Kaspersky Lab, a Russian-owned cybersecurity company that sells anti-virus software and other kinds of IT systems security products, has been banned from use by the federal government. This latest development comes by way of the Department of Homeland Security (DHS), which issued a directive requiring agencies to (1) identify Kaspersky products they are using, (2) create plans to stop using those products, and, eventually, (3) discontinue using those products and remove them from IT systems. The DHS directive is on the heels of the General Services Administration’s (GSA) July 23 decision to remove Kaspersky from the list of approved vendors. The latest move makes logical sense, of course: if Kaspersky really represents the threat that Congress and the Trump Administration believe that it does, then every moment that goes by with Kaspersky products in use is a moment where security is at risk.
And what danger are we talking about? The problem is one of access. Kaspersky products, like any security products, need to be updated. Think about when you get your periodic update requests from Apple or Microsoft (or, perhaps, you have decided to forgo the request and get your updates automatically); your device then communicates with the software provider who installs new code into your system. The problem that the federal government is now worried about is that Kaspersky, whose servers are thought to be in Russia, can surreptitiously install malware that make your information (or sensitive information in the federal government) accessible by foreign hands. There also appears to be deep suspicion that Kaspersky has Kremlin ties, although the case for that is unclear.
Make no mistake: the danger here is real. But how different is the threat from Kaspersky from that of threat that any third party with high-level access to sensitive information? Why do we trust Kaspersky less than any other third party provider? Some of the anti-Kaspersky action is the politics of the moment — both current icy geopolitics and tense domestic politics in the wake of the 2016 election and Russia’s certain meddling in it. But shifting geopolitics means shifting targets. In 2013, Congress was deeply concerned about China, and passed a law that placed various restrictions on Chinese IT vendors based on concerns about Chinese espionage. Tomorrow may bring new targets.
The truth is, governments both state and federal rely on third-party vendors for security software (by the way, the DHS move says nothing about what states should do, and presumably state governments using Kaspersky face the same kinds of risk), and thus make their systems vulnerable to malware by those same third parties. So long as there is reliance on third party vendors, the risks remain real. The concerns about Kaspersky might very well be legitimate. But there is little reason to think that banning Kaspersky will solve the security risk.
What does that mean for you? If you’re not in the security business, you’re purchasing security products for your organization, too. That means you, too, need to be vigilant. The due dilgence that comes with third-party contracts and in-house IT expertise, and maintaining basic security hygiene within your organization, will help minimize the risk.