SPY GAMES: U.S. Government Can’t Get Controversial Kaspersky Lab Software Off Its Networks.

“It’s messy, and it’s going to take way longer than a year,” said one U.S. official. “Congress didn’t give anyone money to replace these devices, and the budget had no wiggle-room to begin with.”

At issue is a provision of the National Defense Authorization Act (NDAA) enacted last December that requires the government to fully purge itself of “any hardware, software, or services developed or provided, in whole or in part,” by Kaspersky Lab. The law was a dramatic expansion of an earlier DHS directive that only outlawed “Kaspersky-branded” products. Both measures came after months of saber rattling by the U.S., which has grown increasingly anxious about Kaspersky’s presence in federal networks in the wake of Russia’s 2016 election interference campaign.

America’s intelligence chiefs have, too, issued public warnings about Kaspersky software. When asked by Sen. Marco Rubio (R-FL) at an intelligence committee hearing last year whether they would be comfortable using Kaspersky software on their computers, all six of the top intelligence leaders—from the Central Intelligence Agency chief to the director of National Intelligence—had the same answer: No.

Plus:

The company works so closely with Russia’s Federal Security Service, or FSB, that agents are sometimes embedded in the firm’s Moscow headquarters. And like virtually all anti-virus products, Kaspersky’s has complete access to any computer on which it’s running, including the ability to riffle through files and, depending on the configuration, upload them to Kaspersky’s servers in Russia. It can also execute arbitrary instructions transmitted from the company’s headquarters.

What a mess.