Full Report
Kaspersky ICS CERT received a letter from FIRST notifying it that its membership has been temporarily suspended. Kaspersky is disappointed by this decision and believes that it hurts the international community of experts and the cybersecurity industry as a whole.
Analysis Summary
# Industry News: FIRST Suspends Kaspersky Membership Amid Growing Geopolitical Pressures
## Summary
Kaspersky has been notified by the Forum of Incident Response and Security Teams (FIRST) that its membership, specifically regarding its Industrial Control Systems Cyber Emergency Response Team (ICS CERT), has been temporarily suspended. This move marks a significant fracture in international cybersecurity cooperation and reflects the mounting isolation of Russian-linked entities from global security standards bodies.
## Key Details
- **Date:** March 28, 2022
- **Companies Involved:** Kaspersky (ICS CERT), FIRST (Forum of Incident Response and Security Teams)
- **Category:** Industry Partnership / Regulatory & Policy
## The Story
FIRST, a global confederation of incident response teams that facilitates the sharing of information about cyber threats, has suspended Kaspersky’s membership. Kaspersky expressed disappointment, stating that the decision was not based on technical or security failings but rather influenced by the geopolitical climate. This suspension restricts Kaspersky’s access to specialized working groups, private mailing lists, and synchronized incident response protocols that are standard for top-tier global security firms.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Faces a reputational blow and a reduction in real-time "early warning" data from global peers. This could impact the speed at which they issue patches or threat intelligence for non-Russian threats.
- **FIRST:** Risks losing visibility into threats originating from or targeting the Russian-speaking region, where Kaspersky has deep visibility.
### For Competitors
- **Western Competitors:** US- and EU-based security firms may see this as an opportunity to displace Kaspersky in sensitive critical infrastructure accounts, citing "official" isolation from international standards bodies as a risk factor.
### For Customers
- **ICS/SCADA Operators:** Industrial customers relying on Kaspersky for threat intelligence may face lag times in receiving updates that were previously streamlined through FIRST’s information-sharing infrastructure.
### For the Market
- This signals a "Balkanization" of the cybersecurity industry, where technical cooperation is being superseded by geopolitical alignment, potentially creating silos of information.
## Technical Implications
The suspension likely removes Kaspersky's access to FIRST's automated Information Sharing and Analysis Centers (ISACs). Technically, this may result in a decrease in "cross-pollination" of malware samples and vulnerability data between Kaspersky and other leading incident response teams, potentially leading to diverging threat databases.
## Strategic Analysis
- **Market Positioning:** Kaspersky is being pushed further into a "neutral" or "Eastern-focused" market position, as Western institutional doors close.
- **Competitive Advantage:** Kaspersky’s advantage has always been its elite researchers (GReAT); losing a seat at the FIRST table diminishes their ability to influence global security standards.
- **Challenges:** The primary challenge is maintaining the efficacy of their ICS CERT without the collaborative benefits of FIRST’s global network.
## Industry Reactions
- **Analyst Opinions:** Analysts view this as an inevitable consequence of the 2022 geopolitical shift, noting that "trust"—the foundational currency of FIRST—has become collateral damage.
- **Expert Commentary:** Some experts warn that excluding a major player like Kaspersky creates a "blind spot" in global threat telemetry, which ultimately benefits threat actors.
## Future Outlook
- **Predictions:** Expect further isolation of Russian technical firms from international standards bodies (like ISO or IETF) and a potential rise in the importance of regional sharing centers (e.g., in the BRICS nations) as alternatives to FIRST.
- **What to watch for:** Whether other vendors associated with specific nation-states face similar scrutiny, and if Kaspersky attempts to form a rival incident response federation.
## For Security Professionals
Practitioners should review their reliance on a single source of threat intelligence. For those using Kaspersky in ICS environments, it is critical to ensure multi-vendor telemetry is in place to compensate for any potential delays in data sharing resulting from this suspension. Over-reliance on "isolated" vendors increases the risk of missing globally identified emerging threats.