Kaspersky Lab Closing U.S. Division; Laying Off Workers
Russian cybersecurity firm, Kaspersky Lab, has told workers in its U.S.-based division that they are being laid off this week and that it is closing its U.S. business, according to several sources. The sudden move comes after the U.S. Commerce Department announced last month that it was banning the sale of Kaspersky software in the U.S. beginning July 20. The company has been selling its software here since 2005.
Kaspersky confirmed the news to Zero Day, saying that beginning July 20 it will "gradually wind down" its U.S. operations and eliminate U.S.-based positions as a result of the new ban, despite initially vowing to fight the ban in court.
"The company has carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable," the company said in a statement. Kaspersky did not say how many workers in the U.S. division were being let go except to say "it affects less than 50 employees in the U.S." Workers have told Zero Day that they are receiving severances but declined to discuss the nature of the severances.
The U.S. Commerce Department announced the ban in June after what it said was an "extremely thorough investigation." Commerce officials did not elaborate on the nature of the investigation or what it uncovered, but officials cited national security concerns that Kaspersky or the Russian government could use its software to spy on American customers or sabotage systems.
The Department of Homeland Security had previously issued a directive in 2017 banning federal government agencies and departments from installing Kaspersky software on their systems. An amendment passed in the 2018 Defense Authorization Act also banned the use of Kaspersky software on U.S. military systems. These bans only covered government systems, not commercial systems, however. So the Commerce Department ban last month effectively puts an end to Kaspersky's commercial business in the country as well.
DHS didn't cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.
Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker's machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker's machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.
Antivirus software – whether made by Kaspersky or U.S.-based firms like Symantec – requires excessive privileges and access to files in order to scan them for malicious code. Given the potential for abuse, and Russia's adversarial relationship with the U.S., the government has deemed Kaspersky software a risk, though officials have never provided evidence that Kaspersky or the Russian government used its software to spy on customers.
In discussing the recent ban, Commerce officials said they acted after they were alarmed to discover that U.S. state and local governments and critical infrastructure were using the software, in light of the Russian government’s ability to compel Russian companies to assist it with surveillance.
"Given the Russian government’s continued offensive cyber capabilities and capacities to influence Kaspersky’s operations ... we have to take the significant measure of a full prohibition if we’re going to protect Americans and their personal data," U.S. Secretary of Commerce Gina Raimondo told reporters in a phone call last month. "When Americans have software from companies owned or controlled by countries of concern – such as Russia, such as China – integrated into their systems... those countries can use their authority over those companies to abuse that software to access and potentially exploit sensitive U.S. technology and data."
Asked if officials had evidence that the Russian government was using Kaspersky software to spy on customers, Raimondo and other government officials declined to say.
"In terms of specific ... instances of the Russian government using [Kaspersky software to spy] we generally know that the Russian government uses whatever resources available to perpetrate various malicious cyber activities," one senior Commerce official said on background. "We do not name any particular actions in this final determination, but we certainly believe that it’s more than just a theoretical threat that we describe."
The company accused the Commerce Department of basing its decision on the current "geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services."
For years before Kaspersky began selling software in the U.S. its code was embedded in software and hardware appliances of other companies – cybersecurity firm F-Secure, for example, used the Kaspersky antivirus engine in its own software between 1996 and 2006. Kaspersky code was also embedded in routers, firewalls and other devices sold in the U.S.
The company didn't begin selling its own standalone software products in the U.S. until 2005. Its sales here rose rapidly over the years due to aggressive marketing and software giveaways and deals that made the company a household name. Last year the company reported its global earnings were $721 million and, until the ban was announced last month, its sales in the U.S. comprised "just under 10%" of its total revenue. The company also claims there are "more than a million endpoints" in U.S. being protected by Kaspersky products.
The recent ban on new sales of its software in the U.S. also prevents Kaspersky from providing updates for software already being used in the U.S. – that ban begins September 29. This means the Kaspersky antivirus software will become less effective over time, since the company will not be able to update it with signatures to detect new threats as they're discovered. Kaspersky software also continues to be embedded in systems sold by other vendors; the ban means that those vendors and customers who have it embedded in systems will have to replace the Kaspersky code with a different solution.
Raimondo said, however, that users of the software will not face legal penalties if they continue to use Kaspersky products.
"U.S. individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law," Raimondo said. "However, I would encourage you in as strong as possible terms to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
In addition to the ban, the Commerce Department put three Kaspersky entities on its trade-restrictions entities list, which would prohibit U.S.-based suppliers from doing business with Kaspersky.
Updated: To add Kaspersky statement about the number of workers in the U.S. affected by its decision to close the division.