Fed Kaspersky Ban Made Permanent by New Rules

A new set of regulations converts the government ban on using Kaspersky products from a temporary rule to one that’s permanent.

The Federal Acquisition Regulation Council has published a final, formal regulation that bars government agencies, departments, and bureaus from buying security software and services from Kaspersky Lab. This new rule replaces a temporary regulation that had instructed Federal purchasers on how to comply with the terms of the 2018 National Defense Authorization Act.

The new regulation, spelled out in Sections 1634 (a) and (b) of the National Defense Authorization Act for Fiscal Year 2018, is a blanket prohibition that extends beyond the government itself; no contractor with a government practice is allowed to have Kaspersky software or services in any of its systems, either.

Kaspersky was hit with the prohibition in 2017 because of concerns that it could be serving as a “backdoor” attack surface for agents of Russia’s government. Kaspersky has protested that the regulation is unconstitutional because it targets a single company, not a set of behaviors.


US Finalizes Rule Banning Kaspersky Products From Government Contracts


As of Tuesday, government agencies—civilian and defense—have an official, final rule prohibiting them from using cybersecurity products provided by or using software made by Russia-based Kaspersky Lab.

The federal agencies that lead the Federal Acquisition Regulation Council—the Defense Department, General Services Administration and NASA—will publish a final rule Tuesday to the Federal Register outlining how agencies should abide by a provision in the 2018 National Defense Authorization Act restricting the use of Kaspersky products.

Legislators enacted the law in response to concerns from the U.S. intelligence community that Kaspersky executives—some of whom are former Russian intelligence officers—have close ties to Russian government officials. U.S. officials also expressed concern that Russian law would compel the company to share sensitive cybersecurity information on U.S. agencies gleaned through their platform with the Russian government.

Agencies were already under mandate from the Homeland Security Department to remove all Kaspersky products from their systems by October 2017, but the acquisition rule extends that to contractors providing services to federal agencies.

The rule restricts any federal agency from purchasing or otherwise “contracting for hardware, software and services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software or services in the development of data or deliverables first produced in the performance of the contract,” as stated in the contract clause added to the Federal Acquisition Regulation. The rule notes this includes subcontractors at all levels.

The ban goes so far as to restrict the use of Kaspersky products on any IT system that touches government work, even so far down as payroll systems for a contractor with a federal practice, according to Alan Chvotkin, executive vice president and counsel for the Professional Services Council, a trade group representing federal contractors. While a vendor’s commercial practice would be exempt from the rule, the government’s intentions are unambiguous, he said.

“The clear message from the U.S. government—and the smarter action for companies is—don’t even risk trying to segment or segregate, just get it out of your systems,” he told Nextgov.

The final rule also reasserts that the prohibition extends to purchases below the simplified acquisition threshold, designed to exempt small purchases whenever possible. The rule adds another layer, as well, extending the prohibition to all commercial off-the-shelf products.

“While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the government in buying hardware, software or services developed or provided in whole or in part by Kaspersky Lab,” the rule states, citing a determination by the Office of Federal Procurement Policy. “This level of risk is not alleviated by the fact that the item being acquired has been sold or offered for sale to the general public, either in the same form or a modified form as sold to the government, nor by the small size of the purchase.”

Publication of the final rule represents the final word in the years-long effort to remove Kaspersky from federal systems, at least for agencies and the contracting community, Chvotkin said.

Kaspersky maintains the rule is illegal, claiming it targets a single company and is therefore unconstitutional.

“Kaspersky maintains that the statutory provisions underlying the now final rule, Sections 1634 (a) and (b) of the National Defense Authorization Act for Fiscal Year 2018, were unconstitutional, were based on unsubstantiated allegations, and lacked any public evidence of wrongdoing by the company,” the company said in a statement Monday to Nextgov. “Through its Global Transparency Initiative, Kaspersky continues to demonstrate its ongoing commitment to assuring the integrity and trustworthiness of its products and the protection of its users’ data.”

The council published an interim rule in June 2018 to meet the law’s Oct. 1, 2018, deadline. Since that time, the group has taken in some additional comments but opted to finalize the interim rule without changes.

The council received three comments after publishing the interim rule, “one of which was outside the scope of the rule,” according to the notice set to publish Tuesday.

One commenter suggested the government develop a specific list of companies and products that have been prohibited, as well as a methodology for how such a list would be built and amended.

The council noted the idea had been brought up before, including in the preamble to the interim rule, which asked for public comments on how “a list might be developed and maintained.” However, “no public input was offered,” the notice states.

“Due to the continually evolving nature of technological product and service offerings, including third-party products that may either add or eliminate inclusion of elements such as Kaspersky Lab software, and the lack of suggestions for how this challenge might be managed, DoD, GSA and NASA have concluded that providing a definitive list of hardware, software, or services subject to the definition of ‘covered article’ is impractical, particularly in regulation,” the notice states.

Another comment suggested the process for finalizing the rule should have been faster, given the urgency of the problem. The council responded that the interim rule was in full effect before the Oct. 1, 2018, deadline and was meant to be “one tool to help agencies in their implementation … but the rule did not impact or impair any other planned or ongoing efforts agencies undertook to address the presence of covered articles.”


Russian Cybersecurity Firm Kaspersky to Set Up Data Transparency Centre in India


Russia-based cybersecurity firm Kaspersky is planning to set up a data transparency centre in India, a senior company official has said.

Kaspersky Managing Director (Asia-Pacific) Stephan Neumeier made the remarks while replying to a question on the company’s future investment plan with respect to India.

“India is no doubt a key market for us. The country will be releasing a policy on cybersecurity. Kaspersky will first study the policy and accordingly will plan to set up a transparency centre in India,” he said in an interview here.

The MD, however, did not disclose the investment amount for the project.

The centre in India will be Kaspersky’s second in the Asia Pacific region and fourth in the world after the ones in Switzerland, Spain and Malaysia.

The company recently opened its first transparency centre in the APAC region in Malaysia.

“The transparency centres in Switzerland and Spain serve as a facility for trusted partners and government stakeholders to review the company’s code, software updates, and threat detection rules. In addition, the storage and processing of user data from some regions, shared voluntarily with the Kaspersky Security Network, together with our software development infrastructure will all be relocated from Russia to Switzerland,” Kaspersky said explaining the function of a transparency centre.

India will be releasing a cybersecurity strategy policy in January next year.

While noting that the global health and pharmaceutical industry is facing the threat of data breaches, Neumeier further said his company is in talks with a few top hospitals in South India to provide them with cybersecurity protection.

He also said that in India, Kaspersky has emerged as a strong alternative to the western players and is among the top cybersecurity providers in the consumer market in India.

Neumeier said last year that India has the potential to become the top market in terms of mobile consumers in the APAC region in the next 5-10 years, driven by a sharp increase in the use of handsets and tablets, and that there is a need to raise awareness of cybersecurity among the younger generation.


Kaspersky to set up data centre in India


Anti-virus software company Kaspersky will set up a data centre and a transparency centre in India.

Russia-based Kaspersky is currently facing spying allegations in several European markets and in the United States.

Kaspersky’s India data centre will meet the likely cyber security policy that will mandate firms to store and process data locally.

“We will study the policy and will plan the data centre accordingly. The proposed centre will be along the lines of the one it set up in Zurich (Switzerland),” Stephan Neumeier, managing director of Kaspersky (Asia Pacific), said.

Kaspersky has already set up Asia Pacific’s first transparency centre in Kuala Lumpur, Malaysia.

“But the upcoming Indian policy on cyber security would require us to invest in a facility to store and process the data that we generate locally,” he said.

The centre in Asia Pacific is the third for Kaspersky after Zurich and Madrid. The proposed centre will help Kaspersky’s clients to see the source code and have a look at its products, software updates and threat detection rules.

Kaspersky claims it is the number two cybersecurity provider in the consumer market in India, is among the top four players in the business-to-business segment, and is number three in the small and medium business space.

The share of consumer business in South Asia has reached about 50 percent, down from about 70 percent three years ago.

Kaspersky Lab earlier said it plans to open a data center in Switzerland to address Western government concerns that Russia exploits its anti-virus software to spy on customers.

Kaspersky Lab said part of the new facility would be based in Zurich, and the company had chosen Switzerland for its “policy of neutrality” and strong data protection laws.

The United States last year ordered civilian government agencies to remove Kaspersky PC software from their networks. Kaspersky has strongly rejected the accusations and filed a lawsuit against the U.S. ban.

Kaspersky Lab said it also plans to open similar centers in North America and Asia by 2020.

Western security officials say Russia’s FSB Federal Security Service, successor to the Soviet-era KGB, exerts influence over Kaspersky management decisions, though the company has repeatedly denied those allegations.

2,000 MSPs have joined the ecosystem across North and Latin America, the Middle East, and Africa, with the highest number of partners registering in Europe.

“This recent update to our MSP Partner Program is part of a larger improvement plan focused on existing and new partners, their profitability, business needs and access to tools and security solutions,” said Ivan Bulaev, head of Global Channel at Kaspersky.


Kaspersky: PH top APAC country with most number of attacks on medical devices

Yangon, Myanmar — Legacy and open source systems, outdated software, and vague or absent security postures are just a few of the reasons the Philippines, along with other countries, is the Asia Pacific country that recorded the most attacks against medical devices in the healthcare industry. It placed second globally after Venezuela.

These are the findings cybersecurity firm Kaspersky presented at its annual Cybersecurity Weekend 2019, which also shed light on the reasons cybercriminals are showing great interest in the medical sector.

Based on its collected data, Kaspersky found that roughly seven in ten medical machines in Venezuela (77%), the Philippines (76%), Libya (75%), and Argentina (73%) have become entry points for hackers to infiltrate hospital and pharmaceutical networks.

Two more APAC countries, Bangladesh (58%) and Thailand (44%), were among the top 15 nations with the most detected infections.

Yury Namestnikov, Director of Global Research and Analysis Team, Russia, Kaspersky Lab, highlighted how clicking on a malicious link in a phishing email can lead to a cyber attack.

He also explained how outdated software or discontinued support services for Microsoft Office and the like could expand a network’s vulnerability. Office tops the list of exploit targets against medical organizations, which also includes web, USB, and (outdated) Android devices.

“Please patch (your) Office (systems),” advised Namestnikov. “All hacks lead to that.”

Network servers are not the only attack surface for hackers. The majority of attacks are routed through end users’ computers, mobiles and tablets, IoT gadgets, and hospital machines that are connected to the internet inside a healthcare facility.

While hospitals and medical institutions have learned their lessons after the WannaCry ransomware attack in 2017, cybercriminals have shifted their target to pharmaceutical companies.

“As of 2019, pharmaceutical companies have fallen victim, with 49% of attacks on devices compared to 44% in 2017 and 45% in 2018,” Namestnikov said.

Pakistan is No. 1 on the list, with 54% of recorded attacks on its pharmaceutical companies. In APAC, Indonesia tops the list (46%) and placed fourth globally. APAC dominated the list, with India (45%), Bangladesh (42%), and Hong Kong (39%) rounding out the countries in the region. Brazil, Egypt, Mexico, Peru, and Spain complete the top 10 list.

In 2019, APT (advanced persistent threat) groups such as Cloud Atlas and APT10 (also known as MenuPass, a Chinese-speaking APT) have set their sights on medical universities, research institutions, and clinics as potential targets.

Namestnikov said medical institutions need to rethink their cyber hygiene and start security awareness from the ground up.

“Organizations should at least do a minimum of cybersecurity,” Namestnikov said.
