The cybersecurity firm Kaspersky denied Friday that it is a security threat after the U.S. Commerce Department banned the use of its software in the United States.
The Moscow-based company — whose CEO Eugene Kaspersky is Russian — said in a statement that the Commerce Department’s decision would not affect its ability to sell and promote its cyber security products and training in the U.S.
Kaspersky said the government had based its decision on the “geopolitical climate and theoretical concerns” rather than independently verifying if there was a risk. The government says Kaspersky’s Russian connections mean the company poses an “undue or unacceptable risk to U.S. national security or the safety and security.”
The company conducts much of its business in Russia and, as a Russian citizen who lives in that country, Eugene Kaspersky himself is subject to Russian law, the Commerce Department said in a decision dated June 14 that was posted on the Federal Register.
The department said it had considered Kaspersky's objections to the initial findings of its investigation into whether its products or services posed a threat and found that the decision to ban its software was “well supported.” Aside from the company's obligation to abide by Russian laws and decisions, its software can be exploited to identify sensitive U.S. citizens' data and make it available to Russian government actors, the department said.
Kaspersky boasts one of the world’s most popular consumer antivirus products and a research unit widely respected for routinely exposing elite hacking groups. In 2019, The Associated Press found that an undercover operative had targeted several cybersecurity experts in an apparent effort to gather intelligence about critics of Kaspersky.
The company says it cannot deliberately obtain sensitive data on Americans and that its operations and employees in Russia can only access aggregate or statistical data not attributable to a specific person. It said the main impact of the U.S. government's decision would be to benefit cybercrime, while also diminishing the freedom of consumers and organizations to choose the cyber protection they want.
Weighing in on the decision was Andrew Borene, Executive Director for Global Security at threat intelligence firm Flashpoint. He is also a former senior officer at the U.S. Office of the Director of National Intelligence and the National Counterterrorism Center (NCTC).
“This decision is a logical reflection of the tectonic shifts that are dividing economies along the lines of power competition between allies and the Russia/China/Iran/North Korea digital domain; these divides obviously extend into private sector actors as well. Kaspersky has a history of problems with U.S., Canadian and other allied governments -- banning its use for U.S. security probably is a wise choice in many cases, particularly in the categories of civilian critical infrastructure at state/local/municipal level, whether that infrastructure is inherently governmental or privately owned and operated.”
Adam Maruyama, Field CTO at Garrison Technology, also offered his thoughts. “The administration’s move to ban Kaspersky Lab products in the United States underscores the stakes of security products gone bad, wherein the privileges that are supposed to be used to protect networks and systems are instead used to subvert security mechanisms, deploy malware, and steal data.
“But deliberate seeding of such capabilities via a commercially available product is only the tip of the iceberg. In their report on zero-days exploited in the wild in 2023, Google noticed a marked increase in attacks against enterprise security software, including detection and response, VPN, and firewall operating systems. Left unchecked, this rise in exploits could provide attackers the same privileged access they would have had if administrators installed compromised software.
“As threat actors become more sophisticated and look to privileged services such as security software to gain and maintain persistent access, the cybersecurity community needs to rethink the way we consider security solutions. If we don’t fundamentally rethink the way we approach and enforce security, our most sophisticated adversaries will continue to subvert the software meant to keep us safe – whether it’s by shipping compromised software or attacking and compromising legitimately-developed solutions.”