![](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb55ac497-0640-4c24-afd3-64216d053d94_1280x1280.jpeg)
Years ago, when I still worked for the US government, Kaspersky Labs’ software presented a concern for US agencies. The multinational cybersecurity and anti-virus company was widely used in the United States, with hundreds of millions of US individuals and companies using the company’s services, including anti-virus, internet security, and password management.
Kaspersky investigated numerous cyber threats, including Stuxnet, Flame, and Red October, but national security concerns about the company’s links to Russia’s intelligence services were present even as the company became famous for exposing cyber weaponry, including the ones that disrupted Iran’s nuclear program.
Media reports and the US government in 2017 alleged that Kaspersky was closely tied to the Russian FSB, and in a Senate hearing that year, several heads of US intelligence agencies gave a resounding “NO!” when asked by Senator Marco Rubio whether they would be comfortable having Kaspersky anti-virus software installed on their agency computers.
After media accusations that Kaspersky has been working with Russian intelligence surfaced, the company released a statement noting that the company does not have "inappropriate ties with any government." Internal company emails obtained by Bloomberg show that Kaspersky has maintained a “much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted.”
The devil is in the details of the language used by the company. Kaspersky is a Russian company, and its ties to Russia’s security services are not “inappropriate,” but legal in Russia. The company’s servers are in Russia, which means hundreds of millions of users have their files and possibly their sensitive information cycled through infrastructure in a hostile, adversarial country and ultimately controlled by that country’s security services.
Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.
Let’s not forget that the company’s CEO, Eugene Kaspersky, is a graduate of a KGB institute that prepared graduates for service in Russian intelligence. As a military cadet in the 1980s, Kaspersky studied at the KGB-administered Institute of Cryptography, Telecommunications and Computer Science, and as early as 2013 admitted to having the FSB—Russia’s successor to the KGB—as a client.
Federal agencies in 2017 banned the use of Kaspersky software on US government computers. The Department of Homeland Security issued a directive for all federal departments and agencies to identify Kaspersky products on their systems and develop plans to remove them and replace them with alternatives within three months.
This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
That should have been a big red flag to the private sector. If during Senate hearings, the heads of the intelligence community testified that Kaspersky was a threat, and federal agencies quickly moved to get rid of Kaspersky’s products, the private sector should have taken a hint and done the same.
They’re going to have to do so now.
The Biden administration last week banned the use of Kaspersky software in the United States because of security concerns and the company’s links to the FSB.
The US subsidiary of Kaspersky is now prohibited from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons.
In addition, the Commerce Department’s Bureau of Industry and Security (BIS) included AO Kaspersky Lab and OOO Kaspersky Group (Russia) and Kaspersky Labs Limited (UK) on the agency’s Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.
That means Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use.
In order to minimize disruption to U.S. consumers and businesses and to give them time to find suitable alternatives, the Department’s determination will allow Kaspersky to continue certain operations in the United States—including providing anti-virus signature updates and codebase updates—until 12:00AM Eastern Daylight Time (EDT) on September 29, 2024.
The US government, after a yearslong investigation, found that transactions involving Kaspersky’s products and services pose an “unacceptable risk” to US national security or the safety and security of US persons, as outlined in EO 13873, issued by then-president Trump in 2019.
OFAC has not included Kaspersky or Eugene on its SDN List yet, but last week it did designate 12 individuals in executive and senior leadership roles of the company. All the individuals were sanctioned pursuant to EO 14024 for operating in the technology sector of the Russian economy, which according to Treasury’s recent assessment, has fully pivoted to a wartime stance to support Russia’s invasion of Ukraine. Not only are the leaders of Kaspersky blocked, but foreign financial institutions that conduct or facilitate significant transactions or provide any service to Russia’s military-industrial base, which now includes the leadership team of Kaspersky, run the risk of being designated by OFAC, regardless of whether or not a US nexus is present (secondary sanctions risk).
Kaspersky, of course, denies being a security threat to the United States and claims that because neither the company nor its CEO are sanctioned by OFAC, the current prohibitions will not impact the company’s “resilience.”
![](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee3d4a47-fb5d-4576-9ea5-8a41b9e7ceae_1024x683.jpeg)
But the company is sure to lose business. Those clueless enough to have continued using the software after the US government banned it in 2017 will now lose access to it. No more updates, no more licenses, and resellers who still have it in stock will have to sell it by September 29th.
Why have the company and Eugene Kaspersky himself not been designated? Maybe they will be. The designation process is lengthy and involves a coordination process that includes everyone from the State Department, to the Intelligence Community, to the National Security Council—basically any agency that has equities. So maybe the sanctions package is simply not finished.
It’s entirely possible that both the company and Kaspersky himself will be designated soon. If I were a firm or financial institution still doing business with Kaspersky, I’d be scrambling to shut it down right now.
We were complaining about the 'mandatory' use of the software a LONG time ago. And I know NIS was looking at it as far back as 2010, if not earlier. Sigh... Just like the Walker 'case', we'll never know how much they got.
My career as a software engineer started as a cybersecurity engineer, so I know their antivirus product very well. The product was one of the best in the world. But all that stuff is meaningless… nothing’s more important than national security. Their ties with the FSB should be a major red flag and alarm to the entire world. We have great antivirus software made by non-Russian-affiliated companies.