Biden Administration Considers Imposing Sanctions on Kaspersky Labs
Client Alert | 3 min read | 04.06.22
As the U.S. government continues to ratchet up sanctions in response to the Russian invasion of Ukraine, public reporting suggests there may be a new target in the sites of U.S. sanctions authorities: Kaspersky Labs (Kaspersky), the popular Russian cybersecurity and antivirus company. Any sanctions imposed by the Department of Treasury’s Office of Foreign Assets Control (OFAC) would come on the heels of other recent government action against Kaspersky. On March 25, 2022, the Federal Communications Commission (FCC) added Kaspersky to its list of communications equipment and services that are deemed to pose an unacceptable risk to the national security of the United States, as well as the safety and security of the American people. Kaspersky, which is headquartered in Moscow, is the first non-Chinese company added to the list that includes Shenzhen-based Huawei Technologies Company and ZTE Corporation, among others. Kaspersky has publicly disagreed with the decision.
Last week, several news outlets reported that the U.S. government has been privately warning some critical infrastructure companies that Russia could manipulate software designed by Kaspersky to gain remote access to customer information systems. Similarly the United Kingdom’s National Cyber Security Centre (NCSC) has pointed out that the risk calculus has “materially changed,” and the NCSC further notes that “Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war.” Because many of Kaspersky’s most popular products relate to antivirus, endpoint protection, and cloud security, the chief concern is that such software may have privileged access to sensitive data or locations that could be exploited for Russia’s strategic advantage.
These actions, and the looming possibility of sanctions, are the latest in a multi-year campaign by the federal government to reduce the risks it has identified as associated with Kaspersky’s products and services. On September 13, 2017, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 17-01, Removal of Kaspersky-Branded Products, requiring federal agencies to remove and discontinue use of all Kaspersky antivirus software because of the inherent vulnerability that Russian government threat actors could potentially exploit the software’s system access. The following year, the National Defense Authorization Act for Fiscal Year 2018 prohibited the federal government from using hardware, software, or services developed, in whole or in part, by Kaspersky. A corresponding addition to the Federal Acquisition Regulation (FAR)—FAR 52.204-23—prohibited government contractors from providing or using such hardware, software, and services in performance of a federal contract or subcontract. In conjunction with these actions, several U.S. government officials warned of the risks to the private sector.
While the U.S. government considers sanctions against Kaspersky, there are several actions companies can undertake now to mitigate potential business disruptions and further secure their information and information systems:
- Identify Kaspersky Products and Services – Companies should first consider whether they use any of Kaspersky’s cybersecurity offerings, from antivirus and endpoint protection offerings; to cloud security; to professional services such as Kaspersky’s security awareness training, security architecture design, or vulnerability and patch management programs. Because Kaspersky’s software is often packaged with or renamed by other computer security products and services, this could require additional time and resources.
- Assess Supply Chain Implications –Companies may also wish to examine whether their vendors and suppliers use Kaspersky’s products, as sanctions can and often do come with unanticipated supply chain issues.
- Source or Develop Alternative Solutions – Companies that currently utilize Kaspersky should consider developing contingency plans to mitigate potential business disruptions. If alternatives are not already in place, now is the time to line up backup products, especially for antivirus and endpoint protection. Installing new antivirus and endpoint protection across an organization’s estate can be time-consuming, fraught with configuration difficulties, and (in nearly all cases) first requires the removal of any previous antivirus or endpoint protection systems for the new solution to operate effectively.
Contacts
Insights
Client Alert | 8 min read | 12.20.24
End of Year Regulations on Interoperability
Federal policy efforts to advance health data exchange and interoperability are continuing to change rapidly. The latest changes are the publication of two final rules by the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) finalizing parts of the of the Health Data, Technology, and Interoperability (HTI-2) Proposed Rule. These rules adopt requirements regarding the Trusted Exchange Framework and Common Agreement (TEFCA) (HTI-2 Part 1), and create a new Information Blocking exception under Protecting Care Access (HTI-2 Part 2), on December 16th and 17th, respectively.
Client Alert | 4 min read | 12.19.24
Client Alert | 4 min read | 12.19.24
Key Changes to the State Attorneys General – 2024 to 2025 Transition
Client Alert | 4 min read | 12.19.24
New EU Directive Impacting Digital Platforms and Individuals Working for Them