Kaspersky Is an Unacceptable Risk Threatening the Nation's Cyber Defense

COMMENTARY

The current state of play with rising cyberattacks and geopolitical tension is proving to pose significant threats to national security. The recent announcement by the US federal government to ban Kaspersky software, effective July 20, will prevent Kaspersky from selling its products in the United States, as well as restrict software updates and resales. This ruling comes on the heels of growing tensions with Russia. A Russian national was recently indicted for conspiring with Russian military intelligence to destroy Ukraine computer systems as part of cyberattacks.

This tension has been mounting, and Kaspersky is in the crossfire, for good reason. Kaspersky has long been a Russia-based company that the United States has deemed a foreign adversary, and Kaspersky is subjected to the jurisdiction, control, or direction of the Russian government, as cited in the Final Determination order. 

Undue and Unacceptable Risk

The order cites significant cybersecurity threats that pose undue and unacceptable risk to national security centered around strategic exploitation, primarily exposure and access to sensitive information, exploiting known software vulnerabilities to gain unauthorized access, lack of threat coverage and signatures, and access to install malicious software for backdoors. While evidence regarding the plausibility and likelihood of successful strategic exploitation has not been published, experts contend that these threat scenarios are serious enough given the review of documents and information Kaspersky provided regarding its mitigation measures to address cybersecurity risk. 

In the end, Kaspersky did not provide any new or substantial information to counter the concerns regarding undue and unacceptable risk. Given the state of play, and the ongoing concerns over Russia's cyber operations targeting US critical infrastructure, Ukraine, and other multinational partners, the Final Determination is not surprising. In fact, many believed that this should have happened back in 2017, when Kaspersky was banned for use in government environments.

The Foreign Software Supply Chain Threat

Vendors' software supply chains become an attractive attack vector for nation-state adversaries to exploit and target organizations. Oftentimes, these software supply chain attacks are carried out using zero-day attacks, or by exploiting known CVEs in the wild. For widely used software, vulnerability prevalence becomes a key driver in expanding the blast radius in cyberattacks that allow threat actors to use extortion techniques through ransomware, espionage to access classified or sensitive information, destruction, and other tactics to impose cyber effects that disrupt cyber-defense capabilities. Managing and mitigating software supply chain risk is important for sustaining long-term cyber resiliency.

According to Verizon's "2024 Data Breach Investigations Report," vulnerabilities in third-party software attributed to a significant increase in data breaches. All software has or will have exploitable vulnerabilities, so banning Kaspersky and other foreign software lowers the attack surface associated with these vulnerabilities. Foreign software presents a considerable supply chain risk given the geopolitical implications that can be used as part of a cyber operation to compromise national security. 

Geopolitical Impact on Cybersecurity and Additional Measures

As organizations continue to formalize and evolve their cybersecurity strategies, they must now factor in impacts from geopolitical activities. Security teams and leaders need to have an active finger on the pulse of the latest national security headlines, understand their effects, and use that information to inform cybersecurity strategies. 

Adversaries are also not wasting any time in weaponizing cyber for espionage activities and disruption. When cybersecurity and geopolitics are combined, it elevates mission and business risk for this nation. Organizations must also take this shift into account and use it to elevate their cyber defenses. Proactive threat intelligence is an essential tool for staying ahead of nation state and supply chain attacks, while doubling down on public/private collaborations and partnerships also helps organizations stay informed. 

Defending Forward

The Kaspersky ban should not be taken lightly. It's an opportune time for an adversary's cyber operations. Geopolitics continues to shape the new cyber battlefield and will require organizations to be more informed — not just about cyber threats, but also about the impact of geopolitics on cyber activity. Foreign software is the ideal attack vector that allows adversaries to gain a wealth of telemetry about operating environments and valuable intelligence as part of counter-intelligence operations. We must continue to "defend forward" and protect the nation from hostile threats.