Moscow-based Kaspersky Lab Shuts Down US Operations; Gifts Six Months of Access to U.S. Users

After the Biden administration announced plans to bar sales of the company in the U.S., Kaspersky Lab will gradually wind down its U.S. operations. Details here.

Kaspersky Leaving US Following Government Ban

After the recent Kaspersky ban by the U.S. Commerce Department, Kaspersky is shutting down its operations in the U.S. and laying off employees. Kaspersky is a Russian cybersecurity firm, and the Commerce Department recently decided that the company’s software posed a national security risk. Subsequently, the Commerce Department banned the sale of the company’s software. Kaspersky then decided that business opportunities in the U.S. are no longer viable, leading to the company’s shutdown of U.S. operations.

Background

Global Response to the U.S. Ban of Moscow-based Cybersecurity Behemoth Kaspersky Labs

The cybersecurity community was abuzz with the announcement by the U.S. Department of Commerce, Bureau of Industry and Security (BIS), of the “Prohibition of Russian Kaspersky Software for U.S. Customers.” We also anticipate the ban will spawn debate and controversy, as software bans issued by Commerce now join broad export controls as a lever for securing the global IT supply chain (the long-term impact, outcomes, and implications of such software bans for national security and global technological advantage remain to be determined). Excerpts from the BIS press release can be found in this post, along with a sampling of news coverage from the 16 hours since the announcement, from outlets as varied as Tass, The Guardian, and Axios.

Is the Kaspersky Ban in the United States Warranted?

Recently, the Biden Administration announced a ban on the sale of Kaspersky antivirus software in the United States, citing the company’s “ties” to the Russian government as a potential risk to U.S. national security. The Bureau of Industry and Security (BIS) conducted a review of the company’s cybersecurity and anti-virus transactions and based its determination on five security risks that BIS believed Kaspersky products posed to the United States. These included perceived government ties, security weaknesses, and the opportunity such weaknesses provided the Russian government for further exploitation. BIS posted on its website a list of 81 products subject to the ban. Concern about the access this technology could give an adversary like Russia to U.S. critical infrastructure influenced BIS’ decision.

After the initial ban, the U.S. added sanctions of Kaspersky executives:

The Treasury Department sanctioned a dozen executives and senior leaders at Kaspersky Lab…the latest punitive action against the Russian antivirus company by the U.S. The department’s Office of Foreign Assets Control designated the firm’s chief operating officer, top legal counsel, human resources chief and the leader of its research and development wing, among others. It did not sanction Kaspersky Lab, its parent or subsidiary companies, or the company’s CEO, Eugene Kaspersky. The move comes a day after the Commerce Department issued a final determination to ban the Moscow-based company from the U.S. because of national security and other longstanding concerns, including risks to critical infrastructure.

Kaspersky has vehemently denied allegations that it is beholden to any government and has vowed to pursue legal options against the steps taken by Commerce. “Today’s action against the leadership of Kaspersky Lab underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats,” Brian Nelson, Treasury’s undersecretary for terrorism and financial intelligence, said in a statement. The U.S. “will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities,” he added.

Commerce also added three Kaspersky divisions to its entity list for cooperation with the Russian government in its cyber intelligence goals.

The Shutdown of Kaspersky’s U.S.-based Operations

Russian cybersecurity firm Kaspersky Labs to wind down US operations | Reuters

Kaspersky Labs will gradually wind down its U.S. operations from July 20, the Russian anti-virus software maker said on Monday, nearly a month after the Biden administration announced plans to bar sales of the company in the country. Kaspersky, which will eliminate all U.S.-based positions, did not allow consumers to purchase any products on its website earlier in the day, citing “purchase unavailable for U.S. customers”. The news of the company’s plan to leave the U.S. was first reported by CNN. The new restrictions by the U.S. government on inbound sales of Kaspersky software, which would bar downloads of software updates, resales and licensing of the product, will come into effect on Sept. 29. New U.S. business for Kaspersky is to be blocked 30 days after the restrictions were first announced on June 20.

Featured Image Source: Axios

What Next?

Kaspersky gives US customers 6 months free security products • The Register

Per Jessica Lyons at The Register as of July 17, 2024:

Embattled Russian infosec shop Kaspersky is giving US customers six months of security updates for free as a parting gift as Uncle Sam kicks the antivirus maker out of the American market. In a farewell note to US users, the soon-to-be-banned biz thanked its customers for “choosing and trusting Kaspersky throughout the years.” “We’ve always strived and remain committed to provide the best cybersecurity there is — independent, transparent and expertly managed,” the letter continues. “Unfortunately, for now, you have one less choice in defending yourself against online threats.” Kaspersky is referring to a US Commerce Department rule, announced last month, that will prohibit the business from selling software in the US to new customers beginning July 20, and also prevent it from distributing software updates and malware signatures to existing Stateside users after September 29.

“With Kaspersky leaving the US, we’d like to pay you back with the least we can: gifting you a selection of our security solutions for free for six months,” says the goodbye letter, which shows a picture of a green bear holding a heart balloon and carrying a “stay safe” sign while a tear falls from its eye. Kaspersky did not respond to The Register’s questions about which products and services would be offered to American customers for free. It’s also unclear how it will ensure the security of these products since it will be prohibited from providing software updates for them as of late September.

Updated to add at 2230 UTC

Here’s the list of stuff that’ll be offered for free: Kaspersky Standard; Kaspersky Plus; Kaspersky Password Manager; Kaspersky Safe Kids; and Kaspersky VPN Secure Connection. As for how the antivirus lab intends to keep these products secure in the US when updates are cut off from the end of September, its people told us:

Following the compliance requirements, we will be forced to stop antivirus signature and codebase updates plus disconnect apps from Kaspersky Security Network after September 29. Other functionality will continue working, including the core anti-malware functionality. In the following guide we provide more details about what’s working and what’s limited.

Kaspersky Is an Unacceptable Risk Threatening the US’s Cyber Defense – The Foreign Software Supply Chain Threat

From a commentary by Kevin E. Greene, Public Sector CTO, OpenText Cybersecurity, posted on Dark Reading:

“Vendors’ software supply chains become an attractive attack vector for nation-state adversaries to exploit and target organizations. Oftentimes, these software supply chain attacks are carried out using zero-day attacks, or by exploiting known CVEs in the wild. For widely used software, vulnerability prevalence becomes a key driver in expanding the blast radius in cyberattacks that allow threat actors to use extortion techniques through ransomware, espionage to access classified or sensitive information, destruction, and other tactics to impose cyber effects that disrupt cyber-defense capabilities. Managing and mitigating software supply chain risk is important for sustaining long-term cyber resiliency.

According to Verizon’s “2024 Data Breach Investigations Report,” vulnerabilities in third-party software attributed to a significant increase in data breaches. All software has or will have exploitable vulnerabilities, so banning Kaspersky and other foreign software lowers the attack surface associated with these vulnerabilities. Foreign software presents a considerable supply chain risk given the geopolitical implications that can be used as part of a cyber operation to compromise national security.”

Additional OODA Loop Resources

For related OODA Loop News Briefs and Original Analysis, see Kaspersky | OODA Loop.

https://oodaloop.com/archive/2024/07/18/the-june-2024-ooda-network-monthly-meeting-the-uptick-in-global-it-supply-chain-breaches-frequency-and-specific-targeting/

https://oodaloop.com/archive/2021/11/22/scenario-planning-for-global-computer-chip-supply-chain-disruption-results-of-an-ooda-stratigame/


Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See: The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its methods of data collection, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See: Disruptive and Exponential Technologies.

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.