Full Report
Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing national security concerns. "After considering threat and risk analysis, I have determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data,
Analysis Summary
# Regulation/Compliance: Australian Ban on Kaspersky Software
## Overview
This regulation constitutes a directive by the Australian Government, specifically the Department of Home Affairs, banning the installation and use of security software products and web services from Kaspersky Lab, Inc. on Australian Government systems due to unacceptable national security risks, including foreign interference, espionage, and sabotage, and data extraterritoriality concerns.
## Key Details
- Issuing Authority: Department of Home Affairs (Secretary Stephanie Foster PSM)
- Effective Date: The ban direction (Direction 002-2025) is in effect, with mandatory removal required by April 1, 2025.
- Jurisdiction: Australian Federal Government entities.
- Status: In Effect (Directive issued).
## Requirements
### Mandatory Requirements
1. **Prohibition on Installation:** Australian Government entities are prohibited from installing Kaspersky Lab, Inc. products and web services on government systems and devices.
2. **Mandatory Removal:** All existing installations of Kaspersky products and web services on government systems must be removed by **April 1, 2025**.
3. **Data Risk Management:** Entities must manage the risks arising from Kaspersky's extensive user data collection and potential exposure to extrajudicial directions from a foreign government that conflict with Australian law.
### Recommended Practices
1. **Policy Signal:** The direction is intended as a strong policy signal to critical infrastructure operators and other non-federal Australian governments to review and address similar risks associated with Kaspersky usage.
2. **Exemption Management:** Agencies seeking exemptions must demonstrate a "legitimate business reason" and implement appropriate time-limited mitigations to meet specific essential compliance or law enforcement functions.
## Affected Organizations
- Industries: Primarily Australian Government entities (Federal level). Secondarily, Critical Infrastructure and other State/Territory government bodies are strongly signaled to review their usage.
- Organization Size: Applies based on affiliation with the Australian Government ecosystem.
- Geographic Scope: Australia.
## Compliance Timeline
- Date of Direction Issuance: Shortly before February 24, 2025 (when the news was reported).
- **April 1, 2025**: Final deadline for full compliance (removal of all existing instances).
## Implementation Guidance
### Assessment Phase
- Identify all systems, devices, and services currently utilizing Kaspersky Lab products or web services within the government entity's environment.
- Analyze data handling processes to determine the extent of user data collected by the software.
### Implementation Phase
- Develop and execute a phased plan to decommission and replace all Kaspersky software before the April 1, 2025 deadline.
- Develop contingency plans for services relying on the functionalities provided by Kaspersky software.
### Validation Phase
- Conduct technical audits post-removal to confirm that no Kaspersky instances or related services remain active on government assets.
- Document reliance on any temporary, risk-mitigated exemptions granted by the Department of Home Affairs.
## Technical Requirements
The requirement is to cease use of specific vendor software due to national security concerns related to data handling and foreign government influence.
- **Replacement:** Deploying alternative, trusted endpoint security or related software solutions.
- **Data Segregation/Minimization:** Ensuring no sensitive government data is processed or stored via non-compliant software services.
## Penalties & Enforcement
The article does not detail specific fines for failure to comply with Direction 002-2025, but consequences are tied to national security compliance frameworks.
- Fines: Not specified in the article.
- Other Consequences: Non-compliance constitutes a breach of Protective Security Policy Framework (PSPF) directions, potentially leading to security standing downgrades, loss of operational capability, and disciplinary action for responsible officers.
- Enforcement: Enforced through formal directions issued by the Department of Home Affairs Secretary, suggesting oversight under binding government security mandates.
## Related Standards
- Protective Security Policy Framework (PSPF): The directive is issued under the authority supporting this framework, which governs security for Australian Government information and systems.
- **Foreign Interference/Espionage Risk Management:** Implies alignment with existing government strategies related to supply chain security and managing threats from foreign state actors.
## Resources
- Official Documentation: [Direction 002-2025: Kaspersky Lab, Inc. Products and Web Services](https://www.protectivesecurity.gov.au/publications-library/direction-002-2025-kaspersky-lab-inc-products-and-web-services)
- Guidance Documents: Statements from the Department of Home Affairs Secretary regarding threat and risk analysis.
- Tools: Organizations will need configuration management tools and vulnerability scanners to identify and verify removal.
## Practical Recommendations
1. **Immediate Inventory:** Immediately catalogue all Kaspersky software and service dependencies across network endpoints and cloud environments.
2. **Prioritize Replacement:** Rapidly initiate procurement and deployment of approved, non-Kaspersky security software solutions.
3. **Document Exemptions:** If dependency exists past April 1, 2025, formally apply for a time-limited exemption, detailing robust, approved mitigation strategies.
4. **Supply Chain Review:** Use this event as a catalyst to review the supply chain security of all software used by government entities, informed by the precedents set by the US and Australia.