Full Report
The Australian government followed the U.S., Canada, and the United Kingdom in taking action against the Russian cybersecurity giant. © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Regulation/Compliance: Australian Government Ban on Kaspersky Software
## Overview
This regulatory action involves a directive issued by the Australian Department of Home Affairs banning the installation and use of Kaspersky Lab products and web services on official government systems and devices due to the software posing an "unacceptable security risk." The rationale centers on threats of foreign interference, espionage, and sabotage.
## Key Details
- Issuing Authority: Australia’s Department of Home Affairs (specifically referencing the Protective Security Policy Framework - PSPF).
- Effective Date: The directive was issued "last week" (prior to Feb 24, 2025).
- Jurisdiction: Australian Federal Government agencies and their associated systems/devices.
- Status: In Effect (Directive issued).
## Requirements
### Mandatory Requirements
1. **Prohibition of Installation:** Government agencies are prohibited from installing Kaspersky products or web services on official systems and devices.
2. **Removal Obligation:** All existing instances of Kaspersky software must be removed from government systems and devices.
### Recommended Practices
1. **Vendor Replacement:** Agencies should switch to a different, vetted anti-malware provider that does not present similar risks (implied by the US action mentioned in the text).
2. **Security Review:** Agencies should conduct comprehensive threat and risk analyses regarding other foreign-sourced software potentially posing similar risks.
## Affected Organizations
- Industries: Australian Federal Government departments and agencies.
- Organization Size: Applies to all entities that use government IT assets and are required to comply with the Protective Security Policy Framework (PSPF).
- Geographic Scope: Australia (specifically the Federal Government apparatus).
## Compliance Timeline
- **Directive Issued:** Prior to February 24, 2025 ("last week").
- **April 1:** Full compliance required; all Kaspersky software must be removed from government systems and devices.
## Implementation Guidance
### Assessment Phase
- Audit all government systems and devices to identify any current installations of Kaspersky products or use of Kaspersky web services.
### Implementation Phase
- Develop and execute a phased plan for uninstalling Kaspersky software across all identified assets.
- Source, procure, and deploy approved alternative cybersecurity solutions to replace the banned software before the final deadline.
### Validation Phase
- Conduct post-implementation scans and audits to confirm the complete eradication of Kaspersky software from the network and endpoints.
- Document the transition process and evidence of compliance with the Department of Home Affairs.
## Technical Requirements
- Complete removal of all Kaspersky applications.
- Verified replacement with alternative security software deemed acceptable by relevant governmental security authorities.
## Penalties & Enforcement
- Fines: Not explicitly detailed, but non-compliance with a PSPF directive typically results in findings during audits.
- Other Consequences: Potential disciplinary action against agency leadership; classification as non-compliant with mandated security standards.
- Enforcement: The directive was issued by the Department of Home Affairs, suggesting enforcement oversight via mandatory security compliance reviews under the PSPF.
## Related Standards
- **Protective Security Policy Framework (PSPF):** This is the underlying framework under which the directive was enforced.
- **Alignment:** The ban is an application of the PSPF's principles regarding identifying and mitigating unacceptable security risks, particularly those related to foreign interference, espionage, and sabotage. This aligns with international efforts by Five Eyes partners.
## Resources
- Official Documentation: PSPF Directive Update - Kaspersky Lab Inc. Products and Web Services (URL provided in text: `https://www.protectivesecurity.gov.au/news/pspf-direction-update-kaspersky-lab-inc-products-and-web-services`)
- Guidance Documents: The specific mandatory security direction document itself (`PSPF-Direction-002-2025.pdf` linked in the article).
- Tools: Standard IT asset management and endpoint detection/response tools for identification and removal.
## Practical Recommendations
1. **Immediate Triage:** Agencies must immediately cease procuring new Kaspersky licenses or expanding current usage.
2. **Prioritize Removal:** Focus on removing the software from the most sensitive systems first, while ensuring the blanket removal deadline of April 1st is met for all systems.
3. **International Context:** Recognize this action aligns with security mandates in the US, UK, and Canada, guiding the selection of replacement vendors toward partners sharing security assurances with allied nations.