Australia has banned the use of Kaspersky Lab products across government, mandating the popular antivirus suite be removed from federal government systems.
Since 2017, Russia-based cybersecurity vendor Kaspersky Lab has faced a slew of international bans over perceived risks to national security – namely that the Kremlin could hold sway over the organisation and its globally used products.
Coming one year after an unprecedented Kaspersky ban in the US private sector, Home Affairs has declared Australian Government entities will need to “prevent the installation” of Kaspersky products on all systems and devices.
Secretary of the Department of Home Affairs, Stephanie Foster, said she arrived at the decision after “considering threat and risk analysis”.
Giving particular emphasis to threats of “foreign interference, espionage and sabotage”, Foster determined the “use of Kaspersky Lab Inc products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data.”
The ban comes under the Protective Security Policy Framework (PSPF), which enables the Secretary to issue security directions on applicable Commonwealth entities.
The new order, PSPF Direction 002-2025, further mandates Australian government entities proactively identify and remove existing instances of Kaspersky software – including from mobile phones, handheld computers, tablets, laptops and personal digital assistants – and report their completion of the task no later than 1 April 2025.
Notably, the order also applies to information security products supplied “directly or indirectly” by any of Kaspersky’s predecessor, successor, parent, subsidiary, or affiliate companies.
Government agencies can meanwhile seek an exemption in the case of a time-limited “legitimate business reason”, specifically where the use of Kaspersky is “necessary for the conduct of national security or regulatory functions”.
Information Age has contacted Kaspersky for comment.
Australia joins Five Eyes in ban
The recent PSPF direction makes Australia the fourth of the Five Eyes nation – those being Australia, UK, US, Canada and New Zealand – to ban Kaspersky from government systems.
The US first banned the prominent antivirus vendor from all government departments in 2017, alleging Kaspersky had worked on secret projects with Russia’s Federal Security Service.
The UK followed suite that year across national security departments, while Canada joined its Five Eyes partners by barring Kaspersky from government mobile devices in late 2023.
While Australia notably fell short of a ban in 2017, the new directive signed by Foster advocates for further action outside of the public sector.
“I have also considered the important need for a strong policy signal to critical infrastructure and other Australian governments regarding the unacceptable security risk associated with the use of Kaspersky Lab, Inc,” said Foster.
Foster added entities must manage risks arising from the vendor’s “extensive collection of user data” and the exposure of said data to “extrajudicial directions from a foreign government that conflict with Australian law.”
Notably, Kaspersky was commissioned as the Department of Prime Minister and Cabinet’s information security provider in 2015 under the Liberal government of the time.
Deepseek, Kaspersky bans build on security framework
Earlier this month, Home Affairs issued a direction to ban Chinese artificial intelligence chatbot DeepSeek (and the company’s wider offerings) from federal government devices.
Speaking in a Senate estimates hearing Monday, Foster noted both the Kaspersky and Deepseek bans build upon a series of PSPF directions which seek to “manage security risks” facing Australian systems.
Last July, the secretary issued directions for government entities to identify indicators of “foreign ownership, control or influence risk” in relation to technology procurement, alongside a requirement for agencies to perform a “technology asset stocktake” on all internet-facing systems.
A further PSPF release, planned for July 2025, is expected to introduce new standards for an authentication-heavy, zero-trust culture and the safe deployment of gateway technologies across government.
Public consultation for the government’s implementation of zero-trust culture is open until 28 February.
