The shift started in 2017 with a Department of Homeland Security (DHS) ban on using Kaspersky products on any government computer systems. Now, the Department of Commerce has given the company a final push to leave the United States.
As of July 20, 2024, Kaspersky is “prohibited from entering into any new agreement with U.S. persons involving one or more information and communications technology (ICTS) transactions,” and as of September 30, 2024, they can no longer provide antivirus signature or codebase updates.
Put simply, time’s up for the Russia-based security firm. But what (if anything) does this mean for U.S. organizations?
2017: Frustrating foreign interference
2016 was a tough year for federal cybersecurity, prompting serious concerns about foreign interference in U.S. political affairs.
Concerns led to investigations, which led the DHS to ban the use of Kaspersky products on any federal computers. In September 2017, agencies were told they had 90 days to remove all Kaspersky products from their systems. Some large private companies, such as Best Buy, also chose to follow suit, marking the start of a slow decline in Kaspersky solution use.
The company itself firmly denied any foreign influence, arguing that no credible evidence was presented and that accusations were based on false assumptions.
2024: Unacceptable security risk
2024 saw the Department of Commerce take the Kaspersky censure a step further. A statement from the company says that the decision “was based on the geopolitical climate rather than on the evaluation of the integrity of the company’s solutions, and deprives U.S. users and companies of best-in-class protection.”
From the perspective of the DoC, Kaspersky products represent risk because they could be used to collect and store information about U.S. citizens — information that could then be passed to foreign actors or governments. While this is true of any solution owned and operated by an international organization, the Department of Commerce highlighted the need for Kaspersky to follow Russian laws in its business operations, laws that could potentially put U.S. companies and citizens at risk.
According to the decision, “Kaspersky’s global virus scanning operation puts it at the forefront for identifying new vulnerabilities in existing software, providing it with significant non-public information for ways to exploit certain versions of software, as well as a list of devices that run that software. This capability, if leveraged by the Russian government, greatly enhances its ability to conduct cyber espionage and to steal sensitive data.”
Potential impacts on the U.S. cybersecurity market
While Kaspersky products remain popular worldwide, they don’t top the antivirus charts in the United States. According to recent research, paid tools such as Norton and McAfee capture significantly more market share than Kaspersky, while built-in defensive tools such as Microsoft Defender are also gaining ground.
In part, Kaspersky’s falling star was likely tied to the 2017 decision. Although it didn’t prevent private organizations from using Kaspersky products, companies looking to work with government agencies were better served using other solutions to meet evolving federal standards.
It is worth noting that Kaspersky’s research teams are well-known for finding and exposing hacker groups, making them a valuable part of the overall security landscape. The shift off U.S. soil won’t affect this work, however, meaning U.S. businesses can still benefit from this work.
Will this decision affect private enterprise operations?
Bottom line? After the 2017 decision, Kaspersky’s days were numbered. Regardless of their affiliation (or lack thereof) with the Russian government, the company posed a potential risk to U.S. national cybersecurity. While their departure reduces market choice, the sheer number of available antivirus tools combined with the falling popularity of Kaspersky products in the United States means the Department of Commerce’s decision should have minimal impact on private enterprise operations.