There is a bit of a tongue-in-cheek theory which states that politicians will often expend a lot of energy to appear to be going to great lengths to address a problem while actually doing very little to solve it. While this might bring a chuckle to some when mentioned, there are times when it seems sadly accurate. Some of the times are when we hear political talking heads discussing a complex and nuanced problem stampede towards a “ban” on something. There are examples of this throughout history and they keep popping up in modern times. A recent example is the “ban” on Kaspersky. On the surface the move is portrayed as a national security move due to perceived connections with the Russian Government. However, considering this is not the first time this has been talked about, I have to wonder if that is really what is going on.
Back in 2017 there was a series of leaked emails which appeared to show that Kaspersky was more cooperative with the government of their home country (Russia) than was acceptable. There was an immediate cry for a ban on the software in the US for both government and business verticals. The claims back then did not truly appear to show any unusual cooperation between Kaspersky and the Russian Government and things sort of fizzled out without much fuss. Now, things are a bit different although the accusations are the same. In a recent conversation with Chris Henderson, senior director of threat ops at Huntress we covered why this is not the greatest move and why the issues around Kaspersky are a missed opportunity to move secure by design forward. One of the key points of my conversation with Chris was that there was not a ton of hard evidence to support the accusations (much like in 2017). It also seemed that the steps taken were a bit short sighted and rather impactful to organizations. Although the action taken is not a real ban on Kaspersky, you can still own it, it does prevent updates to the product including engine, signature, and model updates making it useless given the always inflight nature of cybersecurity. So what are companies to do? They now have to do a rip-and-replace of a product which they might have a contract for, and in 90 days (actually less). If you are at all familiar with most organizations’ procurement cycles, much less mean time to remediation, you will know just how impactful this is.Chris and I agreed that Small to Medium businesses are going to the most impacted here as they are not set up to perform this kind of shift mid budget. So now there will be a number of companies who will not be getting updates and will be exposed to compromise thanks to this move. To add to this, there are also possibly companies which might not do anything despite not getting updates (the agent might actually still report as secure or clean). Part of this, as Chris stated, is a lack of proper communication on what this ban actually meant to users of Kaspersky (no updates, no signature or behavior engine updates, etc.)This might sound like an odd take on things when we are talking about “national security”, but the reality is that there have always been restrictions on the import and export of technology, the severity of these restrictions just seem to change based on what the business market wants. Back in the 90s’ there was an outright export ban of certain encryption technologies and there were regulations which prevented the use of technologies (including parts) by the US government from non-aligned countries. As the US started falling behind in manufacturing and assembly of more advanced technologies, and larger manufacturing companies began to push their manufacturing to “less expensive” regions these bans and regulations seemed to go away leading us to a current landscape. The question has always been, are these restrictions and regulations effective? The simple answer is, not really. As with most restrictions and regulations they are often either too vague or contradictory. Yes, they all have a basic set of standards, but if you look through different “standards” you can typically find where one standard contradicts with another leaving enough of a gap for an enterprising company to take a shortcut. So, what could have been different? According to Chris, there are quite a few things. First this was a chance to really push Secure by Design. There could have been a pause on the sale of Kaspersky while an independent watch dog organization reviewed the product and ensured it was safe for use by US businesses. Guard rails could have been set up to keep the product from critical infrastructure and government agencies and contractors. These same agencies could also be utilized to review products when there is a breach of an organization to see if there was a lack of compliance with the secure by design standards. Of course, all of this is a lot more complicated than just saying “see we did something by banning the bad thing.” However, kneejerk reactions like this one have an unintended reaction. It impacts confidence in law and regulation makers. This in turn can make organizations less likely to comply with those regulations and more likely to find ways around them. If instead regulations are more thought out and work to find a real solution to a challenge, there is a better chance that they will be followed. Now, it is also important to remember that Kaspersky is not what I would call a top-tier product and does not have a massive footprint in the US. Yet, it is important in the scope of how to properly move the needle on making sure products (not just security products) are becoming secure by design. It represents a lost opportunity to test out new options to hold companies accountable which could then scale to companies with larger footprints. Still, in the interest of being seen as doing something now, we get what we have.