From Geopolitics to Boardrooms: The Impact of the Kaspersky Ban
2024-7-31 17:23:49 Author: securityboulevard.com

On the heels of the recent U.S. ban on Kaspersky antivirus software, it was expected that Kaspersky would begin to wind down its U.S. operations. Few, however, expected the company to lay off its entire U.S. employee base so quickly.

In some quarters, this regulatory action by the Department of Commerce is seen as a decisive step toward strengthening national security and protecting sensitive data from potential exploitation. In others, the move is seen as politically charged, coming amid rising geopolitical tensions and growing concern over cyberthreats posed by state actors such as Russia, China, North Korea and Iran.

Regardless of whether it is judged good or bad policy, the U.S. federal government’s decision to prohibit new sales of Kaspersky software, effective July 20, 2024, underscores the urgency for U.S. and allied enterprise leaders to mitigate the risks associated with Russian cybersecurity products.

Kaspersky’s decision this week (July 15) to lay off all U.S. workers is another unfortunate result in a long fight between the company and the U.S.

Decisions such as software vendor selection should no longer be left as a discretionary choice for chief information security officers (CISOs). They should involve the CEO, CFO and board directors, so that the long-term political risk embedded in the organization’s security hardware and software stacks is understood at the top.

This new ban is not an isolated incident but part of a broader trend among Western-allied governments, which now treat state-backed cyberthreats as a geopolitical matter rather than as isolated market risks or business challenges. Since 2017’s CISA Binding Operational Directive, when the Department of Homeland Security first banned Kaspersky from networks used by all federal executive branch departments and agencies, other nations have followed suit, including the UK (through its National Cyber Security Centre), Lithuania, the Netherlands, Germany and others. The European Union labeled Kaspersky as “malicious” in 2018, and recent actions by Germany and Italy to curb its use in the public sector further highlight the global consensus on this issue.

In November 2022, an FCC action banned the sale of hardware and communications equipment from several Chinese companies amid national security concerns. In that instance, the focus was on hardware and equipment from five Chinese companies, including Huawei and ZTE. The other companies named at that time were Hikvision, Dahua and Hytera, which make video surveillance equipment and two-way radio systems.

How Organizations Must Comply

For U.S. organizations, especially those responsible for critical infrastructure, this ban signals the need for immediate action. Chief Information Security Officers (CISOs), C-suite executives and board members must assess their reliance on Kaspersky products and plan for a transition to alternative solutions. This is not just a regulatory compliance issue but a strategic imperative to safeguard organizational assets against potential cyberthreats.

The phased implementation of the ban provides a timeline for organizations to adapt. By September 29, 2024, Kaspersky will be prohibited from providing any software updates, including critical security patches. This means that continued use of Kaspersky products beyond this date will expose users to increased cybersecurity risks. Organizations must act swiftly to identify and deploy alternative cybersecurity measures to ensure ongoing protection.

Broader Implications and Strategic Considerations

It is essential to recognize the broader implications of this ban. Kaspersky’s connections to Russia’s Federal Security Service (FSB) and allegations of data leaks to the Russian government are well-documented. The risk of malicious activities through Kaspersky software is not hypothetical; investigations have repeatedly demonstrated this threat. The recent alignment between Russia and North Korea further complicates the geopolitical landscape, making the timing of this ban particularly significant.

This threat is not exclusive to Russia; it is a rising risk with China as well, where commercial organizations are bound by government requirements to assist with intelligence work and to provide information whenever requested. Related concerns have been raised about the behavior of Chinese technology firms, exemplified by the scrutiny of TikTok’s data practices and the potential for influence by the Chinese government. Lawmakers passed a law this year forcing China-based ByteDance to divest its ownership of TikTok or face a ban.

Now, allied governments are intervening on a more systematic basis to protect their innovation economies from known threats. China has invested heavily in the development of critical technologies, which enables it to supply key components and equipment to industries including semiconductors, biotechnology, artificial intelligence, advanced energy and other critical sectors. The U.S. therefore relies heavily on China for parts of its supply chain, such as semiconductors, overhead capabilities and network hardware. This creates a strategic vulnerability for the U.S., as China could potentially sabotage, manipulate or restrict access to these upstream components and equipment.

Reports have highlighted the extent of Chinese infiltration across many areas of American society, including the science and technology sectors, raising alarms about the integrity and security of critical information. Additionally, North Korea’s insider-threat plots to place bad actors within major corporations further illustrate the coordinated efforts by rogue nations to steal intellectual property and undermine the commercial foundations of free-world economies, in turn weakening their governments. CEOs and boards can no longer view these incidents in isolation; they represent a concerted strategy by adversarial states to exploit vulnerabilities in the global economic and technological landscape.

The move to ban Kaspersky is a clear message to Russia and other adversaries that the U.S. and its allies will not tolerate cyberespionage and other digital threats. This proactive stance is crucial as we navigate an era of increasing cyber aggression from state-backed actors in Russia, China, Iran and North Korea. The ban is part of a broader strategy to enhance national cybersecurity by reducing dependency on potentially compromised foreign software.

Actionable Steps for Compliance and Security

In conclusion, the U.S. ban on Kaspersky software is a necessary and prudent measure to protect national security. But beyond immediate compliance, this ban serves as a crucial reminder of the evolving cyberthreat landscape and the importance of vigilance in our cybersecurity practices. CEOs and boards should evaluate the growing risk associated not only with direct investments in nations with adversarial governments but also with their own attractiveness as a target, given their important role in powering free-world innovation economies. While this is typically the purview of corporate cybersecurity leaders and teams, C-level executives would be well advised to incorporate these topics into top-down corporate strategic and investment discussions.

As we move forward, it is imperative to not just react to bans but to anticipate and prepare for future threats in a holistic way. The message is clear: national security and corporate cybersecurity are deeply interconnected. As CISOs and executives, we must stay ahead of the curve, adapt to changing threats, and protect our assets from those who seek to exploit vulnerabilities. The Kaspersky ban is a pivotal step, but it is only the beginning of a broader effort to secure our digital future.

Source: https://securityboulevard.com/2024/07/from-geopolitics-to-boardrooms-the-impact-of-the-kaspersky-ban/