The Australian Government has banned the use of Kaspersky Lab products and web services on all government systems and devices. Those systems and devices already using the Russian cybersecurity and anti-virus provider’s products are to have them removed.
The directive came after the Protective Security Policy Framework, which applies to non-corporate Commonwealth entities, deemed the products to be unsafe after it considered the advice from ‘technical authority entities’.
“After considering threat and risk analysis, I have determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage,” said Stephanie Foster, Secretary of the Department of Home Affairs. “I have also considered the important need for a strong policy signal to critical infrastructure and other Australian governments regarding the unacceptable security risk associated with the use of Kaspersky Lab, Inc. products and web services.”
By 1 April 2025, all non-corporate Commonwealth entities must:
1. Identify and remove all existing instances of Kaspersky Lab, Inc. products and web services on all Australian Government systems and devices.
2. Prevent the installation of Kaspersky Lab, Inc. products and web services on all Australian Government systems and devices.
3. Report completion of above requirements to the Department of Home Affairs' Commonwealth Security Policy Branch.
Government entities must also manage risks resulting from Kaspersky’s collection of user data, including the use of that data for non official purposes by a foreign government when it conflicts with Australian law.
Exemptions can be sought for a 'legitimate business reason', defined as being necessary for national security and regulatory functions. However, legitimate business reasons must be time limited and follow all the necessary mitigations.
