FCC blacklists popular Russia-based security software firm Kaspersky

Visitors pass the Kaspersky Lab pavilion at the CeBIT 2017 tech fair in Hannover, Germany. The German and U.S. governments recently labeled products from the company "a threat to national security."
Krisztian Bocsi/Bloomberg

The Federal Communications Commission last week added Moscow-based cybersecurity software company Kaspersky to a list of companies whose products pose “a threat to national security.”

Although a company spokeswoman declined to say how many U.S. banks the privately owned company serves, the company is known to serve banks internationally, and in 2015 it identified a cyberattack targeting financial institutions. Kaspersky said recently on its website it protects the data of “over 400 million users” and that it has 240,000 corporate clients around the world.

Kaspersky-branded products have long been a top pick among independent reviewers, including AV Test, PC Magazine, TechRadar and Tom’s Guide, and a popular choice among U.S. banking consumers. Among the features in its consumer software is Safe Money, a web browser extension designed to protect consumers when they enter bank or payment information online.

Though last week’s announcement from the FCC about Kaspersky is not the first action against the company by the U.S. government, it is a timely message about the government’s stance on the company’s suite of products. According to Reuters, the government began privately warning some companies the day after Russia invaded Ukraine that Moscow could manipulate Kaspersky software to cause harm.

“Today’s action is the latest in the FCC’s ongoing efforts, as part of the greater whole-of-government approach, to strengthen America’s communications networks against national security threats, including examining the foreign ownership of telecommunications companies providing service in the United States and revoking the authorization to operate where necessary,” said FCC Chairwoman Jessica Rosenworcel.

Before the FCC declared that Kaspersky products pose a national security threat, Germany’s Federal Office for Information Security said on March 15 that any Russian IT manufacturer “can conduct offensive operations itself, be forced to attack target systems against its will, be spied on without its knowledge as a victim of a cyber operation or be misused as a tool for attacks against its own customers.”

The Italian Data Protection Authority said on March 18 it had begun a “fact-finding exercise” regarding Kaspersky products in response to alerts from “several IT security agencies both in Italy and in Europe regarding use of the software to wage cyber-attacks against Italian users.”

Eugene Kaspersky, CEO of Kaspersky Lab, looks on during a 2016 news conference at the World Economic Forum in Davos, Switzerland. The company said recently it runs some of its key operations out of Switzerland, but critics say its Russian workforce exposes it to coercion by a hostile government.
Jason Alden/Bloomberg

Kaspersky responded to the German statement by saying it was “not based on a technical assessment of Kaspersky products” but rather “made on political grounds.” The company said it relocated its cyberthreat-related data processing infrastructure to Switzerland in 2018 and that it had other processing operations in Canada, Germany and elsewhere.

“The security and integrity of our data services and engineering practices have been confirmed by independent third-party assessments: through the SOC 2 Audit conducted by a ‘Big Four’ auditor, and through the ISO27001 certification and recent re-certification by TÜV Austria,” a company statement reads.

Kaspersky doubled down on its line about politics after the FCC’s announcement last week, saying the government action was “a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services.”

A Kaspersky spokeswoman told American Banker the company’s technologies “are trusted by hundreds of global technology and OEM partners” and that it works together with law enforcement agencies including Interpol and Europol. The spokeswoman also said Kaspersky “does not have any ties to the Russian government.”

Critics pointed out Kaspersky counts the Russian government as one of its clients, attacked company CEO Eugene Kaspersky for his statement on Russia’s invasion of Ukraine and said his Russian employees could become targets of government coercion. Product review publication PC Magazine, which Kaspersky had previously held up as a positive reviewer, said it could “no longer recommend Kaspersky products.”

The FCC’s action last week cited a directive issued by the Department of Homeland Security in 2017, requiring all federal agencies to drop any reliance on Kaspersky products. Congress later passed a law affirming the action, and President Donald Trump signed it. The company responded by suing the government on a claim that it had been deprived of due process.

A judge later dismissed the lawsuit and a second case the company filed questioning the constitutionality of the related law, saying that although the actions could well have an adverse effect on the company, “that does not make them unconstitutional.”
