The legislation comes three months after a federal directive advised civilian agencies to remove Kaspersky Lab within 90 days and nearly six months after the federal government revoked Kaspersky Lab from its list of approved vendors.
Neither last week’s bill nor the September directive apply to state and local governments, several of which were still using Kaspersky software in July. The Washington Post revealed that month that Portland, Ore.; Fayetteville, Ga.; San Marcos, Texas; Picayune, Miss.; and the Connecticut Division of Public Defender Services were all using the software despite federal concerns about cyberespionage.
Now, most of those governments have officially moved away from Kaspersky software or have plans to do so in the near future.
In emails to Governing, officials from Fayetteville and Portland both reported that their cities switched from Kaspersky months ago, shortly after the controversy arose.
John Morrisson, systems manager for the Connecticut Division of Public Defender Services, says that the division is in the process of moving away from Kaspersky and should be completely transitioned by Jan. 1. In July, Morrisson told Governing that his agency probably wouldn’t stop using the software unless it was directly banned from doing so by the federal government. But the controversy propelled the agency to act.
“We just didn’t want the attention in a negative way,” Morrisson says. “Public Defender Services is in the business of helping, and we didn’t want this backlash from using Kaspersky software to take away from our very important job.”
San Marcos did not respond to Governing's requests for comment, and officials in Picayune said the only person who has knowledge of whether the city is using Kaspersky software is out until January.
Controversy has surrounded Kaspersky Lab for years: As early as 2015, law enforcement urged congressional staff not to meet with Kaspersky officials about national security matters. Michael Flynn, Trump's former national security adviser and a current subject of Robert Mueller’s probe into Russian interference in the 2016 election, received payments from Kaspersky to speak at one of its cybersecurity conferences. The founder of Kaspersky, Eugene Kaspersky, is a former employee of Russian military intelligence agencies.
Kaspersky Lab has denied any connections with the Kremlin and said in a statement last week that it disapproves of the new law “due to its geographic-specific approach to cybersecurity.” On Monday, it filed a lawsuit against the Trump administration.
Not all cybersecurity experts believe it’s necessary for state and local governments to follow the federal government's lead.
Michael Hamilton, a former chief information security officer of Seattle and founder of managed detection and response firm Critical Informatics, Inc., told Governing in July that “it’s got to be demonstrated somewhere that the threat is real” before local governments expend the large amount of resources required to switch vendors.
Hamilton still feels that way even after last week’s legislation.
“This has to be a risk-based decision. It’s very expensive [to switch vendors]. It’s a big procurement effort,” Hamilton says. “If someone could point to a situation and say, ‘hey, Kaspersky stole this information from us,’ that’s worth looking at. But there’s nothing like that. Local governments do not have federal secrets of importance to the Russians.”
Hamilton says he is much more concerned with cyberthreats to critical infrastructure like water, gas and electricity. In 2016, for example, the U.S government indicted an Iranian hacker who allegedly got access to the computer control system of the Bowman Avenue Dam in New York.
“Local governments manage traffic; they manage stormwater; they conduct emergency management. The impact of a disruption there is loss of life,” Hamilton says.
To deal with these threats, Hamilton says, local governments must invest in detecting and eradicating problems quickly. Officials should not think in terms of whether a locality will get hacked but when. Right now, it takes an average of 200 days for local governments to realize their systems have been infected.
“After 200 days,” Hamilton says, “someone has handed your ass to you.”