Kaspersky Is an Unacceptable Risk Threatening the Nation's Cyber Defense

As geopolitical tensions rise, foreign software presents a grave supply chain risk and an ideal attack vector for nation-state adversaries.

Kevin E. Greene, Public Sector CTO, OpenText Cybersecurity

July 22, 2024

3 Min Read
Earth, in space, with chess pieces placed on it
Source: rico ploeg via Alamy Stock Photo

COMMENTARY

The current state of play with rising cyberattacks and geopolitical tension is proving to pose significant threats to national security. The recent announcement by the US federal government to ban Kaspersky software, effective July 20, will prevent Kaspersky from selling its products in the United States, as well as restrict software updates and resales. This ruling comes on the heels of growing tensions with Russia. A Russian national was recently indicted for conspiring with Russian military intelligence to destroy Ukraine computer systems as part of cyberattacks.

This tension has been mounting, and Kaspersky is in the crossfire, for good reason. Kaspersky has long been a Russia-based company that the United States has deemed a foreign adversary, and Kaspersky is subjected to the jurisdiction, control, or direction of the Russian government, as cited in the Final Determination order

Undue and Unacceptable Risk

The order cites significant cybersecurity threats that pose undue and unacceptable risk to national security centered around strategic exploitation, primarily exposure and access to sensitive information, exploiting known software vulnerabilities to gain unauthorized access, lack of threat coverage and signatures, and access to install malicious software for backdoors. While evidence regarding the plausibility and likelihood of successful strategic exploitation has not been published, experts contend that these threat scenarios are serious enough given the review of documents and information Kaspersky provided regarding its mitigation measures to address cybersecurity risk. 

In the end, Kaspersky did not provide any new or substantial information to counter the concerns regarding undue and unacceptable risk. Given the state of play, and the ongoing concerns over Russia's cyber operations targeting US critical infrastructure, Ukraine, and other multinational partners, the Final Determination is not surprising. In fact, many believed that this should have happened back in 2017, when Kaspersky was banned for use in government environments.

The Foreign Software Supply Chain Threat

Vendors' software supply chains become an attractive attack vector for nation-state adversaries to exploit and target organizations. Oftentimes, these software supply chain attacks are carried out using zero-day attacks, or by exploiting known CVEs in the wild. For widely used software, vulnerability prevalence becomes a key driver in expanding the blast radius in cyberattacks that allow threat actors to use extortion techniques through ransomware, espionage to access classified or sensitive information, destruction, and other tactics to impose cyber effects that disrupt cyber-defense capabilities. Managing and mitigating software supply chain risk is important for sustaining long-term cyber resiliency.

According to Verizon's "2024 Data Breach Investigations Report," vulnerabilities in third-party software attributed to a significant increase in data breaches. All software has or will have exploitable vulnerabilities, so banning Kaspersky and other foreign software lowers the attack surface associated with these vulnerabilities. Foreign software presents a considerable supply chain risk given the geopolitical implications that can be used as part of a cyber operation to compromise national security. 

Geopolitical Impact on Cybersecurity and Additional Measures

As organizations continue to formalize and evolve their cybersecurity strategies, they must now factor in impacts from geopolitical activities. Security teams and leaders need to have an active finger on the pulse of the latest national security headlines, understand their effects, and use that information to inform cybersecurity strategies. 

Adversaries are also not wasting any time in weaponizing cyber for espionage activities and disruption. When cybersecurity and geopolitics are combined, it elevates mission and business risk for this nation. Organizations must also take this shift into account and use it to elevate their cyber defenses. Proactive threat intelligence is an essential tool for staying ahead of nation state and supply chain attacks, while doubling down on public/private collaborations and partnerships also helps organizations stay informed. 

Defending Forward

The Kaspersky ban should not be taken lightly. It's an opportune time for an adversary's cyber operations. Geopolitics continues to shape the new cyber battlefield and will require organizations to be more informed — not just about cyber threats, but also about the impact of geopolitics on cyber activity. Foreign software is the ideal attack vector that allows adversaries to gain a wealth of telemetry about operating environments and valuable intelligence as part of counter-intelligence operations. We must continue to "defend forward" and protect the nation from hostile threats.

About the Author

Kevin E. Greene

Public Sector CTO, OpenText Cybersecurity

Kevin E. Greene is a public sector expert at OpenText Cybersecurity. With more than 25 years of experience in cybersecurity, he is an experienced leader, champion, and advocate for advancing the state of art and practice around improving software security. He has been successful in leading federal funded research and development (R&D) and has a proven track record in tech transition and commercialization. Notably research from Hybrid Analysis Mapping (HAM) project was commercialized in former technologies/products by Secure Decisions’ Code Dx and Denim Group Thread Fix, which were acquired by Synopsis and Coal Fire respectively. Additional commercialization includes GrammaTech Code Sonar, KDM Analytics Blade platform and research transitioned to improve MITRE’s Common Weakness Enumeration (CWE) by incorporating architectural design issues from the Common Architectural Weakness Enumeration (CAWE) research project developed by Rochester Institute of Technology (RIT).

Prior to joining OpenText Cybersecurity, Kevin worked at the MITRE Corporation supporting DevSecOps initiatives for sponsors, Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) research under the Center for Threat Informed Defense (CTID), and high-performing contributor to MITRE’s CWE program. Kevin valued his time serving the nation as a federal employee at the Department of Homeland Security, Science and Technology Directory, Cyber Security division, where he was as program manager leading federal funded research in software security.

Kevin currently serves on the advisory board/committee for New Jersey Institute of Technology (NJIT) Cybersecurity Research Center where he holds both a Master of Science and Bachelor of Science in Information Systems; as well as Bowie State University Computer Technology department and Bryant University Cybersecurity/Cloud Program external advisory boards.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights