Preliminary findings of a mandatory review of federal computer networks for the presence of a Russian-made anti-virus software that may actually pose an information security risk show that the products are on computer systems of about 15 percent of civilian agencies, a Department of Homeland Security (DHS) official disclosed on Nov. 14.

So far, 94 percent of agencies required to report on the presence of Kaspersky Lab’s products on their information systems have complied with a Binding Operational Directive (BOD) issued by DHS on Sept. 13, Jeanette Manfra, assistant secretary for Cybersecurity and Communications at DHS, told the House Committee on Science, Space, and Technology Oversight Subcommittee. The agencies that haven’t reported within the mandated 30 days are “very small” and DHS is assisting them in their review because they lack the resources to do so, she said in response to questions from Rep. Darin LaHood (R-Ill.), chairman of the panel.

Later on Nov. 14, a DHS official told sister publication Defense Daily that the percentage of agencies that identified Kaspersky products on their networks when the BOD was issued was 13 percent.

Manfra said that part of the ongoing review includes an audit of the location of Kaspersky products on agencies’ information systems and what “information may have transited those systems and whether there was any cause for concern. For the most part, we have not identified any yet but we are still working with agencies.”

Manfra said that 102 agencies and departments are required to review their information systems per the September directive. That would mean about 15 agencies have discovered Kaspersky products on their computers and networks.

In the U.S., Kaspersky sells anti-virus and internet protection tools for computers and Android-based tablets and smartphones. The company also provides endpoint and cloud security solutions for small and medium-size businesses and larger enterprises.

When the BOD was issued, DHS said that “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Responding to questions from Rep. Bill Posey (R-Fla.) to identify the six agencies that haven’t been able to comply yet with the order to identify whether Kaspersky products are on their information systems, Manfra said she didn’t want to share the answer publicly. She said this was due in part to preventing bad actors knowing which agencies have the software and to maintain the trust DHS has with these agencies.

 Manfra said that the review has shown that in most cases where Kaspersky products have been discovered on federal information systems the software was bundled as part of a larger purchase. This means the buyers “weren’t necessarily aware they were explicitly purchasing that.”

Only a “very low percentage of purchases” of Kaspersky products were made directly, she said.

The hearing was the second the subcommittee has held within the past three weeks aimed at gaining a greater understanding of the presence of the Kaspersky products on federal networks. Rep. Lamar Smith (R-Texas), chairman of the full committee, said at the first hearing in October and again on Nov. 14 that the Kaspersky software gives Russia’s government hackers “unlimited access to data stored on computers with Kaspersky products,” adding that the Russian company has 400 million users of its products worldwide.

Information technology officials with the Defense Department and NASA also testified on Nov. 14. Essye Miller, the deputy chief information officer for Cybersecurity at DoD, said the department doesn’t use Kaspersky’s products. Anti-virus software for DoD devices and personal home computer use is licensed from McAfee and Symantec [SYMC].

Miller noted that while the DHS directive doesn’t apply to DoD her department is working toward the “intent” of the order. Even before the directive was issued, on Aug. 3 the Joint Force Headquarters-DoD Information Network issued a task order related to the potential use of Kaspersky products in the department’s information systems.

“Within the bounds of the BOD’s requirements, we conducted a search of DoD’s systems and confirmed that we did not have the listed Kaspersky products on any of our systems,” she said in her prepared testimony.

There are supply chain risks, Miller noted, adding that in 2012 DoD issued instructions aimed at managing cyber security risks throughout its supply chain.

Renee Wynn, NASA’s chief information officer, told the panel that Kaspersky’s software isn’t part of the agency’s enterprise anti-virus protection. NASA uses Symantec’s endpoint protection products, she said.

However, Wynn disclosed that between the start of 2013 and mid-August of 2017 NASA’s Office of the Chief Information Officer did find “a small number” of computers and mobile devices with Kaspersky’s software and were authorized to connect to the agency’s network.

In these instances, it was likely that the Kaspersky software was bundled into larger hardware purchases, Wynn said.

Since the DHS directive went out, NASA hasn’t found any new deployments of Kaspersky’s technology, she said.

When the BOD was sent out in September, DHS gave Kaspersky until Nov. 3 to respond to the department’s concerns about the company’s products. Manfra said that the deadline was extended until Nov. 10. The response has been delivered and is being reviewed by DHS lawyers, she said, adding that she hasn’t reviewed it.

Once Manfra does review Kaspersky’s response, Manfra said her office will “make a determination” for Acting DHS Secretary Elaine Duke to make a decision.

Concerns about Kaspersky’s ties to Russian government officials, including intelligence officials, have floated for years. The New York Times reported in early October that Russian hackers were able to gather intelligence about the U.S. National Security Agency’s cyber security capabilities from the home computer of an agency official who took classified material home and used it on his personal computer, which was outfitted with Kaspersky software. The article says U.S. investigators believe the Russian hackers were able to exploit the Kaspersky software to hack the NSA employee’s home computer.

Kaspersky maintains that it doesn’t have links to Russian intelligence. On Oct. 23, the company launched a Global Transparency Initiative to validate the trustworthiness of its products.

Manfra said that a review of Kaspersky’s source code “would not be sufficient in my opinion” to gain the company’s trust.