Why Are Local Governments Using a Russian Software the Feds Won't?

The reasons spotlight cities' funding and workforce struggles that cybersecurity experts have warned about for years.

Eugene Kaspersky, Russian antivirus programs developer and chief executive of Russia's Kaspersky Lab, watches through a window decorated with programming code's symbols at his company's headquarters in Moscow, Russia, Saturday, July 1, 2017. Kaspersky says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin.
(AP Photo/Pavel Golovkin)
The Washington Post revealed this week that several local governments across the U.S. are using a Russian brand of security software that the federal government fears could be leveraged by the foreign country for cyberespionage.

Earlier this month, the federal government removed Kaspersky Lab, a Moscow-based company that sells anti-virus security software, from its list of approved vendors. Meanwhile, nearly all the local governments interviewed by the Post appeared unaware of the controversy. Upon learning about it, most said that they had no immediate plans to stop using the product.

The news is merely the latest development in an ongoing debate about whether local governments are doing enough to protect themselves from cyber threats.

Cybersecurity experts have long been sounding the alarm about local governments’ vulnerability to cyberattacks and the impact such an intrusion could have. They say most local governments face great barriers to protecting their data and systems, including lack of funding, shortage of cybersecurity professionals and general ignorance about the seriousness of the threat.

“AT&T is not the communication center I care about. 911 is the communication center I care about. [Cyber actors] have the ability to create actual terror in the United States," says Michael Hamilton, the former CISO of Seattle and current founder and president of the managed detection and response firm Critical Informatics, Inc. 

However, Hamilton believes it’s premature for local governments to pull out of contracts with Kaspersky Lab, given that there have been no specific vulnerabilities identified and no evidence of malicious intent released to the public. “It’s got to be demonstrated somewhere that this threat is real" before local governments spend money to replace the software, he says.

"It’s expensive [to switch vendors]. When I was in Seattle, I fired McAfee [the security software company] and it was a huge investment. They’re not going to make that investment unless they have to,” says Hamilton.

John Morrisson, systems manager for the Connecticut Division of Public Defender Services, largely agrees. He says his agency likely won't stop using the software unless the feds bar state and local governments from contracting with Kaspersky.

“I don’t want to base it on cost, but we do have a three-year contract with Kaspersky," he says. Still, he clarified, “obviously, if there was a problem, cost would not be an issue."

In Portland, Ore., another city identified in the Post story, a spokesperson told Governing in an email that the city is investigating the feasibility of disabling its Kaspersky products, which one of the city's vendors is currently using to scan for malicious emails. Portland likely wouldn't take a serious financial hit, however, since it doesn't have a direct contract with Kaspersky itself.

For its part, Kaspersky Lab -- which was founded in 1997 by a former employee of Russian military intelligence agencies -- denies the allegations by the U.S. government. Controversy, however, has been following the company since at least 2015: According to the Post, law enforcement urged congressional staff that year not to meet with Kaspersky officials about national security matters. In addition, Michael Flynn resigned as President Trump's national security adviser this year in part because he failed to disclose the money Kaspersky paid him to speak at one of its cybersecurity conferences.

Beyond the Kaspersky controversy, Hamilton says local and state governments are in a deep rut concerning cybersecurity. He warns about the effects of “cultural inertia,” which he says encourages government workers to continue doing things the same way they always have.

“It’s like, ‘We fix potholes and put cops on the street -- we don’t hire cyber people,'” he says of the mentality of officials at the local level.

"Cyber people" are in fact the other big obstacle for local governments trying to protect themselves from cyberattacks: There simply aren’t enough of them working in the public sector. A 2015 survey from the National Association of Chief Information Officers found that 86 percent of IT chief respondents said they struggled to fill vacant IT positions.

Hamilton suggests creative solutions to help fill those gaps, such as internships or apprenticeships that might offer lower pay than private-sector jobs but help people gain experience early in their career.

But at some point, Hamilton says the federal government will have to “bust out the purse and help [state and local governments] with [cybersecurity] funding."

Earlier this year, bipartisan lawmakers in the U.S. House of Representatives introduced a bill that would create a grant program for state, local and tribal governments to protect themselves against cyberthreats. This kind of funding would likely be welcome, especially with the news that Russia targeted election systems in 21 states last year.

The bill, however, has yet to go anywhere.

The other cities identified by the Post as using the program are Fayetteville, Ga.; San Marcos, Texas; and Picayune, Miss., which is scheduled to install it in public schools soon.

Natalie previously covered immigrant communities and environmental justice as a bilingual reporter at CityLab and CityLab Latino. She hails from the Los Angeles area and graduated from UCLA with a B.A. in English literature.