US says Kaspersky Poses Unacceptable Risk to National Security
The Federal Communications Commission (FCC) added Russian cybersecurity firm Kaspersky to its Covered List, saying it poses unacceptable risks to U.S. national security.
Kaspersky services covered by this decision include information security products, solutions, and services supplied by Kaspersky or any linked companies, including subsidiaries or affiliates.
FCC’s national security ban list was also expanded to include Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas.
The decision was taken following requirements in the Secure and Trusted Communications Networks Act of 2019 [PDF].
According to FCC Commissioner Brendan Carr, their addition to the Covered List means that they are prohibited from receiving support through FCC’s Universal Service Fund.
“I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list,” Carr said [PDF].
“Their addition, as well as Kaspersky Labs, will help secure out networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.”
U.S. federal agencies were first ordered to remove Kaspersky-branded products from federal information systems via a Binding Operational Directive (BOD) issued by the Department of Homeland Security in September 2017.
HackerOne suspends Kaspersky’s bug bounty program
Earlier today, HackerOne blocked Kaspersky’s access and indefinitely suspended its bug bounty program.
HackerOne’s decision to disable the Kaspersky bug bounty program follows another blow received by the Russian company after Germany’s Federal Office for Information Security, BSI, warned companies against using Kaspersky products.
The BSI suggested the Russian authorities could force the antivirus provider into allowing Russian intelligence to launch cyberattacks against its customers or have its products used for cyberespionage campaigns.
Today’s decision to designate Kaspersky as a national security threat follows previous decisions to ban and revoke China Unicom Americas’ license over serious national security concerns in January 2022.
The FCC also added Chinese telecommunications companies Huawei, ZTE, Hytera Communications, Hikvision, and Dahua to its ban list on March 12, 2021.
Huawei and ZTE were designated as national security threats to the integrity of U.S. communications networks or the communications supply chain in June 2020.
Update: Kaspersky sent the following statement after the article was published:
Kaspersky is disappointed with the decision by the Federal Communications Commission to prohibit certain telecommunications-related federal subsidies from being used to purchase Kaspersky products and services. This decision is not based on any technical assessment of Kaspersky products – that the company continuously advocates for – but instead is being made on political grounds.
Kaspersky maintains that the US Government’s 2017 prohibitions on federal entities and federal contractors from using Kaspersky products and services were unconstitutional, based on unsubstantiated allegations, and lacked any public evidence of wrongdoing by the company. As there has been no public evidence to otherwise justify those actions since 2017, and the FCC announcement specifically refers to the Department of Homeland Security’s 2017 determination as the basis for today’s decision, Kaspersky believes today’s expansion of such prohibition on entities that receive FCC telecommunication-related subsidies is similarly unsubstantiated and is a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services.
Kaspersky will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate with U.S. government agencies to address the FCC’s and any other regulatory agency’s concerns.
Kaspersky provides industry leading products and services to customers around the world to protect them from all types of cyberthreats, and it has stated clearly that it doesn’t have any ties with any government, including Russia’s. The company believes that transparency and the continued implementation of concrete measures to demonstrate its enduring commitment to integrity and trustworthiness to its customers is paramount.