Kaspersky's US Customers Face Tight Deadline Following Govt. Ban

US businesses and consumers using Kaspersky's antivirus software products and services have until Sept. 29 to stop using them, following a Biden Administration ban earlier this week on sales of the company's technologies in the country over national security concerns.

Companies and individuals that continue to use Kaspersky products past that date will be doing so at their own — considerable — risk, because Kaspersky will no longer be able to offer any support or updates for its products after the deadline.

"It's a good time for CISOs along with other C-suite executives and board members to revisit their organizational use of the software and, frankly, to begin preparing for this to be a long-term aspect of government commercial cybersecurity regulation," says Andrew Borene, executive director at threat intelligence firm Flashpoint. "That means immediately evaluating the scope of any Kaspersky deployment, capturing current requirements, and identifying alternatives for delivering on those requirements once the ban takes full effect at the end of September."

US Concerns About Kaspersky's Moscow Ties

In a first-of-its-kind move, the US Department of Commerce, on June 20 formally banned Kaspersky from selling its products and services in the US, citing continued use of the company's software as presenting an "undue or unacceptable national security risk."

The Commerce Department's concerns have to do with Kaspersky being a Russian company and therefore apparently being obligated to turn over customer data to the government there, whenever asked for it.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive US information," the Commerce department said.

The ban marks the first time the Commerce Department has used its authority under a Trump Administration 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain (ICT).

As part of its action, the department also "designated" Kaspersky entities in Russia and the UK, meaning that US organizations and individuals are restricted from transacting business with them. In a related announcement, the US Department of Treasury placed similar restrictions on 12 key executives at Kaspersky, but notably not on the company's founder Eugene Kaspersky.

A Kaspersky spokesman described the Department of Commerce decision as likely motivated by the "current geopolitical climate and theoretical concerns rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services." Kaspersky will pursue all available legal options to fight the decision, the spokesman said in an emailed statement. He added, "Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interests and allies."

The US government decision does not impact Kaspersky's ability to continue selling its threat intelligence services or its cybersecurity training programs in the US, the statement noted.

Death Knell for Kaspersky in the US?

Even so, the US government's moves this week could effectively mean the end for Kaspersky in the country. In September 2017 the US Department of Homeland Security banned Kaspersky from selling to US federal civilian executive branch agencies over similar national security concerns. Though the company appealed that decision, the Federal Acquisition Regulation Council made it an official and permanent ban in September 2019. With this week's actions, the US government has formally blocked it from selling to US private sector companies and individuals as well.

"The US government has had its eye on Kaspersky for quite a while, so the ban is not particularly surprising," says Eric Parizo, an analyst with Omdia. The 2019 Executive Order bans the use of IT products and services that are owned or directed by a foreign adversary and pose an unacceptable risk to US national security, he says.

This week's US government action does not explicitly prohibit US individuals and organizations from using Kaspersky products after Sept. 29, 2024. But since the vendor cannot provide software updates for existing customers after that date, continued use of the product would represent a clear security risk, Parizo says. "In light of these events, it would be prudent for Kaspersky customers in the US to immediately seek alternatives." What heightens the urgency is the fact that Kaspersky's software products — like all anti-virus tools — have a lot of access to sensitive data on systems on which they are installed, he says.

Countdown to Kaspersky Sunset

Adam Maruyama, field CTO at Garrison Technology, recommends that companies which need to replace Kaspersky software make sure to catalog and identify unmanaged corporate devices that may be running the company's software. This includes looking at systems belonging to contractors on the corporate network as well as employees using personal devices at work.

"In the longer term, companies need to be conscious that a 'rip and replace' of antivirus software may not fully remove root-level access points from their systems, as antivirus programs often require root level access that is not easily removed by uninstallers," Maruyama cautions.

Given the concerns that the Commerce Department has raised about data theft and the potential weaponization of Kaspersky software, organizations should closely monitor network security suites and technical behavior of systems where Kaspersky was previously installed, he says.

The focus should be on anomalous behavior such as continued callbacks to Kaspersky or other unidentified servers. "For users with the highest levels of access to high-risk data and administrative privileges, organizations with a critical infrastructure mission may even want to consider replacing devices that previously used Kaspersky antivirus products to guard against residual risk," he says.