Avoid use of Kaspersky software

The information below was sent to the IT Security and Frontline Notify (FLN) groups via email on October 9, 2017.

In light of recent reports that classified National Security Agency (NSA) documents were stolen by exploiting Kaspersky Lab anti-virus software, Information Assurance (IA) is recommending that you remove any AO Kaspersky Lab products you may have on your computers.

The U.S. Department of Homeland Security has ordered federal agencies to identify and plan to remove products from the Russian cybersecurity firm AO Kaspersky Lab running on government computers. The directive gives federal executive branch departments and agencies 30 days to identify Kaspersky-branded products on their systems and 90 days to provide plans for discontinuing their use. We have heard that faculty researchers at some of our peer institutions have received letters from NASA asking them to ensure removal of Kaspersky products from any systems that interface with NASA.

The NSA leak resulted from a contractor's transfer of data to a home computer with Kaspersky anti-virus software installed. Transferring the classified data to the personally owned computer was a violation of government policy regarding the handling of classified data.

Members of the university community are expected to abide by Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33). Information about individual and unit responsibilities associated with that policy is available on Safe Computing.

Some security professionals have questioned whether the vulnerability in Kaspersky software was intentional or an inadvertent bug. Regardless, given the Department of Homeland Security directive, we recommend that you remove any Kaspersky Lab products you may be using from your devices and replace them.

Tip: Use the anti-virus software recommended by IA. IA recommends free software for use on personal computers and university-provided software for university-owned computers.