Vermont Chief Information Officer John Quinn instructed the entire state government to determine if it uses any hardware or software made by certain companies believed to have ties to the Russian and Chinese governments, and make plans to phase them out if they’re found.
In a memorandum sent Wednesday to Vermont’s executive-branch agencies, Quinn ordered the removal of products sold by Kaspersky Lab, a cybersecurity software firm suspected by U.S. officials of having ties to the Kremlin, and devices manufactured by Chinese firms including Huawei and ZTE, which the United States has accused of conducting espionage on behalf of Beijing.
“The ever-evolving nature of cyber threats has continued to prove that the State of Vermont and the valuable data that we hold for our citizens is a priority target for cyber criminals and hackers alike,” Quinn’s memo reads.
The order follows on federal actions against Kaspersky, Huawei, ZTE and other companies that U.S. officials accuse of threatening national security. The federal government banned Kaspersky Lab, one of the world’s largest vendors of computer-security software, from its networks in September 2017, arguing that the company’s founder, Eugene Kaspersky, “collaborates” with Russian intelligence bureaus.
The Chinese firms, including telecommunications-equipment makers Huawei and ZTE, were banned from U.S. government use under last year’s National Defense Authorization Act. That law also singled out radio-equipment maker Hytera and video-surveillance manufacturers Hangzhou Hikvision and Dahua. The federal government also filed nearly two dozen criminal charges against Huawei last month, accusing the company of stealing trade secrets from T-Mobile, committing fraud and violating trade sanctions against Iran.
Quinn’s order references some of these federal actions in justifying the new ban.
“The federal cybersecurity and intelligence communities have documented evidence of the concerns regarding these products or telecommunications equipment and have used several mechanisms…to block their use within the federal technology community,” the memo reads.
The order immediately prohibits acquiring, or renewing contracts for, products made by Kaspersky or any of the named Chinese firms. It also lays out a timetable for Vermont agencies to review their information technology contracts, determine whether they include the targeted companies and, if necessary, line up replacements from approved vendors.
Within 30 days of Quinn’s directive, agencies will be required to turn in lists of any suspect products currently in use to the state’s chief information security officer, Nicholas Andersen, a former Pentagon cybersecurity official who was hired last December.
“This includes equipment used to support any information technology, telecommunications, industrial control system, supervisory control and data acquisition system, systems used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other security purposes, building infrastructure support, or video surveillance purpose,” the directive reads.
After another 30 days, Vermont agencies will be required to provide plans to phase out any banned software and hardware and replace it with acceptable products. Within three months, Quinn’s directive requires agencies to begin implementing those replacement plans, issuing updates at least once every 30 days until the banned equipment is completely purged.
But Vermont officials do not yet know how many of the newly verboten products the state is using. Quinn told StateScoop the state needs to examine nearly 360 IT contracts spread among more than two dozen agencies and commissions.
Vermont is not alone among states in shunning Kaspersky software following the federal government’s 2017 ban, or Huawei and ZTE devices in the wake of last year’s NDAA, according to Doug Robinson, the executive director of the National Association of State Chief Information Officers.
“Other CIOs simply control this with general authority through their architecture and standards, administrative regs and/or procurement policies,” Robinson said. “They don’t need to name a specific vendor.”
But Vermont’s move Wednesday may make it more conspicuous than other states in banning Kaspersky, Huawei, ZTE and the other companies by name as a matter of official policy.
“We believe we are the first state or one of the first to issue a directive like this,” Quinn said.