The US Department of Commerce (DOC) is considering sanctions against Kaspersky Lab “weighing an enforcement action under its online-security rules”, The Wall Street Journal reported on Friday. Sources said this could be a test case for future actions against Chinese-controlled technologies, namely TikTok.
The cybersecurity company has been under suspicion for years, with Western governments concerned it could be weaponized by the Kremlin.
In 2017 the US government banned federal agencies software from using Kaspersky Lab, citing concerns over the company’s alleged ties to Russian intelligence. Private companies and individuals were discouraged from using Kaspersky products, and several US retailers stopped selling the company’s software.
The US government launched a security probe into Kaspersky Lab in early 2022 amid heightened cyberattacks following Russia’s invasion of Ukraine. The firm was then added to a list of national security risks.
Founded in 1997 by KGB-trained engineer and cybersecurity expert Eugene Kaspersky, the company has for some time been under suspicion of potential links to the Russian government. In 2017, Kaspersky said the allegations of his company’s involvement in Russian hacks were “like the script of a C-movie”.
Microsoft violations
The news comes as the DOC imposed a combined $3.3m in civil penalties against Microsoft Corporation for alleged and apparent violations of US export controls and sanctions laws involving Cuba, Iran, Syria, Russia, and Ukraine.
Microsoft reportedly voluntarily self-disclosed the alleged violations and cooperated with a joint investigation. It took remedial measures after discovering the conduct at issue, which predated the export controls and sanctions imposed in connection with Russia’s invasion of Ukraine.
“US companies will be held accountable for the activities of their foreign subsidiaries,” said Matthew S Axelrod, Assistant Secretary for Export Enforcement at the DOC. “[The DOC will] ensure that US export control and sanctions laws are enforced effectively, wherever in the world the underlying conduct occurs.”
Security precautions
Companies are now concerned about the about the security implications of using Kaspersky products. Law firm Crowell and Moring last year suggested the following actions:
- Identify Kaspersky products and services – Companies should first consider whether they use any of Kaspersky’s cybersecurity offerings, from antivirus and endpoint protection offerings; to cloud security; to professional services such as Kaspersky’s security awareness training, security architecture design, or vulnerability and patch management programs. Because Kaspersky’s software is often packaged with or renamed by other computer security products and services, this could require additional time and resources.
- Assess supply chain implications – Companies may also wish to examine whether their vendors and suppliers use Kaspersky’s products, as sanctions can and often do come with unanticipated supply chain issues.
- Source or develop alternative solutions – Companies that currently utilize Kaspersky should consider developing contingency plans to mitigate potential business disruptions. If alternatives are not already in place, now is the time to line up backup products, especially for antivirus and endpoint protection. Installing new antivirus and endpoint protection across an organization’s estate can be time-consuming, fraught with configuration difficulties, and (in nearly all cases) first requires the removal of any previous antivirus or endpoint protection systems for the new solution to operate effectively.