The decision of antivirus vendor Kaspersky to exit the U.S. has highlighted software supply chain and cybersecurity knock-on effects for customers, with software testing and vendor selection impacted after a rival product was pushed onto devices in place of the outgoing one.

The lifecycle of a piece of software is finite. Whether it’s an operating system, application, driver or firmware, eventually development and support will come to an end, necessitating a change to an alternative solution. But what happens when that change falls outside of the expected lifecycle?

Amid changing regulations and geopolitical instability, a variety of technology supply chains have been disrupted, and continue to be disrupted, to satisfy sanctions, national security and other concerns. This disruption is not limited to hardware: software and services are also affected by such restrictions. How will that affect cybersecurity professionals, and the wider organization, when it comes to ensuring security and business continuity?

In July 2024, antivirus vendor Kaspersky announced its intention to exit the U.S. market in response to U.S. government restrictions. The company had been added to the Entity List, a catalog of "foreign individuals, companies, and organizations deemed a national security concern". This was compounded by a Commerce Department determination, again citing national security risks, that prohibited new sales of Kaspersky antivirus software in the U.S. from July 20, 2024 and prohibited software and signature updates for existing U.S. customers from September 29, 2024.

On the eve of the update deadline, Kaspersky opted to migrate its U.S. customer base to a different product from a different vendor, to maintain coverage and fulfill contractual obligations. It did this by removing its own product from endpoint machines and replacing it with an antivirus solution from UltraAV, delivered through the same update channel customers already trusted for routine Kaspersky updates.

The approach taken has highlighted an interesting consideration for other software providers needing to exit a market or sector, as well as the operational, training and support implications for cybersecurity and IT professionals who will be impacted by a sudden and potentially imposed change in technology vendor or solution.

When Supply Chains Switch Path

Kaspersky’s move was not entirely unexpected, with both the wind down of its U.S. business and the intention to migrate users over to the UltraAV product being communicated ahead of time. However, the sudden timing of the technology change was not so clear to some customers, taking place without an opportunity for them to pre-test and understand the new solution before deployment.

This represents a learning opportunity for the entire sector – vendors and users – given this is not a one-off scenario. The implications are also not just restricted to when a complete change of solution occurs. The same considerations also apply when a software vendor rolls out a major new feature – one that fundamentally changes the way a piece of software works or how users interact with it – as part of a routine push update. For example, rolling out an integrated artificial intelligence (AI) component like a large language model (LLM) before it has been tested and before policies and training are in place.

For cybersecurity professionals in particular, changes like these highlight challenges with maintaining software supply chain security. A vendor pushing out a point update of its existing solution can be problematic enough, as was seen earlier this year when CrowdStrike deployed a Falcon sensor content update that crashed Windows systems across a large number of customer organizations. However, instigating a complete technology change, or a switch from one vendor to another, via a push update is contrary to many established cybersecurity processes and policies: change management, pre-deployment testing and vendor due diligence all assume the customer, not the outgoing vendor, decides what gets installed.

Alongside the Kaspersky news, the U.S. Commerce Department has proposed prohibiting key Chinese software and hardware in connected vehicles on U.S. roads due to national security concerns. If this proceeds beyond the consultation stage, it would potentially bar new Chinese cars and trucks from the U.S. market and potentially mandate a change to existing vehicles to maintain their functionality. The proposal could also constrain driverless car testing and affect U.S. and international car makers that use Chinese-made components or software, highlighting the multinational and interconnected nature of component and software supply chains.

As with Kaspersky, the proposal does not equate to an overnight change, with the software restrictions taking effect from model year 2027 if adopted. It is nonetheless another significant example of the wider impact and supply chain disruption that the withdrawal of software can have on a market or industry.

Cybersecurity and Sudden Change

Any vendor pushing out a complete software change to a different vendor's solution imposes a change without the opportunity to test and assess, increasing the risk of IT downtime and of a security control that no longer works as expected. A replacement endpoint product will not automatically inherit the policies, exclusions, central management integration and detection coverage that were configured for the outgoing one, so protection can silently degrade even when the new product installs cleanly. In an environment where reliance on a given vendor is the basis for how part or all of the IT estate is built and operated, a sudden change can be problematic across the organization. If the replacement solution isn't fully compatible with the environment it is being deployed into (hardware, operating system, other applications and services in use, monitoring and other tools) it can become a disruptive element, increasing IT workloads.

There’s also a training consideration. While a vendor exiting a market might see handing off users to a chosen alternative as the responsible thing to do (putting continuity of service first), it doesn’t necessarily account for whether the cybersecurity and IT personnel at a given customer organization have the experience or resources in place to support and maintain the new solution when it is deployed.

The Implications of an Imposed Change

According to a study from 2012 by The Hackett Group, “It costs roughly $700-$1,400 in internal costs (i.e., labor, outsourcing, technology and related overhead) to source a supplier, set it up in internal systems, transact with it and manage the relationship on an ongoing basis”. This is just one example of cost associated with a vendor change, planned or otherwise. Consider the following factors when a vendor, product or service change occurs outside of a planned migration from one iteration to another:

Direct Costs

  • Implementation Costs (e.g. testing, rolling back or updating the systems not caught by the auto update)
  • Training Costs (e.g. time, materials, test systems, trainers)
  • Support Costs (e.g. increased number of calls and tickets from users surprised by the sudden change in software or features)

Indirect Costs

  • Downtime (e.g. production, equipment and users impacted by failed updates or incompatibility with other applications)
  • Error Correction (e.g. fixing work output mistakes and/or IT errors caused by the sudden rollout of a new application)

Long-Term Costs

  • Impact on Policies and Processes (e.g. the cost and time associated with updating internal documentation and processes)
  • Impact on Future License and Support Costs (e.g. potential for increased costs once legacy agreements expire)
  • Cost of Replacing with a Preferred Option (e.g. removing the solution that has been pushed out in favor of one that is part of the longer-term software strategy)

A software provider's exit from a market is not that unusual an occurrence; it has happened before for a variety of reasons beyond legislative ones. Nonetheless, there's no question that Kaspersky is one of the most high-profile examples in recent history. It is an event that is likely to be seen again elsewhere because of legislation, sanctions and other government-mandated directions on technology sale and use. It is therefore something that cybersecurity professionals need to be mindful of and prepared to respond to, sometimes on short notice.
