Local and state government agencies from Oregon to Connecticut say they are using a Russian brand of security software despite the federal governments instructions to its own agencies not to buy the software over concerns about cyberespionage, records and interviews show.

The federal agency in charge of purchasing, the General Services Administration, this month removed Moscow-based Kaspersky Lab from its list of approved vendors. In doing so, the agencys statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it. Kaspersky has strongly denied coordinating with the Russian government and has offered to cooperate with federal investigators.

The GSAs move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost. The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity.

Interviews suggest that concerns in recent months from Congress and in the intelligence community about Kaspersky are not widely known among state and local officials, who are most likely to consider purchasing the Russian software. Those systems, while not necessarily protecting critical infrastructure, can be targeted by hackers because they provide access to troves of sensitive information.
...
The GSA included a reference to System of Operational-Investigative Measures, or SORM a national Russian electronic eavesdropping network that the U.S. government publicly warned about in advance of Americans traveling to the 2014 Winter Olympics in Sochi, Russia. 
At the time, the State Department advised travelers to assume that cellphones could be turned into listening devices and laptops could be infiltrated if connected to Russian networks. The GSA statement this month said applicability of SORM to Kaspersky supported GSAs decision to exercise the cancellation clause.
...
Kaspersky Lab was founded in 1997 by Eugene Kaspersky, a decade after he had graduated from a KGB-supported cryptography school and had worked in Russian military intelligence agencies.
