FCC Adds Kaspersky Lab to Covered List as a National Security Threat

The Federal Communications Commission (FCC) has added Kaspersky Lab, a Russian cybersecurity company, to its “Covered List” (CL), a national security blacklist for telecommunications and other sectors that fall under the FCC’s purview. The move disallows the use of federal subsidies under the FCC’s oversight, which include the $8 billion Universal Service Fund that supports telecom deployments in rural and underserved communities. It is also widely viewed as a symbolic gesture, since a 2017 presidential order already banned the use of Kaspersky Lab services and software by federal agencies. Kaspersky has repeatedly contested these determinations, offering full cooperation with any investigation and asserting that the decisions are not based on any technical criteria and are possibly unconstitutional. A number of Chinese telecom equipment and service companies have also been added to the FCC’s CL.

Analyst Notes

Under current elevated tensions, attacks by Advanced Persistent Threats (APTs), including nation-state-sponsored groups, have an elevated likelihood in many organizations’ threat models, particularly for organizations that provide essential infrastructure or whose interruption would have a disruptive effect on the general population. Supply chain attacks have been documented as a favored method of evading defensive controls and mitigations: by installing backdoors into trusted software or hardware, threat groups with appropriate resources gain the ability to bypass perimeter defenses. In addition, other trusted relationships, such as counterparties, suppliers, and contracted vendors, are also at risk from Business Email Compromise (BEC) and other attempts to take advantage of trusted access. For this reason, smaller organizations are also at elevated risk as potential stepping-stones for compromising larger organizations. Organizations are advised to adopt increased vigilance, move toward zero-trust methodologies, and invest in comprehensive defense-in-depth and post-exploitation strategies.