The US government has banned cybersecurity provider Kaspersky from selling its products in the country because of the company’s alleged links to the Russian regime.
On June 20, 2024, the US Department of Commerce’s Bureau of Industry and Security (BIS) issued a Final Determination prohibiting Kaspersky Lab, Inc., the US subsidiary of the Russian cybersecurity firm, from providing any products or services in the US.
Kaspersky Lab, Inc., its affiliates, subsidiaries and resellers, will no longer be able to sell Kaspersky’s software within the US or provide updates to software already in use.
The BIS has set a deadline of September 29, 2024, giving US consumers and businesses time to switch to alternative cybersecurity solutions.
Commerce Secretary Gina Raimondo said the company was under Moscow’s influence, which poses a significant risk to US infrastructure and services.
She added that the US must act against Russia’s "capacity and intent to collect and weaponize the personal information of Americans.”
Sellers and resellers who violate the restrictions will face fines from the Commerce Department.
The US Department of Commerce will also list two Russian and one UK-based unit of Kaspersky for allegedly cooperating with Russian military intelligence.
Kaspersky Subject to Russian Law
This decision is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the US pose a national security risk.
It is the result of a thorough investigation which determined that Kaspersky “poses an undue or unacceptable risk to national security” for the following reasons:
- Jurisdiction, control, or direction of the Russian government: Kaspersky is subject to the jurisdiction of the Russian government and must comply with requests for information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s antivirus software.
- Access to sensitive US customer information through administrative privileges: Kaspersky has broad access to, and administrative privileges over, customer information through the provision of cybersecurity and antivirus software. Kaspersky employees could potentially transfer US customer data to Russia, where it would be accessible to the Russian government under Russian law.
- Capability or opportunity to install malicious software and withhold critical updates: Kaspersky has the ability to use its products to install malicious software on US customers’ computers or to selectively deny updates.
- Third-party integration of Kaspersky products: Kaspersky software is integrated into third-party products and services through resale of its software, integration of its cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for the purposes of resale or integration into other products or services. Third-party transactions such as these create circumstances where the source code for the software is unknown. This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive US persons data.
Kaspersky’s US Customers Include CNI Businesses
Kaspersky has been under intense scrutiny by the US government for several years.
In September 2017, the US Department of Homeland Security (DHS) issued a directive requiring all federal agencies to stop using the cybersecurity company’s products.
This measure was signed into law in December 2017.
In 2022, the US Federal Communications Commission (FCC) added the firm to the ‘List of Communications Equipment and Services that Pose a Threat to National Security.’
While the multinational firm is headquartered in Moscow, it has eight regional units – including one in Woburn, Massachusetts – as well as offices in 31 countries around the world.
According to the Commerce Department, the company serves over 400 million users and 270,000 corporate clients in more than 200 countries.
Although neither party has shared the number of US customers Kaspersky serves, a Commerce Department official told the press agency Reuters that it was a “significant number” and included businesses in critical national infrastructure.
Kaspersky Will Fight the US Ban
Andrew Borene, executive director of New York-based cybersecurity company Flashpoint, described the ban as “a wise choice” because the software is used in local administrations.
“Kaspersky has a history of problems with US, Canadian and other allied governments. This decision is a logical reflection of the tectonic shifts that are dividing economies along the lines of power competition between allies and the Russia/China/Iran/North Korea digital domain; these divides obviously extend into private sector actors as well,” he added.
Kaspersky said it intended to pursue "all legally available options" to fight the ban and denied engaging in any activity that threatened US security.
On June 21, the Russian government described the ban as “unfair competition.”