The Cybersecurity community will, of course, be abuzz with the announcement by the U.S. Department of Commerce, Bureau of Industry and Security (BIS) “Prohibition of Russian Kaspersky Software for U.S. Customers.” We also anticipate the ban will spawn debate and controversy as the role of software bans from Commerce now joins broad export controls as a lever in securing the global IT supply chain (with the long-term impact, outcomes, and implications of such software bans for national security and global technological advantage TBD). Excerpts from the press release from Commerce’s BIS can be found here in this post – along with a sampling of news coverage in the last 16 hours since the announcement from outlets as varied as Tass, The Guardian, and Axios – amongst others. 

Commerce Department Prohibits Russian Kaspersky Software for U.S. Customers | Bureau of Industry and Security

FOR IMMEDIATE RELEASE | Thursday, June 20, 2024 |

WASHINGTON, D.C. – Today, the Department of Commerce’s Bureau of Industry and Security (BIS) announced a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries and parent companies (together with Kaspersky Lab, Inc., “Kaspersky”).

This action is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the United States pose an undue or unacceptable national security risk. Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use. The full list of prohibited transactions can be found at oicts.bis.gov/kaspersky.

In addition to this action, BIS added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.

Today’s Final Determination and Entity Listing are the result of a lengthy and thorough investigation, which found that the company’s continued operations in the United States presented a national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations—that could not be addressed through mitigation measures short of a total prohibition.

Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination. However, any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so.

In order to minimize disruption to U.S. consumers and businesses and to give them time to find suitable alternatives, the Department’s determination will allow Kaspersky to continue certain operations in the United States—including providing anti-virus signature updates and codebase updates—until 12:00AM Eastern Daylight Time (EDT) on September 29, 2024.

BIS has determined that Kaspersky poses an undue or unacceptable risk to national security for the following reasons:

• Jurisdiction, control, or direction of the Russian Government: Kaspersky is subject to the jurisdiction of the Russian Government and must comply with requests for information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s anti-virus software.
• Access to sensitive U.S. customer information through administrative privileges: Kaspersky has broad access to, and administrative privileges over, customer information through the provision of cybersecurity and anti-virus software. Kaspersky employees could potentially transfer U.S. customer data to Russia, where it would be accessible to the Russian Government under Russian law.
• Capability or opportunity to install malicious software and withhold critical updates: Kaspersky has the ability to use its products to install malicious software on U.S. customers’ computers or to selectively deny updates, leaving U.S. persons and critical infrastructure vulnerable to malware and exploitation.
• Third-party integration of Kaspersky products: Kaspersky software is integrated into third-party products and services through resale of its software, integration of its cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services. Third-party transactions such as these create circumstances where the source code for the software is unknown. This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data.

Kaspersky is a multinational company with offices in 31 countries, servicing users in over 200 countries and territories. Kaspersky provides cybersecurity and anti-virus products and services to over 400 million users and 270,000 corporate clients globally.

The U.S. Government previously took action against Kaspersky in 2017, when the Department of Homeland Security issued a directive requiring federal agencies to remove and discontinue use of Kaspersky-branded products on federal information systems. Additionally, the National Defense Authorization Act (NDAA) for Fiscal Year 2018 prohibited the use of Kaspersky by the Federal Government. In addition, in March 2022, the U.S. Federal Communications Commission added to its “List of Communications Equipment and Services that Pose a Threat to National Security” information security products, solutions, and services supplied, directly or indirectly, by Kaspersky. Today’s determination by the Department is the latest U.S. Government action in an ongoing effort to protect U.S. citizens’ national security.

The Department is working with the Department of Homeland Security (DHS) and Department of Justice (DOJ) to inform U.S. customers, including State, Local, Tribal, and Territorial (SLTT) government agencies, non-government customers at the SLTT level, and critical infrastructure operators, about ways to easily remove the software. In addition, the Department is working with federal departments and agencies to inform users about this action and ensure a smooth transition for customers.

Additional information about this action and publicly available resources can be found on our website [oicts.bis.gov/kaspersky] and Frequently Asked Questions (FAQs) page.

The text of the Final Determination and a non-exhaustive list of prohibited products and services are available in the Federal Register online here.

OODA Loop – Biden Bans Kaspersky Software, Gives Users 100 Days To Find Alternative (Forbes)

Present Biden declared an immediate ban on Kaspersky software in the U.S., beginning with the sale of the software and continuing with a ban of its use in late September.

The Bureau of Industry and Security (BIS) found that Kaspersky software poses “unacceptable risks to the United States’ national security.” The risks involved with the use of the software include threats from the Russian Federation and vulnerabilities within the software that could be exploited by Russia. BIS believes the software could be exploited in critical infrastructure, causing data theft, espionage, and system malfunction.

Some services will not be affected by the ban, including threat intelligence, training, and consulting services. Kaspersky has committed to pursue legal options in attempts to overturn the ban and insists that the company is not involved in any activities which threaten U.S. national security.

Further Global News Coverage and Analysis

•  US prohibits use of Kaspersky Lab software on its territory since September 29 – Business & Economy – TASS

• Cybersecurity firm Kaspersky denies it’s a hazard after the US Commerce Dept bans its software – The Boston Globe

• US Bans Kaspersky Software | WIRED

• US blacklists sale of Russia-based Kaspersky products over ties to Kremlin – Nextgov/FCW

• U.S. bans sales of Kaspersky anti-virus software, citing ties to Russia – The Washington Post

• US To Ban Kaspersky Sales As Cybersecurity Vendor Denies Threat Accusations (crn.com)

• Kremlin slams US ban on cybersecurity firm Kaspersky (Daily Tribune – Phillipines)

• US bans Kaspersky software over alleged links to Russia | Euronews

• Biden bans US sales of Kaspersky software over Russia ties | Reuters

• US bans sales of Kaspersky antivirus software over Russia ties | US foreign policy | The Guardian

Additional OODA Loop Resources

https://oodaloop.com/archive/2021/11/22/scenario-planning-for-global-computer-chip-supply-chain-disruption-results-of-an-ooda-stratigame/

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its methods of data collection, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See Disruptive and Exponential Technologies.