Biden Administration At Odds Over Sanctioning Kaspersky: Report

Michael Novinson, Steven Burke

The National Security Council has pressed the Treasury Department to ready sanctions against Kaspersky, but Treasury has raised concerns over the size and scope of the punishment being considered, the Wall Street Journal reported.


The National Security Council and Treasury Department are at loggerheads over whether Moscow-based cybersecurity giant Kaspersky should be sanctioned following Russia’s invasion of Ukraine.

The Wall Street Journal said Wednesday that the National Security Council has pressed the Treasury Department to ready sanctions against Kaspersky amid longstanding allegations that the Russian government could exploit Kaspersky’s technology to install malicious software on the networks of its customers. Kaspersky has strongly denied this along with alleged links to Russian intelligence services.

Sanctions experts with the Treasury Department, however, have raised concerns over the size and scope of the punishment being considered for Kaspersky, The Wall Street Journal reported. Although Treasury officials have been working to prepare a sanctions package, one official told the Journal that sanctions against Kaspersky have been put on hold for now.

The Treasury Department declined to comment to The Wall Street Journal and didn’t immediately respond to a CRN request for comment. Kaspersky, meanwhile, told CRN that expanding prohibitions or limitations on the use of the company’s technology are a response to the geopolitical climate and don’t stem from a comprehensive evaluation of the integrity of the company’s products and services.

“The U.S. Government’s lack of response to Kaspersky’s good faith outreach, while proceeding to take actions to further limit Kaspersky, clearly indicates that such regulatory restrictions are political decisions based on speculation rather than facts,” Kaspersky told CRN in an emailed statement. The company’s software has been banned from federal civilian and military networks since December 2017.

In addition, Reuters said Thursday that the U.S. government has privately warned American companies that Moscow could manipulate software designed by Kaspersky to cause harm. A senior U.S. official said Kaspersky’s Russia-based staff could be coerced by Russian law enforcement or intelligence agencies into providing or helping establish remote access into their customers’ computers, Reuters reported.

“Moscow software engineers handle the [software] updates, that’s where the risk comes,” the U.S. official told Reuters. “They can send malicious commands through the updaters and that comes from Russia.”

A Kaspersky spokeswoman told Reuters that the briefings about purported risks of Kaspersky software would be “further damaging” to Kaspersky’s reputation “without giving the company the opportunity to respond directly to such concerns,” adding that it “is not appropriate or just.” The company’s statement to CRN did not reference the U.S. government briefings reported by Reuters.

Sanctions of this nature typically block or freeze the assets of companies or individuals who are targeted and bar U.S. citizens from engaging in transactions with those companies or people. Some U.S. officials have argued that sanctioning company co-founder and CEO Eugene Kaspersky personally could be seen as less aggressive than going after Kaspersky the company given its size, The Wall Street Journal said.

Eugene Kaspersky previously served in the Soviet military intelligence service as a software engineer and issued a statement in early March that failed to condemn Russia for invading Ukraine or even mention Russia. At the same time, U.S. officials acknowledge that the relationship between Kaspersky the firm and the Russian state is similar to how U.S.-based cyber firms cooperate with U.S. intelligence agencies.

This would not be the first time the Biden administration sanctioned Russian companies for their relationship with the Russian government. In April 2021, the U.S. Treasury Department sanctioned six Russian technology vendors – including most notably Positive Technologies – for helping the country’s intelligence agencies carry out malicious cyber activities including the SolarWinds hack.

Positive Technologies allegedly hosted large-scale conventions that were used as recruiting events for the Russian Federal Security Service (FSB) and Main Intelligence Directorate (GRU) and provided network security technology to foreign governments, Russian firms and Russian government clients, including the FSB. Positive Technologies denied the Treasury Department’s accusations, calling them “groundless.”

In mid-March, Germany warned that the Russian government could leverage Kaspersky’s antivirus software as a vehicle for cyberattacks in Europe. Eugene Kaspersky fired back in an open letter the following day, alleging that the decision was made on political grounds alone and isn’t supported by objective evidence or technical details.

“I consider the BSI [German government] decision as an unwarranted and unjust attack on my company and specifically on Kaspersky employees in Germany and Europe,” Eugene Kaspersky wrote in the open letter. “We consider this decision to be unfair and outright wrong.”

Then on March 25, the U.S. Federal Communications Commission added Kaspersky to its list of telecommunications equipment and service providers considered a national security risk. The move made Kaspersky the first Russian firm on the list, which previously only included Chinese companies. Kaspersky similarly asserted the FCC decision is being made on political rather than technical grounds.

The renewed scrutiny on Kaspersky has reverberations in the channel, with one of the top distributors in Australia and New Zealand cancelling its contract. The Australian Financial Review reported that Dicker Data’s partnership with Kaspersky will cease next month due partly to the heritage of COO Vladimir Mitnovetski, who has roots in Ukraine. As a result, Leader will be Kaspersky’s only Australian distributor.

Bob Venero, CEO of Fort Lauderdale, Fla.-headquartered solution provider Future Tech Enterprise, No. 100 on the CRN SP500, believes there is a threat that Russia could use Kaspersky software to launch a cyber attack. “The U.S. government has effectively put Kaspersky on a no fly zone based on the cybersecurity threat in the wake of Russia’s invasion of the Ukraine,” said Venero. “Is there a risk and a potential threat from using Kaspersky software? I believe there is. Russia has been very clear that they are not happy with US interference in the Ukraine. If there is an opportunity to express that unhappiness like we have done with US sanctions on Russia I am sure they are going to take advantage of that.”

Future Tech Enterprise, a Microsoft Defender security software provider that does not resell Kaspersky, is planning to reach out to its customers to warn them of the potential risks with Kaspersky software in the wake of the FCC’s decision to single out the software maker as “an unacceptable risk to national security or the security and safety of United States persons.”

“Based on the new information we have, we will reach out to our existing customer base, make them aware of the cybersecurity risk and remediate where customers are using the Kaspersky software,” he said. “Our rationale is that the United States government has done their due diligence and deemed Kaspersky software a risk. As a good corporate United States citizen we are going to act on that information.”

Future Tech, which has a substantial federal government business, has doubled down on its own internal cybersecurity efforts and reached out to customers in the wake of the Russian invasion of Ukraine, said Venero. In fact, Future Tech CIO Fred Hoffman issued an alert to company employees to be more diligent in their cyber hygiene and what links they click on in the wake of the war. “We are doing security testing and going above and beyond to make sure we are secure,” said Venero.

Venero sees cybersecurity threats continuing to increase even as companies double down to protect themselves with additional security technology services and software. “Over our 25 years in business, we have consistently seen cybersecurity become more mission critical as part of a solution provider offering,” he said. “Over the last year, security has grown exponentially in comparison to other lines of technology and services that we provide to customers.”
