US bans Kaspersky on grounds of risks from Russia

The Bureau of Industry and Security (BIS) conducted a review and concluded that Kaspersky's cybersecurity products ‘pose unacceptable risks to the United States' national security and the security and safety of its people.’

These risks are articulated as Kaspersky being ‘subject to the jurisdiction, control, or direction of the Russian Government’, that it could provide the Russian Government access to sensitive US customer information, and that the software ‘allows for the capability and opportunity’ to install malware and withhold critical updates.

It also claims that the manipulation of Kaspersky software could cause significant risks of data theft, espionage, and system malfunction including in critical infrastructure, and risk the country's economic security and public health, ‘resulting in injuries or loss of life.’

“Kaspersky's products and services pose an unacceptable risk to United States national security and the security and safety of US persons, and an undue risk of subversion of, or sabotage to, the integrity and operation of Information and Communications Technology and Services (ICTS) in the United States,” reads the statement on the US Commerce Department’s website. “In particular, there is a significant risk of harm to the integrity and operation of ICTS and the ICTS supply chain in the United States.”

New sales in the US will be banned from July 20. To provide those that are currently using Kaspersky software with time to swap it out with other security services, BIS will allow Kaspersky to continue to operate and provide updates until September 29. The ban does not apply to Kaspersky Threat Intelligence, Kaspersky Security Training, or Kaspersky consulting or advisory services ‘that are purely informational or educational in nature.’

Kaspersky has hit back at the decision with its own announcement, stating: “Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted 3rd party, Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.

“Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interests and allies. The company intends to pursue all legally available options to preserve its current operations and relationships.” 

While the details are distinct, it’s a similar set of allegations to that which led to Huawei being kicked out of networks first in the US and later in allied countries – that the company’s presence in a geopolitical rival state poses a security risk when its products are involved in networks.

There was never much specific evidence provided in the case of Huawei that they were up to anything, but the argument was posed as a potential future incident rather than that it had caught it in the act. The horror stories involved things like the Chinese Communist Party spying through network kit, hitting a kill switch on telecoms infrastructure, or sabotaging key assets.

Opinions differ on how much such things were ever possible, but in general the precedent for exiling corporate entities on the grounds of possible future meddling in networks on behalf of unfriendly countries has certainly been set. Kaspersky for its part seems to set on fighting the decision in this instance, and though it feels unlikely in the current climate that a legal complaint could alter US policy once its various security and defence apparatus has set themselves on a course, you never know.