Australian Kaspersky ban triggered by detection in gov agency supply chain

A formal ban on the use of Kaspersky Lab software by the federal government last month was triggered by “a detection of its use in the supply chain of one government agency”, according to Home Affairs officials.



Speaking at a budget estimates hearing late last week, officials said that agencies had first been directed not to use Kaspersky back in 2017 via a letter from Prime Minister and Cabinet.

“The letter effectively said for non-corporate Commonwealth entities to not use Kaspersky products,” Home Affairs deputy secretary of cyber and infrastructure security group Hamish Hansford said.

The detection of Kaspersky in the single government agency’s supply chain prompted a fresh email to chief security officers across government from Hansford, followed up by a “formal direction” in February this year.

It was noted that the power to issue a formal direction has only existed since 2023.

Assistant secretary of government cyber and protective security Tim Neal said that a “survey” of government entities conducted in “late 2024” also uncovered a “potential procurement” at the federal level contemplating Kaspersky software.

In addition, the survey – which requested federal, state and territory governments and critical infrastructure operators “to scan their environments and their policies around Kaspersky Lab” – found instances of the software in use outside of the federal sphere as well.

“There were multiple instances across the three [surveyed] cohorts, which [included] the Commonwealth government, the states and territories, and critical infrastructure,” Neal said.

