Kaspersky Antivirus: Why the software was added to a US security risk list

Kaspersky, the fifth-largest vendor of enterprise IT products, has been added to the US FCC's blacklist

Shannon Flynn
04/07/2022

Those who know cyber security know Kaspersky Lab. The company was founded in 1997, is operated by a holding company in the UK and is headquartered in Russia.

In 2021, Gartner named Kaspersky the third-largest provider of consumer-level IT products and the fifth-largest vendor of enterprise IT products. The company offers antivirus, antimalware, password and endpoint management and other digital security products.

Despite Kaspersky being a household name, the US Federal Communications Commission decided to blacklist the company.

Kaspersky Lab Makes the FCC Blacklist

The FCC and the Department of Homeland Security (DHS) regularly amend the list of foreign IT vendors they consider threats to national security. On 25 March 2022 the FCC added Kaspersky.

Kaspersky joins a roster of companies which, according to the FCC, “pose an unacceptable risk to national security or the security and safety of United States persons”. Two Chinese-owned companies were added on the same day – China Mobile International and China Telecom Corp.

There are no federal-level cyber security laws in the US, but this blacklist, called “List of Equipment and Services Covered by Section 2 of the Secure Networks Act”, is one mechanism with which the country defends its online infrastructure. When keeping a single office secure is challenging enough, eliminating variables in a problem as vast as national security seems attractive.

Security against state-backed threats

FCC commissioner Brendan Carr said this decision is intended to “help secure our networks against threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests.”

Although this decision follows the Russian invasion of Ukraine – which began in late February 2022 – the US government has banned Russian-made IT products before. In September 2017, US officials banned antivirus products made by Kaspersky from federally owned networks.

The recent Russian aggressions in Ukraine were not mentioned in the FCC’s announcement, nor was President Joe Biden’s warning to the private sector about potential Moscow-backed cyber-attacks.

Kaspersky fired back quickly. The company claims the maneuver was “made on political grounds” and denounced the ban as an “unsubstantiated … response to the geopolitical climate rather than a comprehensive evaluation of … Kaspersky’s products”.

Officials at the Chinese embassy in Washington, D.C., also issued a statement, saying the FCC had “abused state power and maliciously attacked Chinese telecom operators again without factual basis. The US should immediately stop its unreasonable suppression of Chinese companies.”

Purpose of the blacklist

It remains unclear what the nature of the “unacceptable risk” cited by the FCC is. Kaspersky operates from a headquarters in Russia and the other companies blacklisted on the same day are based in China, leaving some to question whether the threat is a real one or whether it is guilt by association.

According to the 2017 banning of Kaspersky products from federal networks, the FCC was specifically worried about provisions in Russian law concerning data sharing. In 2017, a White House spokesperson explained that Russian law requires companies like Kaspersky to cooperate and share information with national spy agencies like the Federal Security Service, the successor agency to the notorious KGB.

In their own words, Homeland Security was concerned about the “risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems.”

This new decision by the FCC is its most decisive yet – this is the first Russian company to make the blacklist – but it is built on the same logic as previous denunciations of Kaspersky.

It should be noted that there is a longstanding precedent of US-based cyber security and telecommunications companies providing user data to the US government in response to subpoenas.

Government agencies compelling private domestic companies to compromise user privacy, in order to pursue action against individuals or groups, is not a new phenomenon nor exclusive to any one country.

As for the effects of the blacklist, those who rely on Kaspersky services likely will not be affected. There is nothing stopping individuals or organizations from buying Kaspersky products. However, Kaspersky products can no longer be purchased using government subsidies.

In the name of national digital sovereignty

Kaspersky Lab says its client base is 400 million strong, even years after being banned from US federal networks. The closure of federal subsidies may impact the company’s bottom line, but likely not significantly.

The larger impact is on national digital sovereignty. As with the blacklisting of Huawei products in March 2021, the US is setting a strong precedent when it comes to keeping its chief economic rivals out of its digital infrastructure as much as possible.

