Less than a year after the US issued a ban on all Kaspersky products, Australia prohibits their use across government agencies due to unacceptable security risk.

The Secretary of the Department of Home Affairs issued on Friday a mandatory direction under the Protective Security Policy Framework (PSPF) requiring all government entities to prevent the installation of Kaspersky products and web services on their devices and to remove existing ones.

In the directive signed by Stephanie Foster on 17 February, Foster stated that after considering threat and risk analysis, “I have determined that the use of Kaspersky Lab products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage. I have also considered the important need for a strong policy signal to critical infrastructure and other Australian governments regarding the unacceptable security risk associated with the use of Kaspersky Lab, Inc. products and web services.”

Foster added that entities must manage the “risks arising from Kaspersky Lab’s extensive collection of user data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.”

According to the directive, entities have until 1 April 2025 to identify and remove all existing instances of Kaspersky Lab products and web services on all Australian Government systems and devices. They must also prevent the installation of Kaspersky Lab products and web services and report completion of these requirements to the Department of Home Affairs’ Commonwealth Security Policy Branch.

The move follows that of the US, which, in June 2024, banned Kaspersky from selling its software and products in the US, including issuing updates to products that were in use at the time.

In a statement, the cybersecurity vendor said it was disappointed with the decision.

“Kaspersky believes that the decision stems from the current geopolitical climate and was not supported by any technical assessment of the company’s products, which the company has been continuously advocating for. The fact that the directive was issued without any warning or opportunity for engagement to address the Australian Government’s concerns highlights its political nature.”

“The allegations cited in the direction are not based on specific evidence and no due process has been organized or followed to provide justification. Kaspersky regrets the measures depriving organizations of reliable cybersecurity protection and maintains that their ultimate impact is the deterioration of global cyber resilience,” Kaspersky said in a statement.

“Being an advocate of an evidence-based approach to IT products’ security assessments, Kaspersky is determined to continue addressing any fact-based concerns about the security of its products in an open and transparent manner.”

In 2018, Kaspersky started moving all Australian users’ data from Russia to Switzerland as part of a transparency move, which included the opening of a network of Transparency Centers so that the company’s stakeholders could check the source code of Kaspersky products and its threat detection rules.