The US telecoms regulator (FCC) has added the products and services of the Russian security vendor Kaspersky to the list of equipment affecting national security. The company is also excluded from HackerOne’s bug bounty program.
Dark clouds are gathering over Kaspersky. Already persona non grata in several European countries following the war in Ukraine, which led to a wave of embargoes on many Russian companies, Kaspersky was also in trouble in the United States, where its products were already banned from government agencies because of the risk of cyber espionage. This time, things go a notch further with the decision taken at the end of last week by the American telecoms regulator, the Federal Communications Commission (FCC). The institution has placed the Russian vendor on the list of equipment and services presenting an “unacceptable risk to the national security of the United States or the safety and security of American citizens”.
This “covered list” includes all products, solutions and services provided – directly or indirectly – by Kaspersky and all its companies (parent company, subsidiaries, etc.). On this list, published on March 25, 2022, the FCC also places the telecommunications and video surveillance services of China Mobile International USA and China Telecom (Americas). The last salvo of foreign solutions banned from the United States dates back to March 12, 2021 and concerned the telecommunications services of Huawei Technologies, ZTE, Hytera Communications, Hangzhou Hikvision Digital Technology Company and Dahua Technology Company.
Cutting off funding for the purchase and maintenance of solutions
Kaspersky’s presence on the list means, as Reuters points out, that money from the FCC’s $8 billion annual Universal Service Fund (USF) cannot be used to buy or maintain its products. This fund is used for different purposes such as telecommunications for rural areas, low-income customers, public facilities in schools, libraries, hospitals… The FCC decision is not directly intended to force government agencies and public administrations to stop using Kaspersky solutions, but a halt to these subsidies could well seriously harm the group’s activity. By acting in this way, does the United States intend to avoid one more open conflict with Russia? We suspect that the next step would be an outright ban on the use of solutions and services
Following this decision, the Moscow-based Russian vendor reacted the same day in an official press release that reflects palpable tension: “As there has been no public evidence to justify these actions otherwise since 2017, and as the FCC announcement specifically references the 2017 Department of Homeland Security act as the basis for today’s decision, Kaspersky believes the current extension of such a ban to entities that receive grants is also unsubstantiated and constitutes a response to the geopolitical climate rather than a full assessment of the integrity of Kaspersky’s products and services”. The American press had reported on the initial training of Eugene Kaspersky, a course in cryptography at an institute partly financed by the KGB. It also mentioned links kept with the FSB, which the person concerned denies.
Remuneration of hackers in Russia, Belarus and Ukrainian separatist regions suspended
In parallel with the FCC’s action against Kaspersky, the vendor is also in trouble with the HackerOne bug bounty platform. “We have suspended programs for customers based in the countries of Russia, Belarus and sanctioned areas of Ukraine. However, HackerOne will not block access to vulnerability disclosures submitted before the services were suspended,” HackerOne explained. “We have suspended payments to hackers in sanctioned regions. All payments due to hackers in Russia or Belarus are withheld until the situation changes.”
This prompted the Russian vendor to react again: “We are sad to announce that the Kaspersky bug bounty program hosted on the HackerOne platform has been suspended indefinitely due to unilateral action by HackerOne. […] Kaspersky finds this unilateral action to be unacceptable behavior, especially vis-à-vis the key players in the community coordinating this vulnerability program where trust between all parties is paramount to designing more secure products and services.”