The Federal Communications Commission added Russia-based cybersecurity giant Kaspersky on Friday to the “Covered List” of companies that pose an “unacceptable risk to the national security of the United States.”
The decision essentially puts Kaspersky in the same class as Chinese telecommunications hardware makers Huawei and ZTE, which were among the first added to the list in 2021.
In a public notice issued Friday, the agency said that the Kaspersky decision is based on a 2017 ruling by the Department of Homeland Security (DHS), which banned the company’s products and services from U.S. government use.
As of Friday afternoon, it was unclear if the ruling effectively wipes out Kaspersky’s U.S. business. Under the 2021 Secure Equipment Act, companies on the Covered List are banned from having a presence in U.S. telecommunications networks.
The FCC ruling applies to “information security products, solutions, and services supplied, directly or indirectly” by the company or “any of its predecessors, successors, parents, subsidiaries, or affiliates.”
Kaspersky issued a statement saying that the 2017 DHS ruling was “unconstitutional, based on unsubstantiated allegations, and lacked any public evidence of wrongdoing by the company,” and there has been “no public evidence” since then to justify the decision. Friday’s announcement is a “a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services,” the company said.
The FCC decision comes as other governments have classified Kaspersky as a potential threat against the backdrop of Russia’s invasion of Ukraine.
Kaspersky, which has a long history of selling antivirus services in the U.S., is the first cybersecurity company and first Russian entity on the list. So far the emphasis has been on hardware providers. In addition to ZTE and Huawei, it also includes video surveillance company Hikvision and two-way radio company Hytera.
The FCC did not immediately respond to questions from CyberScoop.
Company founder Eugene Kaspersky has repeatedly said that the company has independence from the Kremlin.
“No evidence of Kaspersky use or abuse for malicious purpose has ever been discovered and proven in the company’s twenty-five years’ history notwithstanding countless attempts to do so,” he wrote in a March 16 blog post.
Friday’s additions to the Covered List also included China Mobile and China Telecom.
The FCC announcement also comes as Kaspersky said publicly that its use of the HackerOne bug bounty platform had been “suspended indefinitely.” The San Francisco-based company’s software allows companies to collect information from white-hat hackers and pay them freelance fees for the vulnerabilities they discover.
“The platform blocked Kaspersky’s access to the program and made Kaspersky’s bug bounty page at HackerOne unavailable to researchers,” Kaspersky said in a tweet. “HackerOne has frozen existing funds and discussions for already reported vulnerabilities.”
In a brief statement provided to CyberScoop, a HackerOne spokesperson implied that the decision was not final.
“Our conversations with Kaspersky are ongoing, and we will continue to work with their team to address their concerns,” the spokesperson said.
HackerOne had announced last week that because of U.S. sanctions related to the war in Ukraine, it was suspending relationships with companies from Russia and Belarus.