FCC follows DHS and NSA in flagging the Moscow-based company as a threat
Germany urges current Kaspersky users to find alternatives
CISA at "Shields Up" alert status over general heightened Russian cyberattack threat against U.S. following invasion of Ukraine
OUR RECOMMENDATION: Out of an abundance of caution, home and business users might consider alternatives to Kaspersky Lab products and services
Kaspersky added to covered list for "unacceptable risk"
The United States Federal Communications Commission (FCC) has deemed all services and products from Moscow-based cybersecurity firm Kaspersky Lab to present an "unacceptable risk to national security," according to documents the agency released March 25, 2022.
Among the Russian multinational’s offerings are free computer and mobile device anti-virus software products for consumers as well as other home and business cybersecurity applications.
The company’s inclusion on the FCC’s “covered list” (created under the Secure and Trusted Communications Networks Act of 2019) means that recipients of money from the agency’s Universal Service Fund (USF) may not use those funds to purchase, maintain, modify or otherwise support any Kaspersky product or service. The roughly $8.3 billion per year USF program subsidizes telecommunications and broadband service for low-income households, rural areas, schools, libraries and rural health care providers.
Commenting on the Kaspersky announcement, FCC chair Jessica Rosenworcel said: “Today’s action is the latest in the FCC’s ongoing efforts, as part of the greater whole-of-government approach, to strengthen America’s communications networks against national security threats.”
That approach includes examining foreign ownership of telecoms providing service in the U.S. and "revoking the authorization to operate where necessary," Rosenworcel said.
China Mobile and China Telecom were added to the covered list at the same time, bringing the list to eight entries. Kaspersky Lab is the first non-Chinese company to be included; Huawei, ZTE, Hytera, Hangzhou Hikvision and Dahua were the original entries on the list of flagged equipment and services.
Temporary 2017 DHS ban made permanent in 2018
In September 2017 the U.S. Department of Homeland Security (Binding Operational Directive 17-01) ordered federal civilian agencies to identify and remove Kaspersky products from their information systems, with the restriction extended to federal contractors soon after.
At the time, the DHS cited concerns about “ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
Kaspersky was also alleged to have designed cybersecurity software for Russian law enforcement agencies and to have sent its personnel along with Russian police and intelligence services on raids and arrests.
The DHS Kaspersky ban was made permanent under the 2018 National Defense Authorization Act.
NSA's early Kaspersky prohibition
U.S. intelligence agencies have long suspected that Russian intelligence was using Kaspersky Lab’s security software as a back door to collect sensitive information from customers’ computers. Among top-secret documents leaked by former National Security Agency contractor Edward Snowden was a draft report detailing a 2008 investigation into Kaspersky products.
The NSA linked a 2014-2015 data breach, in which the Russian government obtained classified agency hacking tools, to Kaspersky anti-virus installed on a contractor’s home computer. By the time the DHS instituted its ban, the NSA had already barred its own employees and contractors from using the company’s software.
CISA maintains general "Shields Up" alert stance
On February 26, 2022, the U.S. Cybersecurity and Infrastructure Security Agency issued its first-ever "Shields Up" alert, cautioning "all organizations—regardless of size—[to] adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets."
The CISA alarm sounded as Russian wiper malware attacks climbed in the ongoing Ukraine conflict. Wipers leave targeted devices inoperable and destroy data or render it permanently unrecoverable.
CISA has not explicitly tied Kaspersky Lab products to its alert to date.
Germany advises consumers to replace Kaspersky
While the U.S. federal government has yet to advise the general public to replace Kaspersky on consumer computers and devices, Germany’s federal cybersecurity authority did just that on March 15.
The BSI (Bundesamt für Sicherheit in der Informationstechnik) issued a bulletin recommending that all users replace applications from Kaspersky's anti-virus portfolio with alternative products, citing among its reasons a heightened likelihood of cyber attack linked to Russia’s ongoing invasion of Ukraine.
The U.S. government shares NATO nation fears of Russian hybrid operations. According to CISA's Shields Up warning, “Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks."
Potential risk for misuse - including spying
What makes anti-virus so special?
"Antivirus software...has extensive system permissions and must maintain a permanent, encrypted and non-auditable connection to the manufacturer's servers," BSI said in its notice. "If there are doubts about the reliability of the manufacturer, anti-virus software poses a particular risk."
In early 2018, Digita Security chief research officer and former NSA hacker Patrick Wardle reverse-engineered and subverted Kaspersky software to demonstrate a proof of concept: that anti-virus software could be repurposed to search for classified documents.
“In the battle against malicious code, antivirus products are a staple,” Wardle told the New York Times. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.” Wardle noted attributes such as:
Persistence - installed in such a way to make sure the software is always running
Scanning - designed to observe and scan all files, including documents
Automatic updates - extend the software's capabilities in a way the user cannot inspect
Upload (exfiltration) of files - transmitting suspicious/flagged files for more analysis
Self defense & anti-analysis - mechanisms to thwart reverse-engineering efforts
In 2019, Ronald Eikenberg, a journalist at the German computer magazine c't, discovered “a major security issue [in Kaspersky Lab software] that let cybercriminals track millions of Kaspersky customers without their knowledge.” The software's behavior resembled that of malware built to manipulate banking websites, according to Eikenberg.
Kaspersky Lab ranks #4 globally among antivirus vendors by revenue. The company has repeatedly denied wrongdoing and protested the limitations that governments outside Russia have placed on its products. A pair of lawsuits it filed against the U.S. government over the DHS ban were dismissed in 2018.
What does all this mean for you?
It is important to note that, despite years of mounting concern over Kaspersky Lab products and services among American intelligence and communications agencies, the U.S. government, unlike Germany, has not as of this writing publicly advised home users, or businesses that are not federal contractors, to stop using Kaspersky anti-virus and its other cybersecurity products.
Given the changing world landscape and the ever-evolving nature of cyber risk, however, we recommend that
organizations follow the guidance outlined in CISA's Shields Up alert to be prepared to respond to disruptive cyber incidents, and
out of an abundance of caution, businesses and consumers consider replacing Kaspersky Lab products with well-regarded alternatives.
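Before replacing anything you need to know where it is installed, whether it is running, and what it is talking to; the BSI notice above rests on exactly those properties (broad permissions, persistence, a permanent connection to the vendor). The following PowerShell inventory is an added example written for this article, not code from the FCC, BSI, Kaspersky or the article's author. It uses only standard Windows cmdlets and the well-known Uninstall registry hives and Security Center WMI namespace; matching on the wildcard "*Kaspersky*" in product, publisher, service and process names is an assumption, since the article gives no product identifiers.

```powershell
# Added example (not from the article or any of the organisations it cites): inventory one
# Windows host for Kaspersky software before deciding whether to replace it.
# Assumption: the vendor's products can be recognised by "Kaspersky" in their display
# name, publisher, service name or binary path.
$pattern = '*Kaspersky*'

# 1. Installed programs, as Add/Remove Programs sees them (64-bit and 32-bit hives).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern -or $_.Publisher -like $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation

# 2. What Windows Security Center has registered as the active antivirus. The namespace
#    exists only on client SKUs, hence SilentlyContinue on servers.
$registeredAv = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
    -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe, productState

# 3. Persistence: services and running processes belonging to the product.
$services  = Get-Service | Where-Object { $_.DisplayName -like $pattern -or $_.Name -like $pattern }
$processes = Get-Process | Where-Object { $_.Company -like $pattern -or $_.Path -like $pattern }

# 4. The "permanent connection to the manufacturer's servers" described by BSI: established
#    outbound TCP sessions owned by those processes. Remote addresses are left unresolved so
#    the check itself generates no DNS traffic.
$connections = @()
if ($processes) {
    $connections = Get-NetTCPConnection -OwningProcess $processes.Id -State Established `
        -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, LocalAddress, RemoteAddress, RemotePort
}

# Emit one JSON document per host so results from many machines can be collected centrally.
[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    Installed    = $installed
    RegisteredAV = $registeredAv
    Services     = $services  | Select-Object Name, Status, StartType
    Processes    = $processes | Select-Object Id, ProcessName, Path
    Connections  = $connections
} | ConvertTo-Json -Depth 4
```

Run it in an elevated session so process paths and connection ownership are visible; across a fleet, wrap it in Invoke-Command against your machine list and aggregate the JSON. An empty Installed list with a non-empty Services or Processes list is worth a second look, since it usually means a leftover or manually deployed component that the uninstaller did not register.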