A House subcommittee discussed placing greater pressure on federal agencies to take accountability for the software hosted on their networks and for their risk assessment of the cyber supply chain, as it focused on the recent ban of Russian software company Kaspersky Lab’s products from federal networks during a Wednesday hearing.
Following directives from the White House and Department of Homeland Security to remove Kaspersky’s anti-virus software from government systems, the House Committee on Science, Space & Technology’s oversight subcommittee held its first hearing to focus on the extent to which foreign cyber actors are able to infiltrate our networks with software capabilities.
“While once considered reputable, Kaspersky Lab, its founder and their Russian ties have created a significant risk to U.S. security,” said full committee Chairman Rep. Lamar Smith (R-Texas) in his opening remarks.
The subcommittee brought in witnesses from the General Services Administration (GSA) and the National Institute of Standards and Technology (NIST), as well as private sector cyber security experts, to discuss how Kaspersky was able to find a place on government networks and to what extent this software could aid malicious cyber attacks.
Kaspersky’s software allows the company to have complete network monitoring capabilities to see all activity on client networks, and then exploit this information with remote administration abilities, according to Sean Kanuck, a witness at the hearing and director of future conflict and cyber security at the International Institute for Strategic Studies.
“The mere fact alone that foreign intelligence agencies have sought access through this implies there is a risk,” said Kanuck, who compared Kaspersky to a “private global cyber intelligence network.”
The hearing comes after intelligence community officials expressed concern in the spring that Kaspersky could be compelled to cooperate with the Russian intelligence agency, the FSB, under the country’s telecommunication laws.
In July, Smith commenced his committee’s investigation into the matter, seeking information on all federal departments’ and agencies’ current or former use of Kaspersky software.
To begin combating potential supply chain risks associated with Kaspersky products, the GSA directed its resale vendors over the summer to remove Kaspersky products from its catalogues and has now eliminated any use of the anti-virus software from its schedule contracts, according to testimony from David Shive, the agency’s chief information officer.
“GSA took a proactive stance in completing comprehensive scanning of all IT assets for the presence of Kaspersky products in June 2017. GSA confirmed that there was no installation of the products in our on-premise and cloud-based systems and reported this to DHS in accordance with the binding operational directive,” said Shive.
In response to concerns from Oversight Subcommittee Chairman Rep. Darin LaHood (R-Ill.) regarding NIST’s Cyber Security Framework failing to prevent the use of a potentially malicious software product, Donna Dodson, chief Cyber Security Advisor for the agency, confirmed that NIST would be working with the federal government to establish improved supply chain guidelines.
A lack of priority for updating and modernizing federal networks led to the use of problematic software such as Kaspersky, according to testimony from James Norton, president of cyber advisory firm Play-Action Strategies.
Norton recommended that the subcommittee push DHS to provide federal CIOs with proper funding to invest in higher-quality cyber tools and to develop a trusted vendor list to secure the supply chain.
“What we’re seeing today is that it’s been years of really underfunded networks where we haven’t really had the capability or the staffing or the opportunity to really take an internal look at what is on the network outside the current clean-up that is happening,” said Norton. “We haven’t really taken this issue seriously. The executive branch is only just now taking a look at this in the last couple of years. That is obviously a big miss, and there’s been a lot of success in terms of foreign adversaries being able to infiltrate not only the DoD, DHS and other networks, but also civilian networks.”
The committee is seeking to hold further hearings to determine the potential role Kaspersky offered the Russian government in its alleged malicious cyber activities and disinformation campaigns.
“Cyber security is no longer simply about defending our data from theft. It is also about defending our democracy from disinformation campaigns that combine cyber assaults with influence operations. Since the 2016 election, it has been well-established that Russia has spread falsehoods and disinformation, seeking to sow divisions between us and confusion among us,” said Rep. Don Beyer (D-Va.) during the hearing. “This is not, and should not be, a partisan issue – together we should be striving to defend our democracy against those who seek to damage it.”