The Trump administration’s order barring certain Russian software from government networks doesn’t fully cover one troubling vulnerability — the teeming ranks of government contractors.
That omission could leave open gateways for hackers looking to pilfer government secrets, cybersecurity specialists warn, something that has reportedly happened in recent years with contractors from the CIA and the NSA. But legal experts say the government has only limited ability to require contractors to uproot Kaspersky Lab’s products from their computers.
“It’s a huge area of risk, especially with some of the recent breaches at the NSA and the CIA where it was clear that these contractors were the source of it,” said Trevor Rudolph, the former head of an OMB team that helps agencies improve their cyber defenses.
Matt Keller, who advises government clients on digital security programs as a vice president at GuidePoint, dubbed the issue a “moderate to high risk” for federal agencies.
It’s impossible to quantify the risk exactly, but hundreds of thousands of federal contractors hold top secret clearances.
DHS in September banned government agencies from using Moscow-based Kaspersky Lab’s products, following more than a decade of suspicions about the company’s ties to the Kremlin and more recent accusations that its software was helping Russia steal U.S. secrets. But that ban does not cover networks that contractors operate for their own purposes, even though their employees may use them to share and discuss sensitive U.S. government work.
“It’s a clear area of risk. It’s something that I find very, very worrisome” — Trevor Rudolph, cyber policy fellow at New America
The reason, said government contractors and former federal officials, is that DHS can’t legally dictate every detail of how private companies run their networks.
But the result, they fear, could be dangerous. Contractors, the conduits for several high-profile thefts of classified information in recent years, will be the ones least protected from an alleged Kremlin campaign to steal secret government files by piggy-backing on Kaspersky software.
Kaspersky, whose founder is a former Russian intelligence officer, has spent years fending off allegations that its products help facilitate Russian spying operations, either through willing cooperation or Kremlin snooping on Kaspersky data that flows into Russia.
But after U.S. intelligence officials accused Russia of orchestrating a massive digital campaign to sow discontent during the 2016 U.S. elections, the government faced growing pressure to stop using Kaspersky software.
The Trump administration responded in mid-July, removing Kaspersky from its list of pre-approved technology products. Then, in September, DHS outright bannedagencies from using Kaspersky tools, giving them three months to replace the software. Explaining its decision, the agency cited “the risk that the Russian government … could capitalize on access provided by Kaspersky products to compromise federal information and information systems.”
Most of the concrete facts about the Kaspersky saga have been hidden from public view, but details began to emerge after the DHS order, including in a series of damning news reports last month. On Nov. 15, the Pentagon told the House Science Committee that it had known Kaspersky was a counterintelligence threat since 2004.
The DHS order applies to “federal information systems,” which essentially means networks that either the government operates, or that a contractor is operating on behalf of the government. It does not, however, mean computer systems that contractors are using in their own offices for everyday business.
Contractors have become a pressing counterintelligence concern in recent years, beginning with former Booz Allen Hamilton employee Edward Snowden’s theft of a massive trove of surveillance documents in 2013. A second NSA contractor, Reality Winner, was charged this year with stealing and leaking a top-secret agency report on Russia’s attempts to hack local election officials.
A third contractor, Harold Martin, was indicted early this year on charges that he took home thousands of classified documents, both physical and digital. His lawyers said Martin simply wanted to continue his work from home. But his actions may have also exposed those files to hackers.
According to news reports, investigators spent months examining whether Martin was the unwitting source of a massive digital theft by a mysterious hacker group called the Shadow Brokers, which has been dumping the NSA’s hacking tools online.
Fears of Kaspersky-enabled spying on contractors’ personal computers also stem in part from reports that the Russian government had pilfered classified NSA hacking code from the personal laptop of an agency employee. Like Martin, the employee brought home secret material to continue working on it, and people familiar with the incident told The Washington Post that Kremlin spies discovered the high-value files by monitoring Kaspersky’s software, which flagged the NSA code on the employee’s computer as a potentially malicious file.
Kaspersky has countered that the Russians could have nabbed the hacking code via malware planted on the contractor’s laptop by a pirated version of Microsoft Office. The company also vehemently denies that it shares information with the Kremlin, or that Russian cyber spies have infiltrated the company’s networks.
Despite these chilling security breaches, contractors remain integral to the country’s national security work. At the end of 2015, more than 860,000 private contractors held government security clearances, nearly half of them at the top-secret level. Many of these people work side-by-side with government staff.
But once these contractors log off of government networks, cyber experts said, there is little the government can do to police what software is protecting the company’s private system.
Several government contractors told POLITICO that it’s exceedingly likely that Kaspersky code is helping defend some of these private networks. The popular Moscow-based cyber firm is a giant in the digital security industry, with more than 400 million customers worldwide and 270,000-plus corporate clients.
Rudolph, the former OMB cyber official, said DHS cannot use a directive to federal agencies to also “dictate what a private entity can and cannot do … especially down to the software level of an anti-malware product.” Nor, he said, would such language make its way into government contracts. “I don’t think they have firm legal standing to do that.”
While the government has used its authority to force other types of changes in the contracting community — such as banning discrimination against LGBT workers — imposing a specific Kaspersky ban through existing contracts “could face legal challenges,” said Stewart Baker, a former top official at DHS and the NSA. Several others who work in this area agreed with Baker’s assessment.
The General Services Administration, which oversees government-wide technology contracts, declined to comment when POLITICO asked if contract law forbids such provisions.
Agencies may be able to individually push contractors to ditch Kaspersky by arguing that their systems fit the scope of the ban. A DHS official told POLITICO that “each department and agency is responsible for determining whether a given information system, including one used or operated by a contractor, meets” the terms of the directive. But it’s unclear if this would work.
“This is definitely an area that needs some work … but it’s really, really, really hard” — Andrew Grotto, a former top staffer on the National Security Council’s cyber team
It is also likely, experts said, that some agencies have specifically relinquished the authority to dictate software choices in their contracts, preventing them from implementing a total Kaspersky contractor ban.
Federal regulations do require contractors to take some measures to protect data on their own system if it handles any government data. But companies may not know when and how contractors are using government data on their personal computers.
“It’s a clear area of risk,” said Rudolph, who is now a cyber policy fellow at New America. “It’s something that I find very, very worrisome.”
Possible short-term solutions could include legislation clarifying the government’s authority to impose software restrictions on contractors. But those kinds of steps are highly unlikely, and they are not necessarily a good idea, experts agreed.
For one thing, opening the floodgates on changes to the arcane federal acquisition rules would be akin to the current struggle to reform the tax code.
“It just becomes kind of a feeding frenzy,” said Andrew Grotto, a former top staffer on the National Security Council’s cyber team.
New government powers to dictate private companies’ practices might also discourage them from seeking federal contracts, he added.
The more likely path, contractors and former officials said, is that the contracting community will gradually follow in the government’s path and take into account the government’s warnings about cyber threats.
Grotto said he had already seen contractors work to comply “with the spirit of the [ban] even if they don’t have to do it legally.”
Still, he added: “This is definitely an area that needs some work … but it’s really, really, really hard.”
Tim Starks and Cory Bennett contributed to this report.