Australia Bans Kaspersky Software Over National Security Concerns

The Australian government has ordered the removal of all Kaspersky Lab software and web services from federal systems, citing risks of foreign interference, espionage, and sabotage.

Issued under the Protective Security Policy Framework (PSPF) Direction 002-2025, the directive mandates that non-corporate Commonwealth entities identify and eliminate all Kaspersky products by April 1, 2025, and prohibits any future installations.

Home Affairs Secretary Stephanie Foster stated the decision was driven by concerns over Kaspersky’s “extensive collection of user data” and its potential exposure to “extrajudicial directives from a foreign government that conflict with Australian law.”

Scope and Rationale for the Ban

PSPF Direction 002-2025 applies to all systems and devices governed by the Public Governance, Performance and Accountability Act 2013 (PGPA Act), including government-issued mobile devices, laptops, and third-party hardware used in federal operations.

The ban explicitly covers Kaspersky’s cybersecurity products, threat intelligence platforms, and cloud services but excludes third-party software with embedded Kaspersky components.

Foster highlighted systemic risks tied to Kaspersky’s data telemetry and analytics, which could expose government networks to “transnational threat actors seeking unauthorized access.” This move aligns with global concerns about software supply chain security and data sovereignty.

Australia’s decision follows similar actions by the U.S. in 2024, which barred Kaspersky from operating in North America over alleged ties to Russian intelligence. Canada and the U.K. have also restricted Kaspersky’s use in critical infrastructure, making Australia the third Five Eyes nation to impose such prohibitions.

Exemptions and Security Measures

Limited exemptions apply to agencies involved in national security, law enforcement, or regulatory functions, provided they implement strict risk mitigations such as network segmentation, continuous monitoring, and restrictions on data transfers to Kaspersky servers.

Entities seeking exemptions must submit detailed justifications to the Commonwealth Security Policy Branch by March 15, 2025, and undergo quarterly audits to ensure compliance.

The Department of Home Affairs has also advised critical infrastructure operators and state governments to adopt similar precautions. Private-sector contractors handling government data are urged to align with these security measures, reflecting increased scrutiny of third-party software risks.

Kaspersky’s Response and Industry Impact

Kaspersky Lab has consistently denied any state affiliations, asserting its independence and commitment to secure-by-design principles. In its 2023 Sustainability Report, the company emphasized its Cyber Immunity strategy, transparency initiatives, and third-party code audits.

Despite these assurances, Western governments remain skeptical, particularly due to Russian laws mandating data localization and potential state access.

The ban reflects a broader shift in cybersecurity policy, with increased emphasis on supply chain security and zero-trust architectures. Analysts predict Australian agencies will accelerate adoption of alternatives like CrowdStrike, Palo Alto Networks, and Microsoft Defender for Endpoint.

Additionally, the directive aligns with PSPF Direction 002-2024, which mandates rigorous asset management and IT inventory controls for internet-facing systems.

A Turning Point in Cybersecurity Policy

Australia’s prohibition of Kaspersky products marks a significant shift toward proactive cyber defense amid rising geopolitical tensions. Supporters argue it reduces critical infrastructure risks, while critics warn of potential diplomatic fallout and reduced access to cost-effective security solutions.

Regardless of the debate, the era of unchecked software reliance is coming to an end, signaling a new approach to cybersecurity governance.