The Kaspersky ban and the ‘tectonic shifts’ dividing economies

June 21, 2024
The federal government has been considering action against Kaspersky Lab for more than a year, but the announced ban on sales of the Russia-based anti-virus and cybersecurity company’s software in the U.S. is still likely to cause major headaches for businesses.

Department of Commerce Secretary Gina Raimondo is urging U.S. customers “in the strongest possible terms” to stop using Kaspersky products and seek alternate providers.

The decision came from the department’s Bureau of Industry and Security, which issued a “final determination” that covers not only Kaspersky Labs but also its affiliates, subsidiaries and parent companies.

BIS added three entities — AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) — to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives. 

The Commerce Department says Russia has the capacity and intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and the agency felt compelled to take action.

Kaspersky will no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use. The full list of prohibited transactions can be found at oicts.bis.gov/kaspersky.

The Commerce Department says the action was the result of “a lengthy and thorough investigation” that found the company’s continued operations in the U.S. presented a national security risk due to the Russian government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations. The department says the situation could not be addressed through mitigation measures short of a total prohibition.

Kaspersky is a multinational company with offices in 31 countries, servicing users in over 200 countries and territories. Kaspersky provides cybersecurity and anti-virus products and services to over 400 million users and 270,000 corporate clients globally, according to the company’s website.

Many cybersecurity executives were likely not shocked the action was taken against Kaspersky but noted the decision’s significance as the U.S. government continues to bolster cyber defenses.

Andrew Borene, Executive Director for Global Security at threat intelligence firm Flashpoint, says the decision “is a logical reflection of the tectonic shifts that are dividing economies along the lines of power competition between allies and the Russia/China/Iran/North Korea digital domain.

“These divides obviously extend into private sector actors as well. Kaspersky has a history of problems with U.S., Canadian and other allied governments,” says Borene, a former senior officer at the U.S. Office of the Director of National Intelligence and the National Counterterrorism Center (NCTC). “Banning its use for U.S. security probably is a wise choice in many cases, particularly in the categories of civilian critical infrastructure at state/local/municipal level whether that infrastructure is inherently governmental or privately owned and operated.”

Adam Maruyama, Field CTO, Garrison Technology, says the Commerce Department’s move underscores the stakes of “security products gone bad,” where the privileges that are supposed to be used to protect networks and systems are instead used to subvert security mechanisms, deploy malware, and steal data.

But he adds the “deliberate seeding of such capabilities via a commercially available product is only the tip of the iceberg.” Maruyama says that in Google’s most recent report of zero-days exploited in the wild, it noticed a marked increase in attacks against enterprise security software, including detection and response, VPN and firewall operating systems.

“Left unchecked,” Maruyama says, “this rise in exploits could provide attackers the same privileged access they would have had if administrators installed compromised software.”

Maruyama believes the cybersecurity community -- particularly in the high-threat sectors of government and critical infrastructure -- must consider innovative solutions like using fixed-function, deterministic components such as FPGAs rather than malleable software solutions to enforce critical security functions.

“If we don’t fundamentally rethink the way we approach and enforce security, our most sophisticated adversaries will continue to subvert the software meant to keep us safe – whether it’s by shipping compromised software or attacking and compromising legitimately-developed solutions,” he says.

Trouble Brewing

The U.S. government previously acted against Kaspersky in 2017, when the Department of Homeland Security issued a directive requiring federal agencies to remove and discontinue use of Kaspersky-branded products on federal information systems.

A year later, the National Defense Authorization Act (NDAA) for fiscal year 2018 prohibited the use of Kaspersky by the federal government. In 2022, the Federal Communications Commission added to its “List of Communications Equipment and Services that Pose a Threat to National Security” information security products, solutions, and services supplied, directly or indirectly, by Kaspersky. 

The federal government says it will minimize disruption to U.S. consumers and businesses by allowing Kaspersky to continue certain operations in the U.S. — including providing anti-virus signature updates and codebase updates — until midnight on September 29, 2024.

BIS says Kaspersky poses an undue or unacceptable risk to national security because it is subject to the jurisdiction of the Russian government and must comply with requests for information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s anti-virus software.

BIS also says Kaspersky has broad access to, and administrative privileges over, customer information through the provision of cybersecurity and anti-virus software. The agency says Kaspersky employees could potentially transfer U.S. customer data to Russia, where it would be accessible to the Russian government under Russian law.

Kaspersky has the ability, BIS says, to use its products to install malicious software on U.S. customers’ computers or to selectively deny updates, leaving U.S. persons and critical infrastructure vulnerable to malware and exploitation.

And the agency notes that Kaspersky software is integrated into third-party products and services through resale of its software, integration of its cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services.

“Third-party transactions such as these create circumstances where the source code for the software is unknown,” BIS said. “This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data.”

The Commerce Department said it’s working with the Department of Homeland Security and Department of Justice to inform U.S. customers, including state, local, tribal and territorial government agencies, non-government customers at the SLTT level, and critical infrastructure operators about ways to easily remove the software.

Company Denies Allegations

Kaspersky’s founder, Eugene Kaspersky, was bitten early by the computer bug. According to various online profiles, Kaspersky was 16 years old when he entered a five-year program with The Technical Faculty of the KGB Higher School, which prepared intelligence officers for the Russian military and KGB.

He graduated in 1987 with a degree in mathematical engineering and computer technology and served the Soviet military intelligence service as a software engineer. He met his first wife Natalya Kaspersky at Severskoye, a KGB vacation resort, in 1987. His interest in IT security began when his work computer was infected with the Cascade virus in 1989 and he developed a program to remove it. Kaspersky Labs was founded in 1997 and quickly grew. From 1998 to 2000, its annual revenue grew 280%, and by 2000 almost 60% of the firm’s revenues were international.

In a statement issued Thursday, Kaspersky Labs denied it engaged in any activities that threaten U.S. national security and said the company made “significant contributions” with its reporting and protection from a “variety of threat actors that targeted U.S. interests and allies.” The company says it plans to “pursue all legally available options” to preserve its current operations and relationships. 

“Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted third-party, Kaspersky believes the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services,” Kaspersky Labs said in its statement.

The company also noted the decision doesn’t affect Kaspersky’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S.

Kaspersky says it has protected over 1 billion devices in its 26 years and implemented “significant transparency measures” in 2017 to show the company was committed to integrity and trustworthiness. “The Department of Commerce’s decision unfairly ignores the evidence,” the statement said.

The primary impact of the measures, the company says, “will be the benefit they provide to cybercrime. International cooperation between cybersecurity experts is crucial in the fight against malware, and yet this will restrict those efforts.

“Furthermore, it takes away the freedom that consumers and organizations, large and small, should have to use the protection they want, in this case forcing them away from the best anti-malware technology in the industry, according to independent tests. This will cause a dramatic disruption for our customers, who will be forced to urgently replace technology they prefer and have relied upon for their protection for years.”

About the Author

John Dobberstein | Managing Editor/SecurityInfoWatch.com

John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines. He most recently served as senior editor for the Endeavor Business Media magazine Utility Products.