Binary code with US flag showing US bans Kaspersky products

US Bans Kaspersky Products From Commercial Sale Over Concerns About Personal Information Collection

Kaspersky products have been added to the list of US bans of foreign software products over national security concerns, as the Department of Commerce named the Russian government’s ability to compel the company to turn over customer information as an unacceptable risk.

The situation is thus very similar to the assorted US bans on TikTok, which has not been caught transferring information to the Chinese government but faces preemptive suspensions simply for the possibility that it could happen. Concerns about Kaspersky products are not new among federal agencies, however, as the national government banned it from civilian agencies in 2017.

US bans of software over theoretical foreign government access scenarios continue

The measure against Kaspersky products is something of a “soft ban,” as the company will no longer be able to legally sell in the US but US companies will not face any fines or legal repercussions for continuing to use them. The full ban goes into effect September 29, and in the meantime Kaspersky will be in a grace period in which it can continue to serve existing US clients with updates and necessary patches before it must withdraw from the market entirely. However, it can no longer take on new US clients as of July 20.

For its part, Kaspersky denies it has ever had any contact with Russia’s government for the purposes of “cyberespionage or offensive cyber efforts” and said that the US bans were not based on a comprehensive evaluation of its products. The US has not presented any evidence of collaboration between Kaspersky and Russia’s government of this nature, instead pointing to Russian national security law that could compel the company to turn over private customer information. The Commerce Department also expressed concern that the Russian government could use Kaspersky products to remotely access client systems. The Kremlin responded to the announcement by accusing the US of using it as a means to favor US-based cybersecurity vendors.

Commerce Secretary Gina Raimondo indicated that US bans are based on “extremely thorough” investigations, and claimed that the Russian government has demonstrated intent to use private companies like Kaspersky to collect and “weaponize” the personal information of Americans. The secretary did not provide specifics for that claim as pertains to Kaspersky products, but did allude to these same theoretical concerns informing the 2017 federal civilian agency bans.

Damir J. Brescic, CISO of Inversion6, notes that Russia’s national laws do bear some similarity to the terms that have caused so much international trouble for Chinese companies: “The reason that the U.S. government took such a stance is due to the concerns that Kaspersky could/has complied with the Russian government in what could be seen as assisting in cyber espionage or other malicious activity. The concern is obviously heightened by some of the controversial laws Russia has in general regarding cybersecurity; where they require companies to assist the government in intelligence gathering activities. Similar to other nation-state threat actors, such as China, Iran and North Korea. There are a few key aspects that companies and even government agencies need to take into consideration when assessing the impact of a software tool, such as Kaspersky. The major concern is that the Kaspersky antivirus solution, when implemented in an organization, requires extensive system privileges to function correctly, as most solutions of its kind do. This type of technology can provide a threat actor the potential to exploit and gain access to a systems configuration, sensitive data, and network connections.”

US bans of Kaspersky products could be a significant blow to the company

The US bans of Kaspersky products could prove to be a significant financial blow to the company. The company boasts some 200,000 corporate clients and 400 million individual users around the world, but does not break this down by location. Some independent marketing studies indicate that almost half of the company’s clients are in the United States, and that it is particularly popular with small and medium-size businesses for its relatively low price point and consistently high performance ratings.

The comparisons to the TikTok situation are obvious. But the current prohibition of Kaspersky products, in addition to previous US bans, dates back to more than just a concern about a foreign rival’s potential abuse of a national security law. Much of it seems to be tied to the loss of secret hacking tools by the NSA’s “Equation Group” in 2014, the team that serves a function similar to the government-backed APT groups of Russia and other nations. Kaspersky claims to have come upon the group and its tools by accident as part of an internal investigation into a then-unknown hacking team that had been spreading files flagged as malware; the issue flared up again in 2016 when a hacking group called “The Shadow Brokers” claimed to have stolen some of Equation Group’s malware tools. Kaspersky published a report explaining its side of the story in 2017, which was met with accusations of Russian FSB involvement and intentional use of Kaspersky’s software as a global file scanning system for espionage purposes. Kaspersky believes that the information was obtained accidentally when an NSA employee took sensitive files home to their personal computer, and was subsequently infected with a different type of malware when they used a key generator to install a pirated version of Microsoft Office.

The Commerce Department was granted the power to self-initiate investigations of whether foreign companies pose a national security risk under a 2019 executive order issued by then-president Donald Trump, specifically pertaining to information and communications technology issues. This is the first time the department has undergone such an investigation. In addition to banning Kaspersky products, the department added 12 company executives to the “entity list” (but did not include founder Eugene Kaspersky).

US businesses can continue legally using Kaspersky products for as long as they like, but after September 29 it will be very difficult (if not impossible) for them to receive necessary updates.

 

Senior Correspondent at CPO Magazine