New Government Ban on Kaspersky Would Prevent Company from Updating Malware Signatures in U.S.

New Government Ban on Kaspersky Would Prevent Company from Updating Malware Signatures in U.S.

The U.S. government has expanded its ban on Kaspersky software in a new move aimed at getting consumers and critical infrastructure to stop using the Russian company’s software products, citing national security concerns.

The ban, using new powers granted to the U.S. Commerce Department, would prohibit the sale of Kaspersky software anywhere in the U.S. and would also prevent the company from distributing software security updates or malware signatures to customers in the U.S.

Signatures are the part of antivirus software that detect malicious threats; antivirus vendors push new signatures to customer machines often on a daily basis to keep customers protected against new malware and threats as the vendors discover them. Without the ability to update the signatures of customers in the U.S. the ability of Kaspersky software to detect threats on those systems will significantly degrade over time.

The U.S. Commerce Department announced the ban on Thursday after what it said was an "extremely thorough investigation" but did not elaborate on the nature of the investigation or what it uncovered.

"Given the Russian government’s continued offensive cyber capabilities and capacities to influence Kaspersky’s operations ... we have to take the significant measure of a full prohibition if we’re going to protect Americans and their personal data," U.S. Secretary of Commerce Gina Raimondo told reporters in a phone call. "Russia has shown it has the capacity and, even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action that we’re taking today."

Asked what evidence the government found to support concerns that the Russian government is using Kaspersky software to spy on customers, Raimondo and other government officials on the call declined to provide specifics.

"In terms of specific ... instances of the Russian government using [Kaspersky software to spy] we generally know that the Russian government uses whatever resources available to perpetrate various malicious cyber activities," one senior Commerce official said on background. "We do not name any particular actions in this final determination, but we certainly believe that it’s more than just a theoretical threat that we describe."

The ban will not go into effect until September 29 to give existing Kaspersky customers in the U.S time to find a replacement for their antivirus software. The ban on new sales of Kaspersky software in the U.S., however, goes into effect on July 20th. Sellers and resellers who violate the ban could be subject to fines from the Commerce Department and potentially criminal action.

In addition to the ban, the Commerce Department also put three Kaspersky entities on its trade-restrictions entities list, which would prohibit U.S.-based suppliers from selling to Kaspersky, though it's unclear if Kaspersky currently has U.S. suppliers.

A Kaspersky spokesman said the company's U.S. business currently amounts to "just under 10% of the company's total revenue." The company's total revenue last year was $721 million. There are "more than a million endpoints protected by Kaspersky solutions in the U.S.," he said.

The company, in a statement sent to Zero Day, accuses the Commerce Department of making its decision "based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services." He said the company "intends to pursue all legally available options" to challenge the ban.

"We ... will continue to defend ourselves against actions that seek to unfairly harm our reputation and commercial interests," he said in an email. 

The Department of Homeland Security had previously issued a directive in 2017 banning federal government agencies and departments from installing Kaspersky software on their systems. DHS had also not cited any specific justification for its ban at the time, but media reports citing anonymous government officials at the time cited two incidents. According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the NSA tools, and the software detected the source code as malicious and extracted it from the computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.

Kaspersky denied that anyone used its software to explicitly search for secret information on customer machines and said that the tools detected on the NSA worker's machine were detected in the same way that all antivirus software is designed to detect malware on customer machines and quarantine or extract it for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker's machine was not actually malware but appeared to be source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.

Following the 2017 DHS directive, Best Buy and other commercial computer sellers that had contracts with Kaspersky to sell computers with Kaspersky antivirus software pre-installed on those systems subsequently announced they would no longer install the software on computers they sold. This didn’t, however, put an end to existing customers using Kaspersky software or prevent new customers from purchasing the software on their own.

Today's ban is designed to convince those customers to stop using the software as well.

"When Americans have software from companies owned or controlled by countries of concern – such as Russia, such as China – integrated into their systems, it makes all Americans vulnerable," Raimondo told reporters. "Those countries can use their authority over those companies to abuse that software to access and potentially exploit sensitive U.S. technology and data."

In announcing the move, Raimondo emphasized that users of the software will not face legal penalties for continuing to use Kaspersky products. But the government has already launched an aggressive education campaign designed to discourage them from using Kaspersky she said.

"U.S. individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law," Raimondo said. "However, I would encourage you in as strong as possible terms to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family."

It's not clear how large Kaspersky's U.S. customer base is. The Commerce Department said the company's business in the U.S. is "significant" but did not release any numbers to reporters.

Jake Williams, founder of the security firm Rendition Infosec and a former NSA hacker, told Zero Day that the ban on Kaspersky software could prove problematic for critical infrastructures that have the software embedded in devices and can't easily swap it out in the time frame set by Commerce.

"I'm less concerned about your average user who has a Kaspersky antivirus running on their endpoint than somebody who has it running in a security appliance like a router or firewall," he says. "They can't easily swap that out. I know I've seen Kaspersky embedded on an ATM."

He notes that the time frame for updating embedded devices is usually "measured in years not months. And some of them never get updated."

He says that anyone using an embedded device that has Kaspersky installed on it will have to rely on the maker of that device to provide an updated system that doesn't use Kaspersky, which will force customers to replace their hardware device.

"You and I both know that's not going to happen in a lot of situations," he says. "So they will likely [continue] to run [those devices} without security" once Kaspersky stops providing updates for its software to U.S. customers.

Kaspersky's spokesman noted that the ban on the sale of the company's software does not extend to its threat intelligence reports, which it can still sell to U.S. customers. But he said that the ban will likely impact international cooperation between cybersecurity experts. Kaspersky for years has collaborated with security firms and law enforcement agencies in the U.S. to help fight cybercrime and nation-state threats, sharing data and intelligence about known threats. He noted that the new ban "will restrict those efforts," but didn't elaborate on whether the company will completely halt this cooperation going forward.

Updated 3:27 pm PST: To add comment from Kaspersky.

Updated 6.28.23; To add information about Kaspersky's current earnings in the U.S. market.

See Also:

How Russian Firm Might Have Siphoned Tools from the NSA