The Federal Communications Commission’s Public Safety and Homeland Security Bureau has added three companies to the list of communications equipment and services that pose a threat to national security through access to user information. AO Kaspersky Lab, China Telecom (Americas) Corp and China Mobile International USA Inc were the enterprises added to the list, due to their affiliations with Russia and China, respectively. Kaspersky operates as a cybersecurity and antivirus software provider, while the two Chinese companies are in the telecommunications field.
According to the FCC’s news release, “Based on the required actions by federal agencies in response to the threats identified in the BOD, we interpret the BOD to be a finding from the Department of Homeland Security that Kaspersky-branded products pose an unacceptable risk to the national security of the United States. Further, by requiring federal agencies to remove Kaspersky-branded products we find that the Department of Homeland Security has determined that its products are capable of posing an unacceptable risk to the national security of the United States and its people.”
Kaspersky’s inclusion dates back to a Binding Operational Directive from September 2017, issued by the Department of Homeland Security and requiring that the Russian company’s products be removed from federal information systems.
The announcement, released March 25, lists the three organizations being deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019. The bill establishes “a mechanism to prevent communications equipment or services that pose a national security risk from entering U.S. networks, and a program to remove any such equipment or services currently used in U.S. networks,” per Congress’ website.
Additionally, the legislation prohibits the use of certain federal funds to obtain communications equipment or services from a company that poses a national security risk to U.S. communications networks. The list was initially published in March 2021 and is maintained by the FCC, per the act’s outline.
“Last year, for the first time, the FCC published a list of communications equipment and services that pose an unacceptable risk to national security, and we have been working closely with our national security partners to review and update this list,” said Chairwoman Jessica Rosenworcel via news release. “Today’s action is the latest in the FCC’s ongoing efforts, as part of the greater whole-of-government approach, to strengthen America’s communications networks against national security threats, including examining the foreign ownership of telecommunications companies providing service in the United States and revoking the authorization to operate where necessary. Our work in this area continues.”
The services of the two Chinese companies in question, China Telecom (Americas) Corp and China Mobile International USA Inc, were found to be in association with their section 214 authorizations, with the finding that both companies “posed substantial and unacceptable risks to U.S. national security and law enforcement concerns.”
Section 214 is an application for international companies to operate legally in the U.S., and the organizations were found to be in violation of the terms included with the application.
“It’s interesting to me that the [Department of Homeland Security] actually banned Kaspersky five years ago and the FCC is citing the DHS findings as reasons why Kaspersky should be added to their list,” said Bryan Hornung, chief executive officer and founder at Xact IT Solutions. “The Chinese Telecom directive was less surprising. China Telecom’s operations as a carrier in the United States pose substantial and unacceptable risks to U.S. national security and law enforcement concerns. Because we are unable to discern what type of traffic is being sent back to China prompted this warning. These types of warnings are helpful as private businesses and state and local governments make buying decisions around technology.”
The FCC did not provide guidance or direction on what current users of Kaspersky’s software should do with this information, as the mandate only applies to those in federal positions.