U.S. Policy Toolkit for Kaspersky Labs

In February, the White House attributed “the most destructive and costly cyberattack in history,” a summer 2017 attack affecting critical infrastructure and other victims around the world, to Russian intelligence services. The malicious code used in the attack, known as NotPetya, permanently encrypts the data on the computers that it has infected, essentially destroying them. Ground zero for the malware was Ukraine, but it self-propagated and quickly spread to Asia, Europe and the United States, costing its victims billions of dollars in damage.

Russia’s hand in the NotPetya attack ought to send a chill down the spine of anybody who uses products by the Moscow-based antivirus company Kaspersky Labs. Russian law and practice, as Andrei Soldatov and Irina Borogan have documented, grants Russian intelligence agencies virtually unfettered authority to compel any internet-facing business in Russia to support their operations. And Kaspersky antivirus software—as others have pointed out (here, here and here)—would furnish Russian intelligence with an extraordinarily powerful vector to hijack any computer running the software.

President Trump signed legislation in December 2017 banning Kaspersky products from use by Federal agencies. The legislation, Section 1634 of the National Defense Authorization Act for Fiscal Year 2018, codifies in law a somewhat narrower ban issued by the Department of Homeland Security (DHS) in September 2017. The Department of Homeland Security explained the ban as a consequence of its “concern[s] about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”

Kaspersky has lodged legal challenges in federal court against both bans. The cases raise interesting questions of administrative and constitutional law, but also invite a separate question about the adequacy of the federal government’s toolkit for dealing with cyber risks of the sort posed by Kaspersky. The bans are limited in direct scope to federal agencies, but the risks of using Kaspersky are clearly much broader than that. After all, the federal government is neither the only provider of critical services to Americans, nor the only custodian of sensitive data. Indeed, most critical infrastructure in the United States is privately owned or operated, and many private companies possess sensitive data that Russian intelligence might find useful to steal or exploit. Use of Kaspersky software by these non-federal entities raises national security risks too.

The U.S. is not powerless against this, or similar, threats. It has many tools in reserve for potentially addressing the broader national security risks of Kaspersky software, and I present six of them below. These tools also incidentally illustrate that there is more to the cyber policy toolkit than “on-network” actions such as offensive cyber operations, hack-back, and network defense, which animate much of the public debate about cyber policy. The cyber policy toolkit can and should incorporate all tools of American power to achieve U.S. national security and foreign policy objectives.

Tool #1: Critical Infrastructure Authorities

According to press reports, the U.S. government has provided briefings to critical infrastructure and information technology companies alleging that use of Kaspersky software presents a national security risk, due to the company’s obligations under Russian law to enable Russian intelligence operations; its history of operational collaboration between the company and the Russian government; and other worrying behavior. DHS, the FBI, and their partner agencies have authorities under the Homeland Security Act, the Cybersecurity Act of 2015, and other relevant statutes, executive orders and presidential policy directives for supporting the cybersecurity efforts of U.S. critical infrastructure. This outreach enables the U.S. government to better assess the scope of the nation’s exposure to cyber threats from Russia and other actors; provide U.S. critical infrastructure with more tailored, actionable threat information, including relevant classified information if it has any; and more effectively partner with critical infrastructure and I.T. providers to develop defensive strategies.

Tool #2: Industry Survey Authority under the Defense Production Act

Of course, a critical infrastructure company could rebuff this outreach, or insufficiently implement agency recommendations. If outreach on voluntary terms failed to furnish the government with sufficient data about the threat or generate confidence that critical infrastructure is taking the threat seriously, the U.S. government could turn to a second tool: the authority granted by section 705 of the Defense Production Act (DPA) to the Bureau of Industry and Security (BIS)—an agency of the Department of Commerce—to “obtain information in order to perform industry studies assessing the capabilities of the United States industrial base to support the national defense.” The law and its implementing regulations require any recipient of an information request under this authority to produce the requested information or face civil and criminal penalties. The law also requires the government to abide by strict confidentiality and handling requirements about the data it acquires.

In 2015, BIS used this tool to initiate a “U.S. Biomedical Industry Cyber Security Assessment” on “the effect of cyber security threats on the U.S. biomedical industry.” The government could launch a similar survey of U.S. critical infrastructure’s use of Kaspersky software, in order to generate a more comprehensive threat assessment, inform mitigation strategies and send a strong signal to critical infrastructure about the significance of the threat.

Tool #3: U.S. Export Control Law

Russia has long been an avid pursuer of sensitive dual-use technologies through clandestine means. Indeed, key elements of the modern export control regime have their roots in Cold War-era efforts by the U.S. and its allies to constrain Soviet military power through the Coordinating Committee for Multilateral Export Controls.

BIS could issue an interpretation of its Export Administration Regulations (EAR) that a person or company is effectively exporting technology to Russia if it stores or processes controlled technology on a computer that uses Kaspersky software. BIS could argue that Kaspersky software enables a “foreign person”—namely, the Russian government—to undertake “visual or other inspection” of data on the computer, which would amount to a “release” of the data under EAR §734.15. Such a release, even if it occurs solely in the United States, constitutes a controlled “export” under EAR §734.13. If the data is the type of military, dual-use, or commercial data that cannot be exported to Russia without a license, the custodian of the data could not lawfully use Kaspersky software on a computer that can access the export controlled-data without first acquiring an export license from BIS.

Such an interpretation would also be consistent with the clear statement in §734.18 of the EAR that “sending, taking, or storing” unclassified export controlled-data overseas is considered an export, unless the data is encrypted end-to-end with strong encryption and is not intentionally stored in certain countries, including Russia. As applied to cloud computing, for example, this language has meant that unclassified export controlled-data cannot be sent, taken to, or stored on cloud resources in a foreign country unless these security requirements are met. The fact that Kaspersky software, as DHS explains, has “broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” raises identical concerns about foreign access to controlled data. Indeed, as BIS explains in the context of how §734.18 applies to cloud computing, the security requirements are:

intended to prevent exports of controlled data in unencrypted form resulting from defining security boundaries to include multiple countries. Any release of controlled data to non-U.S. nationals within the security boundary of a corporate intranet … would be treated as a deemed export requiring appropriate authorization, as is the case today.

Kaspersky products put Russian intelligence services squarely inside the security boundary of any company that uses them.

Because failure to comply with the EAR’s licensing requirements is subject to significant civil and criminal penalties, companies in the U.S. and abroad with controlled technology would have strong incentive to avoid Kaspersky products. The effects would be even stronger if other countries participating in global export control regimes followed the U.S. lead—though success in this regard could depend on whether the U.S. government has additional information about Kaspersky that it might be willing to share with key partners, such as European countries.

Tool #4: Department of Commerce Entity List

Fourth, the EAR also gives the U.S. government the authority to effectively blacklist a foreign company from the U.S. market. Specifically, under §744.16 of the EAR, BIS, in coordination with the departments of Defense, State and Energy, has the authority to impose license requirements on the export, re-export, and transfer of all U.S.-origin and other items subject to the EAR if the agencies “reasonably believe [the company] to be involved, or to pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.” This list of around 1,000 foreign companies and individuals is known as the “Entity List.”

One of the most significant recent examples of Entity List use involves the Chinese telecommunications company ZTE, which was added in March 2016 for egregious efforts to evade U.S. export controls. BIS and its partner agencies removed the company from the Entity List in March 2017 after a year of negotiations. The company paid a record $1.19 billion fine, pled guilty to various criminal charges and overhauled its internal export control compliance regime.

The law does not define what constitutes “activities contrary to … national security or foreign policy,” so the scope of the authority on its face is very broad. In practice, the authority has been used primarily against entities that violate U.S. export control laws, are associated with terrorism, or are subject to various economic sanctions imposed by other agencies, such as those levied by Treasury’s Office of Foreign Assets Control. If BIS and its interagency partners were to determine that Kaspersky is involved, or poses a significant risk of being or becoming involved, in activities contrary to the national security interests of the United States, BIS could use the economic leverage created by denial of access to the U.S. market to pressure Kaspersky to take remedial actions that address U.S. national security concerns. If Kaspersky did so, BIS, in coordination with the other agencies, could remove it from the Entity List or modify the scope of the listing.

The effects of designating Kaspersky for inclusion on the Entity List would be two-fold. First, the designation could effectively shut Kaspersky out of the U.S. market by requiring any company or person, anywhere in the world, to acquire a license from BIS, pursuant to EAR §744.11 and §744.16, before conducting any meaningful business with designated Kaspersky entities. BIS has virtually unfettered discretion to determine its licensing policy. The license review policy for the vast majority of entities on the list is a presumption of denial.

Second, the designation would disrupt Kaspersky’s global business operations. The licensing requirement under EAR §744.11(a) is potentially sweeping in its scope. It could cover the export of nearly any item from U.S. soil, even if the item were produced elsewhere. It could cover items that originated from the U.S., regardless of their current location and how they got there. It could even cover an item manufactured overseas that never touched U.S. soil if it nevertheless contained U.S.-origin items or if the foreign manufacturing facility incorporated U.S.-origin technology.

The bureau holds persons that violate the licensing requirement strictly liable for their actions—ignorance is no defense, and the penalties can include civil and criminal sanctions. No prudent executive would profess to have perfect information about their immediate supply chain, their supplier’s supply chain, that supplier’s supply chain, and so on. If executives facing strict liability choose to do business with an entity on the Entity List without BIS approval, they will be rolling the dice with their company’s fortunes and potentially their own personal liberty. So for companies with a global supply chain such as Kaspersky, an Entity List designation chases away not only their customers, but their business partners and suppliers as well.

As a matter of practice, BIS prefers to disclose the factual predicate for a listing—as it did, for example, in the aforementioned case of ZTE, where it published the internal ZTE documents that established ZTE’s wrongdoing when it listed the company. For Kaspersky, this factual predicate could include publicly known facts about the nature of antivirus software generally and Kaspersky’s software specifically; Russia’s laws mandating that Russian companies support Russian intelligence operations on demand; and the extraordinary threat that Russian intelligence poses to U.S. national security. Collectively, this factual record would arguably establish a prima facie case that Kaspersky “pose[s] a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.” On the other hand, given the severity of the punishment and the largely circumstantial evidence about Kaspersky in the public record, a reasonable norm of proportionality might counsel against an Entity List designation at this time.

Tool #5: Federal Trade Commission Section 5(a) Authority

The Federal Trade Commission (FTC) has the authority under Section 5(a) of the FTC Act to investigate and initiate enforcement action against companies that have engaged in “unfair or deceptive acts or practices.” One of the FTC’s more prominent lines of enforcement activity under Section 5(a) has focused on companies failing to abide by their own terms of service and marketing claims. A company can run afoul of Section 5(a) by acting contrary to these claims, or by omitting material information about features and practices from them.

Antivirus software is inherently intrusive—it has to be, in order to identify and block threats. And while it is true that antivirus terms of service are therefore legitimately broad in scope, there is no obvious security need for Kaspersky’s apparent practice of exfiltrating harmless files from a customer’s computer. The practice arguably exceeds most consumers’ expectations about what their antivirus software is doing. For Kaspersky, this practice raises the specter of the FTC confronting it with a complaint that such a practice is a “material omission” about security- and privacy-related aspects of its software, and thus constitutes an unfair or deceptive act or practice.

It is worth noting that many states have similar consumer protection laws, and could potentially launch investigations of their own.

Tool #6: Treasury Sanctions

A sixth and final tool discussed is the Treasury Department’s authority under Executive Order (EO) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” to impose sanctions on entities that engage in certain kinds of malicious cyber activity. The order lays out four categories of sanctionable conduct:

• “[H]arming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector” [EO 13694 §1(a)(i)(A)];
• “[S]ignificantly compromising the provision of services by one or more entities in a critical infrastructure sector” [EO 13694 §1(a)(i)(B)];
• “[C]ausing a significant disruption to the availability of a computer or network of computers” [EO 13694 §1(a)(i)(C)]; and
• “[C]ausing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain” [EO 13694 §1(a)(i)(D)].

If the U.S. government had specific facts establishing that Kaspersky entities in Russia or another foreign country had engaged in any of the conduct described above, or had conspired in some way with others who had engaged in the conduct under §1(a)(ii) of the order, then it could potentially sanction those entities. As with the Entity List, however, the government would have to be willing to disclose these specific facts publicly in court or in an administrative proceeding should Kaspersky sue the government to challenge the sanctions.

Conclusion

By now, some readers are no doubt protesting that it would be hypocritical for the U.S. government to use these tools against Kaspersky, on the grounds that Russian laws mandating that Kaspersky aid Russian intelligence operations are no different than the obligations imposed by the Foreign Intelligence Surveillance Act (FISA) on companies in the United States. That argument rests on a false equivalence: The United States, despite its blemishes, is not Russia, and that matters as a point of principle. Whatever one thinks about the various issues at stake in FISA—the boundaries of U.S. law governing surveillance, the role of Congress in authorizing and reauthorizing various elements of FISA, the effectiveness of congressional and judicial oversight of FISA, and the rights and responsibilities of private companies—these arguments are fundamentally about whether the current legal regime strikes a reasonable balance across many different and important equities. It is a given, however, that boundaries on surveillance authorities not only exist—U.S. intelligence operations are bound by the rule of law—but that the balance of equities captured by these boundaries is a topic of legitimate discussion and debate in our democracy.

None of this is true of Russia, whose intelligence services operate at the whim of President Vladimir Putin with no democratic accountability, independent oversight or meaningful transparency about normative and operational boundaries. These services have amassed an extraordinary track record of political assassination, human rights violations and attacks on democratic institutions, including interference with elections in the United States and Europe. It is immaterial from a threat perspective whether Kaspersky is an enthusiastic collaborator with Russian intelligence or a forced conscript. As long as Kaspersky’s business operations and personnel are vulnerable to coercion by Russian state actors, the company and its executives are virtually powerless to resist Russian demands.

So the problem with Kaspersky is not simply that it is a foreign company or even that it has a relationship with a foreign government. Rather, it is the fact that Kaspersky products furnish Russia—an authoritarian government that is openly and aggressively committed to destroying liberal democracy as we know it—with a turnkey cyber attack platform. And it is manifestly not in the U.S. national security interest that Russia wield such a capability.