5 Questions On The Kaspersky Ban

In a first-of-its-kind action, the Department of Commerce’s Bureau of Industry and Security (BIS) announced on June 20 that Russian-owned Kaspersky Lab can no longer sell its antivirus and other cybersecurity software in the U.S. or issue updates for software already in use, effective on September 29, 2024. We asked some industry experts to weigh in on what this type of ban means for the industry, and MSPs specifically.

“My only question is why this took so long after the 2017 ban on Kaspersky’s use in U.S. government systems,” says Mike Semel, security and compliance expert and head of Semel Consulting.

1. What’s the Threat?

“It’s the level of access that these tools have within a computer that allows it to run largely as a system user or an administrative user,” says Chris Henderson, senior director of threat operations at Huntress. “You have a prolifically installed piece of software that now all of a sudden can be weaponized and turned against you. And so I think largely the government is worried about espionage and using that to exfiltrate data or get other data out of our consumers and our businesses.”

Semel points out that Kaspersky itself lays out the roadmap for potential damage and disruption. “Its website says its solutions are ‘A new approach to protecting the internet of things, transportation, industrial automation and other IT infrastructures with high cybersecurity requirements,’” he notes.

“Another way of looking at adding a Russian-based product deep in our computer operating systems is that Kaspersky is ‘A new approach to ATTACKING the internet of things, transportation, industrial automation and other IT infrastructures with high cybersecurity requirements,’” Semel explains. “Years ago, the Chinese government added a small chip to Supermicro servers so they could get back-door access into U.S. government and business networks, including Amazon and Apple. How hard would it be to send a software update to a system protected by Kaspersky to allow it to give access to sensitive and regulated data?”

Jeremey Colwell, managing director/founder of The Human IT Company in Vancouver, BC, Canada, sees the ban as “less of a cybersecurity move and more of a national defense move. In terms of effectiveness, Kaspersky is a definition-driven antivirus product, so it’s definitely not considered a best-in-class piece of software…. But it is a well-known name, and many individuals or businesses may feel slightly put out that their preferred product is no longer available.”

2. What Are the Pros And Cons of Banning Software?

Kevin Beaver, a security consultant and founder of Principle Logic, says he has mixed feelings about the ban, but acknowledges that he tends “to be a bit of a contrarian. … Regardless of which government agency [issues bans], such acts set a precedent that different administrations occupying the White House can pick and choose the winners and losers.”

Henderson believes “the intentions are solid” but the timeline of replacing it is tight and potentially disruptive from a workload perspective. He notes that the potential roadmap for an IT project is typically further out than three months. “So they’ve [businesses] planned out their work for the next six months, 12 months, and then throwing in a rip and replace task—the opportunity costs there are significant. And so what other security or IT endeavors are now not going to [take] place?”

For Semel, the pros or upside of the Kaspersky ban “are that our government will no longer let businesses accept the risk of having a ‘Russian Agent’ in their computer systems. The cons are that other companies and countries may be next and will probably never end because of how our foreign adversaries have been able to infiltrate our computing and communications infrastructures.”

Henderson agrees with Semel on both counts. “From a pro [perspective], you are largely eliminating a known threat. From a cons perspective, though, at least you knew where the threat was, and you could monitor for it. What other software does the Russian government have access to? Are you just going to play a cat-and-mouse game where as soon as this one is done, another one pops up?”

3. Will the Kaspersky Ban Improve Our Cybersecurity Posture?

Beaver doesn’t think that’s likely. “I’m not convinced that any government action fixes any true problem at the core,” he explains.

For Henderson, such a ban has the ability to improve our cybersecurity posture. However, he says the Kaspersky move feels a bit performative. “The current ban feels more like banning a boogeyman than banning an actualized threat. And so I personally would like to see more transparency in the threats that we are seeing from the government side in terms of why these decisions are being made.”

Semel says the ban provides some temporary security improvement. “MSPs know how to layer cybersecurity tools to reduce the attack surface of a network,” he says. “Now the government is working the other side to reduce the number of threats. Of course, hackers will still work to undermine the security tools we use to weaponize them. Cat and mouse.”

4. Are More Bans Likely?

Kaspersky has not been the only foreign-owned company under scrutiny as a potential national security threat. In April, the Senate passed and the president signed a bill that would force a sale of TikTok by its Chinese owner, ByteDance, or ban it if it’s not sold.

Will there be more bans to come?

Simply put, says Semel, “Yes.”

“I think as we start to really consider the threat that technology makes compared to the convenience that it provides, we’re going to start having to ask ourselves hard questions around what software are we using that has the potential to be controlled by foreign nationals,” Henderson says. “I don’t necessarily think that there’s going to be immediate widespread bans of all of the software. But if a business cannot prove that it has divested from their political interests or have safeguards in place to prevent that kind of abuse, I think we should expect to see more of these conversations popping up.”

Beaver anticipates more bans too. “And as we have seen with the so-called TikTok ban, there is way more to it than meets the eye. It’s best to read this legislation if you’re going to be making any meaningful decisions around it. Unfortunately, most people don’t, it seems, including our own representatives who vote on it.”

Colwell expects to “see a similar ban in Canada around the Kaspersky product. I also would expect that some of the EU Nations are also going to follow suit in due course.”

5. Should MSPs Be Asking About Country Of Origin When Vetting A Product?

Henderson says absolutely, given the third-party risk to MSPs and their clients. “I think country of origin, financial stability of the organization, how likely are they to be able to be bribed or are they still going to be around,” he says. “Over the past five years or so, we’ve seen a large increase in the diligence MSPs are doing against their vendors. I’ve never answered more vendor diligence questionnaires than I have this year. More and more people are asking the right questions, which is really good. And so ensuring that MSPs have a very robust third-party risk management program, that they’re assessing the security controls of those organizations. Questioning, do you have political ties and things like that is very appropriate and making a risk-based decision off of that for their own risk tolerances.”

For Colwell, country of origin “makes a difference for many businesses and MSPs, particularly around the military complex and CMMC compliance. Some businesses have a strong preference towards buying domestic or buying in alignment with political partnerships. I generally take the view that while country of origin carries some importance, the effectiveness of the product is paramount.” 

In contrast, Semel believes it’s “a waste of time and effort for MSPs and small businesses to focus on a country of origin for a product. In today’s worldwide supply chain, a board or chip made in China will likely be part of a U.S. consumer or business product. The chip that China added to Supermicro motherboards at their point of origin was the size of a grain of rice and went unnoticed by Supermicro until a customer discovered it. Now imagine it is a few lines out of millions of lines of code hidden within software. It will take the resources of larger enterprises and U.S. government agencies to successfully evaluate products and identify their risks.”

Cat And Mouse

Kaspersky has issued a statement saying it “does not engage in activities which threaten U.S. national security.” The company “intends to pursue all legally available options to preserve its current operations and relationships.”

And its market share is small, about 3%, according to Security.org. Henderson says in his experience, it’s not largely deployed by MSPs.

How this and other potential bans play out remains to be seen. But when it comes to cybersecurity, expect the cat-and-mouse games to continue.

For more on the federal government’s efforts to bolster the U.S. cybersecurity posture, see The White House And You – Are The Walls Closing In On MSPs?

Author:

Colleen Frye

Colleen Frye is executive editor of MSP Success. A veteran of the B2B publishing industry, she has been covering the channel for the last 17 years.
