In September, the U.S. government banned all federal agencies from using products from Russian cybersecurity software giant Kaspersky Lab.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” according to the binding directive issued Sept. 13 by Department of Homeland Security Acting Director Elaine Duke.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
Agencies and departments were given 60 days to make plans to remove Kaspersky products from use, and 90 days to start removing the products from information systems.
Dec. 19 marks that 90-day mark, and while Kaspersky Lab CEO Eugene Kaspersky has vehemently denied allegations of aiding Russian intelligence agencies, the ripples of the ban spread beyond federal agencies.
“If it’s a requirement for the government, it’s also a requirement for Department of Defense contractors,” said Shawn Murray, president and chief academic officer for Murray Security Services. “If you’re doing business with the federal government, and you’re processing, transmitting or storing information on behalf of the government as part of your contract on company systems, you are not allowed to have Kaspersky on your networks — and it will be evaluated.”
DHS directed the removal of Kaspersky products to protect national security, Murray said, but businesses still using those products should weigh the risks to their own computing environments as well.
“If the U.S. concerns are valid, then any company can be vulnerable to losing sensitive or critical information on their computers and networks, especially if these computing resources are connected to the internet,” he said. “If a breach were to happen, a company would have to respond in accordance with federal and state laws related to their industry. Some industries are highly regulated and would require extensive response and reporting requirements.”
Kaspersky Lab is not the first tech company to be banned by the U.S. government, Murray said.
“For many years, Huawei, the largest telecommunications company in the world, has been banned from [U.S.] government networks,” he added in an email. “Huawei’s founder, Ren Zhengfeihaving, a former Chinese People’s Liberation Army officer, is believed to still hold ties with the Chinese government and its products have been long suspected of being used to spy on people, companies and governments across the globe. In 2012, the U.S. intelligence community declared that Huawei was a threat to national security.”
In fact, the list of foreign companies blocked by the U.S. government over security concerns is growing:
• On the same day as the U.S. Senate voted to ban Kaspersky, President Trump blocked Canyon Bridge Capital Partners, a Chinese government-backed equity fund, from buying Oregon-based Lattice Semiconductor.
Trump’s executive order asserted that Canyon Bridge “might take action that threatens to impair the national security of the United States” by exercising control over Lattice Semiconductor, which manufactures high-performance programmable logic devices.
• The Wall Street Journal and London-based Daily Mail have reported on complaints about Hangzhou Hikvision Digital Technology, which manufactures surveillance cameras used by police forces, one U.S. Army base, and in homes and businesses across the U.S. and the U.K.
The Chinese government owns 42 percent of the company, and the fear is that its internet-linked cameras, which boast vehicle-tracking, face-tracking and ‘see-in-the-dark’ technology, “could be hacked from Beijing at the touch of a button,” according to the Daily Mail.
• This year also saw the U.S. Army ban drones built by Chinese manufacturer DJI over cybersecurity concerns. The Aug. 2 memo cited a May 25 report by the Army Research Laboratory, which was classified, and directed personnel to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”
Rodney Gullatte, Jr., founder of Springs-based Firma IT Solutions, said businesses should always consider country of origin when choosing security software — and businesses that haven’t uninstalled Kaspersky software from their systems “should have done it months ago.”
“This has definitely hurt the trust in cybersecurity and IT,” Gullatte said. “This is a high-trust industry. If your trust is shaken, it’s hard.”