3rd Party Risk Management , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
FCC Adds Kaspersky, Chinese Telecoms to High-Risk CompaniesAlso, HackerOne Suspends Kaspersky's Access to Bug Bounty Platform
The U.S. Federal Communications Commission's Public Safety and Homeland Security Bureau voted unanimously to ban Kaspersky Lab, China Telecom (Americas) Corp., and China Mobile International USA Inc., stating the companies posed a national security threat. In addition, the bug bounty platform HackerOne suspended Kaspersky's access to the platform.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
This comes after the Federal Office for Information Security of Germany on March 15 warned against the use of virus protection software from the Russian manufacturer Kaspersky and advised Kaspersky users to consider alternatives, citing national security concerns.
As soon as the FCC announcement was published, Kaspersky released a statement saying the company's bug bounty platform hosted with HackerOne was indefinitely suspended and that it has frozen existing funds and discussions for already-reported vulnerabilities (see: Sanctions Halt Rewards for Bug Hunters in Belarus, Russia).
Kaspersky announces changes to the bug bounty program and #vulnerability disclosure process. All researchers are welcome to contact us at https://t.co/WNDcGxMIG4 pic.twitter.com/XIX7ecjQrz— Kaspersky (@kaspersky) March 25, 2022
Reacting to the development, Kaspersky tells Information Security Media Group that the firm is disappointed with the decision by the FCC to prohibit certain telecommunications-related federal subsidies from being used to purchase Kaspersky products and services.
Spokespersons for China Telecom (Americas) Corp. and China Mobile International USA Inc. were not immediately available to comment.
A Warning to Kaspersky Users?
"This decision is not based on any technical assessment of Kaspersky products - that the company continuously advocates for - but instead is being made on political grounds," Kaspersky says. "Kaspersky will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate with U.S. government agencies to address the FCC's and any other regulatory agency's concerns."
In addition to the FCC's concerns, Jake Williams, a research analyst at the Institute for Applied Network Security and a former member of the U.S. National Security Agency's elite hacking team, says it is not clear what impact this latest move by the FCC will have on Kaspersky.
"After the U.S. government barred federal agencies and contractors from using Kaspersky in 2017, many U.S. commercial organizations began voluntarily replacing their products. But for those who have chosen to continue using Kaspersky, it's not clear the FCC's guidance will impact their decision-making," Williams tells ISMG.
The FCC previously banned telecommunications companies from using FCC funds to buy equipment from Chinese manufacturers Huawei and ZTE and added to its list of communications equipment and services those that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019 (see: FCC Takes Steps Toward Squeezing Out Huawei, ZTE).
The Secure and Trusted Communications Networks Act requires the FCC to publish and maintain a list of communications equipment and services that pose an "unacceptable risk" to national security.
"This is yet another step in a long-simmering campaign by the United States to eliminate Kaspersky from North America. The move was expected and is a sign that if you're still using Kaspersky in the US, it's time to find an alternative," said John Bambenek, principal threat hunter at digital IT and security operations Netenrich.
The FCC states that adding Kaspersky to the list was based upon a Binding Operational Directive issued by the Department of Homeland Security and published in the Federal Register on Sept. 11, 2017, that required certain federal agencies to remove Kaspersky-branded products from federal information systems.
"The BOD states that, in consultation with interagency partners, the Department of Homeland Security "determined that the risks presented by Kaspersky-branded products justify the issuance of this Binding Operational Directive," the FCC says.
The FCC published the initial list, commonly referred to as the covered list, in March 2021.
Kaspersky tells ISMG that the U.S. government's 2017 prohibitions on federal entities and federal contractors from using Kaspersky products and services were unconstitutional, based on unsubstantiated allegations, and lacked any public evidence of wrongdoing by the company.
The company also states that there has been no public evidence to justify these actions since 2017 and the FCC announcement specifically refers to the Department of Homeland Security's 2017 determination as the basis for today's decision.
"Kaspersky believes today's expansion of such prohibition on entities that receive FCC telecommunication-related subsidies is similarly unsubstantiated and is a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services," the company says.
Kaspersky says that it doesn't have any ties with any government, including Russia.
"Last year, for the first time, the FCC published a list of communications equipment and services that pose an unacceptable risk to national security, and we have been working closely with our national security partners to review and update this list," says FCC Chairwoman Jessica Rosenworcel.
Rosenworcel also states that this recent action is the latest in the FCC's ongoing efforts, as part of the greater whole-of-government approach, to strengthen America's communications networks against national security threats, including examining the foreign ownership of telecommunications companies providing service in the United States and revoking the authorization to operate where necessary.
But how do governments and companies evaluate products produced in countries that come to be regarded as adversaries?
"Trust is everything when it comes to security, so how do you trust a product from a company that is subject to the government of a geopolitical adversary? The mere presence of the incentive of an adversarial government to exploit a product made by a company on its shores for intelligence gathering operations or sabotage may be enough to deem the risks of using it unacceptable," says Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel.
Clements says that there are some possible ways for companies to alleviate those concerns, such as sharing source code and a reproducible build process with the foreign government, but those things introduce their own risks to the company that is sharing the information.
"Once the source code is shared, the recipient has incredible options for causing harm. The receiving government could leak that intellectual property to a domestic competitor who could then create an exact replica of the product or have the source scrutinized for security vulnerabilities that would be otherwise very difficult to detect and develop custom exploits targeting it," Clements tells ISMG.
He says it's a big challenge for both countries and companies, and it can't be easily solved. The challenge, he says, may spur the adoption of more open-source software solutions that can be independently verified by all users.