
Kaspersky software ban: CISOs must move quickly, experts say

Feature
Jul 04, 2024 | 9 mins
Anti Malware, Government, Security Software

With the October deadline looming, CISOs would be well-advised to start planning their migrations to other security products.

Kaspersky Lab sign on building exterior
Credit: Tatiana Belova / Shutterstock

In June the US government enacted new restrictions on Kaspersky's customers, indicting 12 of its executives and prohibiting further sales of its software and services. The regulations augment existing bans on the use of its software by US federal agencies, which began several years ago and have been followed by similar bans in places such as Lithuania and the Netherlands.

The action was a coordinated effort by the Commerce and Treasury departments, based on national security concerns about potential cooperation with Russian intelligence agents.

The 12 executives cited by the Treasury do not include Eugene Kaspersky, the founder and CEO of the company and its most visible spokesperson, and the action does not cite the corporate entity itself or any of its subsidiaries. Those named include the head of human resources, various vice presidents and the CTO.

The first bans, which began in 2017, motivated moving Kaspersky's main corporate data center from Moscow to Switzerland. Since then, the company has opened 12 of what it calls "transparency centers" around the world, where reviews of source code and threat detection methods are shared with partners, government agencies and customers. Some data processing still takes place in Moscow, which is part of what made US regulators nervous and helped bring about the June restrictions. "When the feds first banned Kaspersky for their own use, this set off a wave of customers moving away to its competitors," says Greg Schaffer, who is a virtual CISO to numerous businesses. "I think this latest ban is prudent, even though I haven't seen any proof of any potential exploits."

Kaspersky responds to the latest US ban

Kaspersky has pushed back on the Treasury indictments, saying they are “unjustified and baseless.” The company has also said that the Commerce Department’s new rules don’t apply to those parts of its operations that have no relevance to national security issues and should be exempt from the ban, such as its extensive slate of training courses on threat intelligence, incident response, and digital forensics.

Kaspersky claims that any threat intelligence products should be exempt, although that feature is part of many of its products and not easily isolated from its managed detection or endpoint detection tools. That potentially means future litigation over what is and isn't part of the banned products and services that fall under the Commerce Department edicts.

What CISOs should do now

Kaspersky claims 270,000 corporate clients, although, to be clear, that counts every customer in the world. While many of its previous customers have already migrated to other security products, those in the US that are still using their software need to make plans now. “Don’t wait until October, the last minute to switch because then it becomes a business continuity issue. The time is now to assess your risk and figure out what parts of your infrastructure could be compromised or need replacing,” says Schaffer.

Tim Crawford, founder of research and advisory firm Avoa, also argues for immediate action. “You have to move quickly, don’t wait or take a chance to get close to that October deadline, because those non-updated systems will become fully vulnerable, and hackers are lying in wait for you,” he tells CSO.

Part of the problem harks back to how deep anti-malware products are buried within an OS and a network infrastructure. “There is a lot of time and effort involved in replacing these types of products,” says Matthew Rosenquist, CISO at Mercury Risk and Compliance. “Figuring out the APIs that are affected, what telemetry is being sent and compatibility with other security tools, such as a SIEM and other managed threat feeds, all of this will take time to test properly.”


One tactic is to view the transition away from Kaspersky as “just another form of incident response,” says Keri Pearlson, the executive director of the research consortium CAMS at MIT Sloan School. “But this time instead of an incident generated by a breach, this incident is generated by new rules. CISOs with a mindset of resilience will recognize this as another exercise of how resilient their organizations are. With these new directives forbidding the use of technology from a specific vendor, CISOs must now figure out how to transition to something new. The technology seems to work fine, but new rules make it necessary to stop using it.”

This should be part of thinking about the tech stack from a resilience perspective, Pearlson says. "CISOs must respond. They must respond quickly, efficiently and effectively. While transitioning to new technology from a new vendor might take time, it must be done." She adds that resiliency planning should also cover the replacement of a previously trusted vendor, "and frankly any other disruptive incident that might get in the way of operations is an imperative today."

Some think that this is only the tip of the iceberg, and things are bound to get worse. “We need to get a lot more serious about cybersecurity,” says John Cronin, a long-time IT consultant. “Russia is one of the top cyberattack sources, and one of the top data harvesting actors. Russia will continue to manipulate companies to their advantage. Even if the product is perfectly safe today, it could change in a heartbeat,” says Rosenquist. “We don’t want our adversaries to have any advantage.”

From time to time matters of state trump matters of commerce and now is that time, according to GigaOm analyst Howard Holton. “As a security tool that poses significant risk as they have access to assets at a fundamental level, it is a clear supply chain security issue. This is the first time the US has taken this step, and it would be prudent for the world to listen. The threat is real, and the prohibition is not issued lightly.”

Impact on resellers

What is new this time is that the scope of the ban has widened to include Kaspersky partners and resellers, who could be subject to trade sanctions and criminal prosecution if they continue to sell the company’s products and services, including selling software updates come October. Kaspersky does a large part of its B2B sales through these partners. “This will put some pressure on its customers, many of whom operate large critical infrastructures, such as Volkswagen for example,” says Rosenquist.

L3 Networks is a Kaspersky managed services provider that tells CSO it moved away from selling the company's products several years ago. "We are still listed as a reseller because you never know what the future will hold, and we like to maintain multiple vendor relationships and have alternative vendors in case we have to shift," says co-founder Steve Griffin. L3 runs full-service managed SOC and NOC services out of its offices in California and Armenia. "We got to be able to pivot to other vendors. We don't want to pour too much concrete and fall in love with a particular vendor and must protect ourselves and have other irons in the fire."

Three big reasons why Kaspersky is a target

This isn’t the first foray into banning computer products from non-US sources. Experts have mixed feelings over bans on Huawei and TikTok, both China-based. “It is hard to tell in these situations if the policy is based on real threats or because someone doesn’t like the Russians or Chinese,” says Cronin.


But what is different in Kaspersky's situation is that this concerns security software itself. Schaffer points to the first of three issues motivating these actions against Kaspersky. "Part of the problem is that all anti-malware software phones home to check for latest virus signatures and behavior patterns, so there is a potential for bi-directional communications and attacks."

Larry Dietz, a seasoned cybersecurity consultant and instructor, tells CSO this makes vendors based in China or Russia more suspect, whether or not they are actually doing anything. Ironically, Kaspersky has in the past tried to distance itself from its Russian heritage by identifying Russian-sourced attacks, efforts that apparently have fallen on deaf ears in Washington.

Another issue is that anti-malware software must work closely with the underlying Windows or macOS operating system, which makes it more difficult to track its operation if it is part of any active malware exploit. "These tools go deep into your OS by their very nature," security consultant David Goodman tells CSO.

The third issue is one of necessity for any modern security software: it needs constant care and feeding in terms of software updates, which are specifically prohibited in the Commerce sanctions regulations. Any security product that isn’t being updated is quickly a target for attackers, as has been seen numerous times with exploits that seek out older versions specifically.
