Recently, the Biden Administration announced a ban on the sale of Kaspersky antivirus software in the United States, citing the company’s “ties” to the Russian government as a potential risk to U.S. national security. The Bureau of Industry and Security (BIS) conducted a review of the company’s cybersecurity and anti-virus transactions, making its determination based on five security risks BIS believed Kaspersky products posed to the United States. These included perceived government ties, security weaknesses, and the opportunity such weaknesses provided the Russian government for further exploitation. BIS posted on its website a list of 81 products subject to the ban. Concerns about the potential access this technology could give an adversary like Russia to U.S. critical infrastructure influenced BIS’ decision.
Kaspersky denied these allegations, citing geopolitics rather than facts as driving the ban and asserting that the company “has implemented significant transparency measures that are unmatched by any of its cybersecurity industry peers to demonstrate its enduring commitment to integrity and trustworthiness,” among other rebuttals. Compounding matters, the U.S. Office of Foreign Assets Control imposed sanctions on 12 Kaspersky executives (though not on Kaspersky Lab, its parent or subsidiary companies, or its founder and chief executive officer), perhaps in an attempt to hold accountable individuals it believed would facilitate espionage activities via Kaspersky products.
While the ban comes at a time, geopolitically, when the United States is fully committed to its support of Ukraine in its proxy conflict with Russia, this is not the first time the U.S. government has singled out Kaspersky as a potential threat. Indeed, Kaspersky has been in the U.S. government’s crosshairs for some time: the government prohibited the use of Kaspersky products in government agencies’ networks in 2017 and placed the company on a growing entity list of Chinese technology and telecommunications companies that includes Huawei, ZTE, China Mobile, and China Telecom. Companies designated to the list are barred from purchasing parts and components without the approval of the U.S. government. In its defense, Kaspersky has routinely tried to assuage U.S. concerns, firmly asserting that the threat claims are unsubstantiated and opening a Transparency Center in the United States in 2021, a dedicated facility that reviewed programming code, software updates, and other “technical and business processes.” Kaspersky did the same for European governments, where the Belgian, French, and German governments found no evidence of wrongdoing.
It’s clear that the U.S. government has been increasingly ratcheting up pressure on Kaspersky, but it begs the question: why impose a full and total ban now, one that will impact citizens who have bought Kaspersky products? Unfortunately, for those satisfied with Kaspersky security solutions, the government has made the decision for them to find an alternative. Though the BIS exempted Kaspersky threat intelligence products and services, security training products and services, and consulting/advisory services, customers of other offerings will have until September 29 to look elsewhere for their solutions, as Kaspersky will no longer be able to provide signature updates after this date. As of July 20, the company will not be able to sell or license its software in the United States. For those who have these software products, they will stop working soon.
While the U.S. government cites national security risks as justification for the ban, it has offered very little in the way of evidence to support its decision. In 2022, after the Russian invasion of Ukraine, the government held private briefings with some U.S. companies warning about the threat posed by Kaspersky products. At the time, there was no indication whether a specific incident catalyzed the need for such a briefing, though no “new” information emerged, leaked or otherwise, suggesting there was none. In the past, the government has provided technical analysis of foreign government-linked cyber activities via joint bulletins as a way of legitimizing accusations. When it comes to Kaspersky, this type of evidence-based allegation has always been lacking, calling into question the credibility of such claims when more definitive evidence is not shared.
So, the question remains, why now?
Since the U.S. government has already banned Kaspersky product use in federal agencies, the call for a U.S.-wide ban can be interpreted as an effort to limit what the government perceives to be Russia’s reach into the United States. This would suggest that the Russian government does indeed have a close relationship with Kaspersky, and that such a ban would throw a major monkey wrench into its espionage and sabotage operations. This would further suggest that the U.S. government has the necessary damning classified evidence of such a connection, without necessarily having to expose the “sources and methods” routinely referenced when speaking about “national security.”
However, this seems unlikely. If it did, it is logical to presume that the ban would have been mandated as soon as those facts were borne out, rather than arriving through a gradual 10-year evolution.
After all, if the link is there, why not ban the company completely, rather than just its products and only some of its business operations? A 2017 allegation said that Kaspersky did work for the Russian government, engaging with the Russian Federal Security Service (FSB) and providing the intelligence agency with real-time information on hackers’ geographic locations, aiding in raids against them. Such “collaboration” has been championed as the “smoking gun” to indict Kaspersky. Still, many other cybersecurity vendors have been known to assist their host governments in a similar capacity. Several U.S.-based vendors even have employment opportunities for those with security clearances, presumably to interact with the U.S. government. Would they be considered arms of the state as well?
What is more likely is that the U.S. government wanted U.S. companies to stop using Kaspersky products per its own dictates. According to one news source, key critical infrastructure industry companies may have still been using Kaspersky products, despite the government’s stern warnings and the classified briefing on the subject in 2022. So, it would appear that it failed to convince those companies about the threat, and as a result, the U.S. government exercised its own authority to get them to comply. Critical infrastructure security is important, but the manner in which it is done is also important. Banning a company from doing business in the country because of potential risks is doing the right thing for the wrong reasons and draws comparisons to the way authoritarian regimes maintain security and control.
Just as China’s laws compel Chinese companies to assist the government when called upon, Russia has expanded its own legal mandates over Russian Internet and telecommunications companies, increasing surveillance of Internet communications. The worry is that Kaspersky would have to surrender U.S. customer data transmitted through its products. However, if such examples exist in U.S. intelligence channels, they haven’t been shared with the public or private companies, making such concerns – while legitimate – hypothetical until proven otherwise, and allowing the government to make uniform decisions in the public’s interest without the public’s input.
“National security” has become a go-to phrase that is quickly used when the government needs to explain why it has done something that seems immediate and unnecessarily draconian. Under such a pretense, it does not have to show its work unless it wants to. And if the United States has the proof against Kaspersky, there is no reason not to show it publicly now. This would go far in rebuilding trust with a public that is desperately looking for government transparency, allowing the government to demonstrate how it’s protecting its citizens and the industries on which they rely. Otherwise, this ban risks being merely a geopolitical gambit, forcing the company to pivot its sales to organizations in friendly countries as the divide between Russia and the United States further widens.
Is Kaspersky a threat? Possibly. But there has not been the type of evidence that would solidify this conclusion, and the government’s final decision to ban does not list any specific instances of Russia leveraging Kaspersky products for exploitation. Unfortunately, in an era of dwindling government transparency, that’s the kind of response that’s becoming less an anomaly and more the norm.