Why it took the U.S. nearly 10 years to ban a Russian cyber vendor

Illustration: Sarah Grillo/Axios
The Biden administration's new plan to rip and replace Kaspersky Lab's antivirus software from U.S. tech stacks has been roughly a decade in the making.
Why it matters: A slow-burn approach to considering the ban — the toughest action yet against a foreign-based cybersecurity company — could help the U.S. government avoid the same implementation woes it's faced in similar cases, experts say.
The big picture: The U.S. government is still struggling to remove Chinese telecommunications company Huawei's equipment from American networks, nearly five years after actions started.
- And lawmakers only just passed a law this year to force China-based ByteDance to divest its ownership in TikTok or face a ban — after roughly four years of regulatory back-and-forth. (Even that law is being challenged in court.)
Threat level: Each of these three companies is subject to laws in its home country that could compel it to share U.S. customer data that's transmitted through its products.
- China has a law that requires companies to help the government in intelligence work.
- Russia has expanded its laws in recent years to allow for tighter surveillance of online communications and internet traffic, Andrew Borene, who worked at the Office of the Director of National Intelligence, told Axios.
- However, the U.S. government hasn't declassified specific examples of Russia or China forcing these companies to share Western customer information.
Yes, but: Kaspersky's antivirus product had been in the spotlight longer than both Huawei and TikTok — yet it still took three administrations to get to a software sales ban.
- Part of that is because it took a long time for officials to fully understand the security risks tied to Kaspersky, Borene, who is now executive director of global security at Flashpoint, said.
- Also, Russia has only recently started becoming more outwardly hostile against Western governments again, James Lewis, a former diplomat and current director of the Center for Strategic and International Studies' strategic technologies program, added.
- Kaspersky also put up a real fight to clean up its image in Washington. It was an approved government vendor; it tried joining prominent trade groups and sponsored high-profile conferences.
What they're saying: "Kaspersky has done good research, they have a good product, but there was a concern that they had a sweet spot for the Russian government," Lewis told Axios.
Flashback: Kaspersky first raised eyebrows in Washington back in 2015 when the National Security Agency was tipped off that Kaspersky may have collected information about U.S. hacking tools and shared it with the Kremlin.
- In that case, which was first reported in 2017, Israeli government hackers found evidence that Kaspersky may have obtained the NSA hacking tools via an agency employee who was using the antivirus software on his home computer.
- The company shot back, saying it "does not have inappropriate ties to any government" and that it's been "caught in the middle of a geopolitical fight."
- Those accusations eventually resulted in the U.S. government banning the software on its own networks, but it had stopped short of an outright halt of new sales — until last week.
The intrigue: The Department of Commerce also just got new authorities in recent years that made a ban on Kaspersky's antivirus sales easier, officials told reporters during a briefing last week.
Between the lines: Despite those concerns, U.S. critical infrastructure organizations still used Kaspersky's antivirus and other cybersecurity products.
- A senior Commerce official told reporters that the company had a "significant number of U.S. customers," including critical infrastructure organizations and state and local governments.
State of play: Short of completely restructuring the company's organizational structure, changing leadership or leaving Russia entirely, there wasn't much Kaspersky could've done to fight the oncoming ban, experts say.
- Kaspersky denied any wrongdoing in a statement last week and said it intends to pursue legal action against the new Commerce restrictions.
What's next: Homeland Security Secretary Alejandro Mayorkas told Axios in a brief interview Monday that his department already has the tools it needs to help critical infrastructure organizations meet Commerce's implementation deadlines.
- "I don't think it's a new muscle that we have to develop," Mayorkas said. "This one is going to be a little bit more complicated — Kaspersky does have a footprint, and it's a matter of unwinding that."
