By Cam Sivesind
Mon | Jul 15, 2024 | 12:47 PM PDT

The U.S. Commerce Department has announced a full ban on the sale of Kaspersky products in the United States, effective July 20, 2024. Kaspersky, a prominent cybersecurity company based in Moscow, Russia, has been at the center of controversy due to alleged ties with the Russian government.

The announcement marks a critical juncture for cybersecurity professionals across the country. Here's what you need to know about the ban, its implications, and the steps you should take moving forward.

The U.S. government's concerns about Kaspersky date back several years. In 2017, the Department of Homeland Security (DHS) issued a directive to remove Kaspersky software from federal systems, citing fears that the company's products could be used to facilitate espionage and cyberattacks by the Russian government. Despite Kaspersky's repeated denials of any wrongdoing or inappropriate ties to the Russian state, these concerns have persisted.

The Commerce Department's recent decision to implement a full ban is based on ongoing national security concerns. In a statement, the agency emphasized the need to protect U.S. critical infrastructure and sensitive information from potential threats posed by foreign entities.

"It's surprising that it took the U.S. Commerce Department this long to ban Kaspersky products in the U.S. The U.S. Intelligence Community began looking at Kaspersky as a possible vector for Russian cyberattacks more than a decade ago," said Col. Cedric Leighton, CNN Military Analyst, U.S. Air Force (Ret.), and Chairman, Cedric Leighton Associates, LLC. "In 2017, the then director of the NSA told the Senate Intelligence Committee that his agency was concerned about U.S. government use of Kaspersky products. That should have been a warning to both private and public sector IT professionals that Kaspersky software posed a possible cyber espionage risk."

"The founder of Kaspersky Labs, Eugene Kaspersky, graduated from a KGB-affiliated university in 1987, prior to the dissolution of the Soviet Union," Col. Leighton continued. "As his company grew, it also attracted quite a few other veterans of either the Soviet or Russian intelligence services. Those connections have long sparked concerns within key U.S. intelligence agencies. Russian law also requires Russian companies to share their software code with the relevant authorities. That's a key path for malware to be introduced so it can later wreak havoc on a customer's IT network."

Implications for cybersecurity professionals

1. Immediate compliance requirements

Organizations using Kaspersky products must ensure compliance with the ban by July 20, 2024, and current Kaspersky customers have until September 29, 2024, to find alternatives. This involves:

  • Identifying and removing Kaspersky products: Conduct an inventory of all Kaspersky software and hardware within your organization's network. Develop a plan for the swift removal and replacement of these products.
  • Communicating with stakeholders: Inform relevant stakeholders—including IT teams, executives, and clients—about the ban and its implications. Ensure everyone understands the timeline and steps being taken to comply.

2. Transitioning to alternative solutions

The ban necessitates finding and implementing alternative cybersecurity solutions. Here are some steps to facilitate a smooth transition:

  • Evaluate needs and solutions: Assess your organization's specific cybersecurity requirements and identify reputable alternatives to Kaspersky products. Look for solutions that offer similar or enhanced functionality and security.
  • Test and deploy new solutions: Before fully deploying new cybersecurity tools, conduct thorough testing to ensure compatibility with existing systems and effectiveness in mitigating threats. Develop a phased rollout plan to minimize disruption.
  • Training and support: Provide training for IT staff and end-users on the new solutions. Ensure there is adequate support available to address any issues that arise during the transition.

3. Strengthening overall cybersecurity posture

The ban on Kaspersky serves as a reminder of the broader geopolitical risks in cybersecurity. Professionals should use this opportunity to strengthen their overall security posture through:

  • Regular audits and assessments: Conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with best practices and regulatory requirements.
  • Enhanced monitoring and response: Implement robust monitoring and incident response capabilities to quickly detect and respond to potential threats.
  • Supply chain security: Evaluate the security of third-party vendors and partners. Ensure they adhere to stringent security standards to prevent supply chain attacks.

The ban on Kaspersky products is part of a larger trend of increasing scrutiny of foreign technology companies. As geopolitical tensions continue to rise, particularly between the U.S. and nations like Russia and China, cybersecurity professionals must remain vigilant and adaptable.

"One of the things cybersecurity professionals should be aware of is the origin company of whatever antivirus software they are using for the organization," said Burton Kelso, TEDx and Cybersecurity Technology Speaker. "Many companies like Kaspersky and Trend Micro are not based in the U.S., which means these companies fall under the jurisdiction of the host country. Cybersecurity professionals should read the terms of service for any antivirus, VPN, or firewall software they are using. If not, they could fall into a situation like a vast part of the terms of service involved, scanning computers for information that is then sold off to third-party vendors."

In his bi-weekly Inflection Point bulletin, Kip Boyle, vCISO, Cyber Risk Opportunities LLC, said: "As far as I know, this is a first in the history of cyber risk management. And, this isn't just a slap on the wrist. It's a complete eviction from the U.S. market. Current Kaspersky customers have until September 29th to find alternatives. After that, no more updates to detect new malware. Their antivirus will be as useful as a screen door on a submarine."

Some basic advice for cybersecurity teams:

  • Stay informed about geopolitical developments and their potential impact on cybersecurity. Understand that national security concerns can lead to sudden regulatory changes that require quick adaptation.
  • Avoid over-reliance on any single vendor or technology, particularly those from regions with geopolitical tensions. Diversify security solutions to include products from a variety of reputable sources.

Boyle said that the Russia-Ukraine War has changed the cybersecurity landscape.

"Russia's invasion of Ukraine and increased cyber activities have shifted the risk calculation," Boyle said. "Add China's critical infrastructure compromises to the mix, and you can see why the U.S. is nervous about Russian software in sensitive systems. I've seen quotes in various news articles that this ban is a decade overdue—maybe more."

"Given the abysmal state of Russian-U.S. relations since Russia's February 2022 invasion of Ukraine, it's highly likely that Russia's intelligence services (GRU, SVR, and FSB) would attempt to leverage Kaspersky's products to further their cyber espionage goals," Col. Leighton said. "IT professionals are truly on the front lines of today's cyber wars. When they assess what types of security solutions they should implement, they need to go beyond a technical evaluation and think about whether or not the solutions they are looking at could be a vector for malicious code to enter their networks. Technical evaluations of potential solutions are obviously necessary, but CISOs and other IT professionals need to think beyond the merely technical and include a geopolitical component in their assessments."

"Cybercrime is a human problem," Kelso said. "If you are focusing on making sure that your workforce is built up, your human firewall, to protect against cyber threats, you will not have to worry so much on the security software you have installed on your devices. Always remember, you have the best antivirus and cybersecurity software on your devices, but all it takes is one wrong click from a member of your workforce in order to invite the criminals in."
