencies 60 days to identify all Kaspersky software on systems and develop a plan to remove it.
Manfra said that all agencies had attempted to comply with the DHS directive, but that six small agencies without the resources to hunt for Kaspersky software were unable to complete the task on their own. The DHS, she said, was currently helping those agencies move forward.
She also said around 15 percent of government systems had Kaspersky products installed.
Usually, she said, this was because the software was pre-installed on a government-purchased system.
Kaspersky has denied any willful involvement with espionage operations.
Rep. Eddie Bernice Johnson (D-Texas) said during the hearing that should not impact security decisions.
“Whether or not the company is aware of the threats is irrelevant” to security concerns, she said.
Democrats on the subcommittee seemed largely interested in expanding the Kaspersky investigation into a broader investigation of Russia.
“We’re missing the forest for the trees,” said Rep. Don Beyer (D-Va.), who later added, “Kaspersky Lab products are not the biggest security risk from Russia.”