In a last-minute voice vote on December 7, a provision was added to the $700 billion National Defense Authorization Act that bars federal agencies from using Kaspersky anti-virus software."The case against Kaspersky Lab is overwhelming," said Senator Shaheen (D-NH). "The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented." The Department of Homeland Security has alleged "ties between certain Kaspersky officials and Russian intelligence," yet no evidence has been provided.Yesterday Kaspersky responded by filing suit against the DHS for banning its product, claiming DHS "relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports." Without proof, how are we to judge whether Kaspersky is a real threat or whether this is merely protectionism for U.S. vendors, an old tactic? Check Point Software, an Israeli firm, was blocked from selling to federal agencies in the 1990s. Huawei, the Chinese networking giant, has been effectively blocked from doing business in the U.S. Cisco was the U.S. vendor that benefited most from both of these actions.
The bottom line: What if Spain or Germany were to make similar claims against McAfee or Symantec to support their own vendors? The U.S. cybersecurity industry is not well served by unsubstantiated claims about the trustworthiness of security products, which only muddy the waters and encourage blowback.