About 15 percent of U.S. government agencies have detected some trace of Russian company Kaspersky Lab's software on their systems in a review prompted by concerns the antivirus firm is vulnerable to Kremlin influence, a security official told Congress on Tuesday.
Jeanette Manfra, assistant secretary for cyber security at the Department of Homeland Security (DHS), said that 94 percent of agencies had responded to an order to survey their networks to identify any use of Kaspersky Lab products and to remove them.
Manfra told a U.S. House of Representatives panel the DHS did "not currently have conclusive evidence" that any networks had been breached because of their use of Kaspersky software.
The administration of President Donald Trump ordered civilian U.S. agencies in September to remove Kaspersky Lab from their networks. U.S. officials are concerned that the company's anti-virus software could be used by Russian intelligence agencies to spy on the U.S. government.
The decision represented a sharp response to what U.S. intelligence agencies have described as a national security threat posed by Russia in cyberspace, following an election year marred by allegations that Moscow weaponized the internet in an attempt to influence its outcome.
Kaspersky Lab has repeatedly denied that it has ties to any government and said it would not help a government with cyber espionage. Moscow has denied that it sought to interfere in the 2016 U.S. presidential election.
The September DHS order required civilian agencies to identify any use of Kaspersky Lab products within 30 days and to discontinue their use within 90 days.
Ninety-six of 102 federal agencies have reported to DHS on whether they have found Kaspersky Lab software on their networks, Manfra told the oversight subcommittee of the House Science, Space and Technology Committee.
DHS is working with the remaining six "very small" agencies to assess their networks, Manfra said. She did not name the agencies that detected Kaspersky Lab products or those that were still auditing their systems. The government was generally complying with the directive to remove the software, Manfra said.
Read more: Security Vendor Breaches: Fallout Justified
She told lawmakers it was possible the action against Kaspersky Lab could prompt litigation, but she did not elaborate. Asked if the company is considering suing the U.S. government, a spokeswoman for Kaspersky Lab said in a statement that the company "continues to consider all possible options."
Some lawmakers expressed agitation at why the U.S. government, having had suspicions about Kaspersky Lab for years, did not move more quickly to purge its software from networks.
Manfra said she became personally aware of concerns about the firm in 2014, and that while DHS promptly took steps to remove software, other agencies may have lagged in part because they did not have access to classified information.
The company's products generally appeared to land on U.S. government networks through larger technology purchases that included Kaspersky Lab products as pre-bundled software, making it more difficult to track, according to Manfra and other officials who were testifying on Tuesday.
Kaspersky Lab has said previously that its footprint in the U.S. federal government market was minimal.
To address suspicions, Kaspersky Lab said last month it would submit the source code of its software and future updates for inspection by independent parties.
Manfra said such a step, while welcomed, would "not be sufficient" to address concerns the U.S. government has about Kaspersky Lab.
Reporting by Dustin Volz; Editing by Bernadette Baum and Grant McCool
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.