About 15 percent of U.S. government agencies have detected Kaspersky Lab's software on their systems in a review prompted by concerns that the Russian antivirus firm is vulnerable to Kremlin influence, a security official has told Congress.
Jeanette Manfra, assistant secretary for cybersecurity at the Department of Homeland Security, testified on November 14 that 94 percent of agencies responded to an order to survey their networks to identify any use of Kaspersky products and to remove them.
Manfra said her department did "not currently have conclusive evidence" that any networks had been breached because of their use of Kaspersky software.
The administration of President Donald Trump ordered civilian U.S. agencies in September to remove Kaspersky software from their networks. U.S. officials are concerned that the company's antivirus software could be used by Russian intelligence agencies to spy on the U.S. government.
The decision was a sharp response to what U.S. intelligence agencies have described as a national security threat posed by Russia in cyberspace, including allegations that Moscow attempted to influence last year's U.S. presidential election through cyberattacks and leaks.
Kaspersky has repeatedly denied that it has ties to any government, and said it would not help a government with cyberespionage. Moscow has denied any interference in the 2016 U.S. presidential election.
The chief executive of the software company, Yevgenny Kaspersky, is a mathematical engineer who attended a KGB-sponsored school and once worked for the Russian Defense Ministry.
His critics say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin.
Trump's September order required civilian agencies to identify any use of Kaspersky products within 30 days and to discontinue their use within 90 days.
Ninety-six of 102 federal agencies have reported on whether they found Kaspersky software on their networks, Manfra told the oversight subcommittee of the House of Representatives Science, Space, and Technology Committee.
The department is working with the remaining six "very small" agencies to assess their networks, she said.
The government was generally complying with the directive to remove the software, she said.
Manfra told lawmakers it is possible the move against Kaspersky could prompt litigation.
Asked if the company was considering suing the U.S. government, a spokeswoman for Kaspersky said the company "continues to consider all possible options."
The U.S. government's order to purge all computers of Kaspersky products gave the company an opportunity to respond and mitigate concerns about possible Kremlin influence.
Kaspersky provided a "significant" response under a deadline of November 10, Manfra said, adding that the response was still being reviewed by department lawyers.
Some lawmakers expressed agitation at why the U.S. government, having had suspicions about Kaspersky Lab for years, did not move more quickly to purge its software from networks.
Manfra said she became personally aware of concerns about the firm in 2014, and that while her agency promptly took steps to remove software, other agencies may have lagged because they did not have access to classified information.
The company's products generally appeared to land on U.S. government networks through larger technology purchases that included Kaspersky in prebundled software, Manfra said.
Kaspersky has said previously that its footprint in the U.S. federal government market was small.
To address suspicions, Kaspersky said last month it would submit the source code of its software and future updates for inspection by independent parties.
Manfra said such a step, while welcome, would "not be sufficient" to address concerns the U.S. government has about Kaspersky.