We've reported before that the F.B.I. has warned companies not to use Kaspersky Lab software. The concerns surrounding Kaspersky, whose software is sold throughout the United States, are longstanding. The F.B.I., aided by American spies, has for years been trying to determine whether Kaspersky’s senior executives are working with Russian military and intelligence, according to current and former American officials. The F.B.I. has also been investigating whether Kaspersky software, including its well-regarded antivirus programs, contain back doors that could allow Russian intelligence access into computers on which it is running. The company denies the allegations. Elaine C. Duke, the acting secretary of Homeland Security, ordered federal agencies to develop plans to remove Kaspersky software from government systems.

At a Senate hearing in May, a number of senior American security officials, including the chiefs of the F.B.I. and the C.I.A., were even more blunt when asked if they would be comfortable with Kaspersky software running on their agencies’ systems: “No,” they said.

This presents quite a dilemma for global corporations as 5.5% of Windows anti-malware is supplied by Kaspersky. This equates to roughly 400 million users and 270,000 corporate clients worldwide.

You see, if the software does indeed have a back door which is the only reason U.S. agencies would ban it, this means all 400,000,000 users and 270,000 companies were potentially breached. In the cybersecurity world, if a cyberattacker has access to your systems, you have to assume a breach.

Put succinctly, it is likely these organizations need to take action as a result.

As the F.B.I. is responsible for advising companies not to use this software because of backdoors, we reached out to them to ask them what organizations who have used it need to do now.

We presented the Federal Bureau of Investigation with the following corporate scenarios, where users had Kaspersky software on their computers and asked for their comment:

• Do they need to report usage of Kaspersky products as a possible breach – there are numerous compliance organizations such as HIPAA, PCI, etc. which have procedures for breaches – where does use of this software fall?
• The NCSL has a list of security breach notification laws which vary by state. Do companies have to scour state by state to see if use of this software could be considered a violation?
• FINRA requires companies to have a response when assets have been compromised, what should they do if they were a Kaspersky user?
• Should companies who are concerned utilize dark web scanning tools to cross-reference their customer databases to see if their information could have leaked out?
• Are you aware of any instances where information was taken off a computer via Kaspersky software?
• What other warning signs should organizations look for which may signify their information has been compromised?

We presented the Bureau with these questions on August 24th as well as September 1^st. We did not hear back.

The bottom line is this is a huge mess. We have only listed a few questions for the F.B.I to answer, there are likely ten more we could have asked.

We understand the reluctance to answer these questions but the challenge is many CISOs, CIOs and CEOs do need to know how to handle this problem. Do they just hope it goes away when they switch to another antivirus vendor or do they treat it as a breach and report the action to the appropriate agencies listed above?

This situation is likely to get worse before it gets better. It’s a good idea to call some experts in to ascertain what your organization’s liability may be if you had any Kaspersky users in your company.