The Australian government has officially banned the use of Kaspersky Lab's cybersecurity products and web services across all government systems, citing national security risks.
The ban, outlined in PSPF Direction 002-2025, requires all non-corporate Commonwealth entities to remove existing Kaspersky software and prevent future installations by April 1, 2025.
The directive was issued by Stephanie Foster PSM, Secretary of the Department of Home Affairs, after a security risk assessment determined that Kaspersky's products posed an “unacceptable security risk” due to potential threats of foreign interference, espionage, and sabotage. The government also emphasized the broader policy signal this action sends to critical infrastructure operators and other Australian jurisdictions regarding the risks of using Kaspersky software.
Kaspersky Lab, a Russian cybersecurity firm, has faced increasing scrutiny over concerns that it may be compelled to share user data with the Russian government under local laws. The Australian directive specifically highlights the risk of Kaspersky's “extensive collection of user data” being exposed to “extrajudicial directions from a foreign government that conflict with Australian law.”
Removing Kaspersky from all government systems
Under the Protective Security Policy Framework (PSPF), government agencies must:
- Identify and remove all existing Kaspersky products and web services from government systems.
- Prevent future installation of Kaspersky software on all government-issued and authorized non-government devices.
- Report compliance to the Department of Home Affairs' Commonwealth Security Policy Branch.
Limited exemptions may be granted for national security and regulatory purposes, provided strict risk mitigations are in place.
This move follows similar actions by other Western governments, most notably the United States, which banned Kaspersky software in June 2024 due to national security concerns. The U.S. Department of Commerce determined that Kaspersky's operations posed a risk to U.S. critical infrastructure and data security, ultimately prohibiting the company from providing its services in the country.
While Kaspersky has consistently denied any wrongdoing, asserting that its operations remain independent of the Russian government, these bans reflect growing global distrust toward the firm, particularly amid heightened geopolitical tensions.
Government agencies in Australia must act swiftly to meet the April 1, 2025 deadline. Meanwhile, private organizations and critical infrastructure operators are strongly encouraged to evaluate their cybersecurity solutions in light of the government's warning.
For users in Australia relying on Kaspersky software for their protection, the directive is not expected to have a negative effect. However, it's still prudent to plan to transition to alternative trusted vendors in case security updates and support are phased out in the future.