Kaspersky Labs Confrontation Sets Template
Measures from Cybersecurity and Infrastructure Security Agency and Justice Department set tone for cybersecurity supply chain trust.
How the U.S. government responded to the vulnerabilities created by anti-virus software and other products from Russia’s AO Kaspersky Laboratories is an important demarcation point in the growing awareness of and need for supply chain trust and assurance. Before that, conversations regarding supply chain risk management “were sort of siloed off to the side,” explains Daniel Kroese, acting deputy assistant director for the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center at the Department of Homeland Security.
The Kaspersky products installed on U.S. government networks created great vulnerabilities, including reporting information back to Russia. As a result, the Department of Homeland Security (DHS) in September 2017 issued a Binding Operational Directive (BOD-17-01) to all federal executive branch departments and agencies to remove within 90 days all Kaspersky-branded products in use—although the BOD did not address Kaspersky code that other companies embedded in their tools. The DHS then worked with the Department of Justice (DOJ) to build a defensible framework for that action, which is having a lasting impact, Kroese suggests.
“Oftentimes we sort of forget about the success stories in government,” he asserts. “And by and large, I think we had 99 percent compliance by 110 days. So, it wasn’t perfect, but generally a pretty good success story…. And that framework is a really good forcing mechanism to kind of kickstart what is going to be a multidecade engagement for us of continuing to fine-tune the way that we think about supply chain risk management, about how you assess a level of trust and insurance for a third party that you do business with.”
The DHS and DOJ framework to support the binding directive had to be evidence- and intelligence-based “to show that we weren’t acting in an arbitrary or capricious way, that we had a holistic lens to understand the risks, particularly the third-party risks, and that we applied it in a fair and consistent way,” Kroese explains. “The result of that effort was a defensible decision to ask executive branch agencies to remove the software.”
The framework addressed the technical specifications of the product, outlined criteria regarding the country of origin of the manufacturer and defined the relationships between the corporate officials and the Russian government. “In the briefings that we put together when we were working with the DOJ, we distilled our holistic lens of supply chain risk management really into three buckets,” he states. “The first bucket, which is maybe the easiest to understand, was just the technical specifications of the product. If you can kick something out of the system just for being a leaky, buggy, bad product, then you don’t even have to start talking about some of the country-of-origin issues. And we felt we were on really solid footing in terms of Kaspersky Labs, showing how the data that was collected on the network systems was being transmitted back to Russia. With the technical specifications, we could say, ‘I don’t care what the name of this product is; this is not a good product.’ And we think just on that ground alone, we made a compelling case.”
Kroese continues, “Bucket two is the country of origin for the manufacturer. It is not naming a list. It’s not ‘these are the good countries; these are the bad countries.’ It is setting criteria about the rule of law, due process and independent judiciary or lack thereof in a country, and laying out a framework, saying that if the manufacturer exists in a country that has processes and schema that look like this, it gives us pause for concern. And then the third bucket was the relational piece, of what is the relationship between the leaders at that organization, that manufacturer, and high-ranking government officials in that country. So, we laid out what we thought was an inappropriately cozy relationship between some of the KL [Kaspersky Laboratories] leadership and the Russian intelligence apparatus.”
Most importantly, he notes, is that framework held up in court, litigated all the way up to the U.S. Court of Appeals for the District of Columbia Circuit, known as the D.C. Court of Appeals, which made a unanimous three to zero decision in favor of the U.S. government.
“We went through this in a really systematic way and laid out these three buckets, which in our opinion was highly defensible, and ultimately the courts agreed with us, and that was really a lasting impact,” Kroese shares. “Obviously there is a security and resiliency benefit for our federal enterprise of not having those risky products on our systems, but the lasting impact from having that framework is something that has really set us up for a lot of the collaborative activity we are working on now.”
The Cybersecurity and Infrastructure Security Agency (CISA) official also cites a certain guiding impact of DHS’ actions on the industry. “There are a lot of things the private sector does really well,” he stated. “There are a few things that the government and only the government can do, and we need to lean in and embrace our role there. CISA likes to describe ourselves as the nation’s cyber risk advisor, but we don’t have regulatory authority, so we can’t require certain activity. But central to that effort is that sometimes you can be the North Star. You can put something up that the industry can follow. I think it’s telling that after the Kaspersky Labs binding operational directive, a whole host of big box retailers, Best Buy and others, stopped selling KL products. They did that because a very defensible case was publicly presented, advising the nation of why it’s probably a good idea from our risk management perspective to not have this on your system.”
For CISA, those are the two lasting benefits—the intellectual rigor of the framework and recognizing that the government can be a guiding entity.. “We can call out bad things, and people will pay attention,” Kroese states.
You may also be interested in: