What You Need to Know
- Key takeaway #1Starting July 20, 2024, Kaspersky is prohibited from entering into any new agreement with U.S. persons, which includes U.S. citizens or residents located outside the United States, for its cybersecurity/anti-virus software, and will not be able to provide any software or updates after September 29, 2024. Additionally, exports (of items subject to the EAR) to Kaspersky affiliates are now prohibited and dealings with certain leaders of Kaspersky are prohibited for all U.S. persons.
- Key takeaway #2While this is the U.S. Department of Commerce’s first use of the Information and Communications Technology and Services (ICTS) regulations to impose a prohibition on an entity from supplying its software to U.S. persons, this determination serves as a blueprint as to how Commerce might use this authority again.
- Key takeaway #3U.S. companies with exposure to Russian or Chinese entities in their ICTS supply chain may be most affected by future similar Commerce actions.
Overview
On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced a Final Determination, pursuant to the Securing the Information and Communications Technology and Services Supply Chain (ICTS) regulations, prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons (wherever located) because it poses undue and unacceptable risk to U.S. national security. The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries and parent companies (collectively Kaspersky). This is the first time that BIS’s Office of Information and Communications Technology and Services (OICTS) has issued a determination pursuant to the ICTS regulations.
Simultaneously, (i) BIS added three Kaspersky entities to the Entity List (prohibiting any person, U.S. or otherwise, from exporting, reexporting, and transferring to those entities any item subject to the U.S. Export Administration Regulations (EAR)); and (ii) the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 12 individuals at AO Kaspersky Lab.
Background
In May 2019, the White House issued Executive Order 13873 that gave Commerce the authority to take action regarding certain ICTS transactions. Commerce subsequently issued an Interim Final Rule on January 19, 2021, which became effective on March 22, 2021.
The ICTS regulations authorize BIS to formally review, stop, and/or amend any “transactions” (a broadly defined term to include actions as basic as software updates) where the ICTS item or service is designed, developed, manufactured, or supplied, by persons “owned by, controlled by, or subject to the jurisdiction or direction of” a foreign adversary, (i.e., the Chinese, Russian, Cuban, Iranian, North Korea, and Venezuelan governments). Specifically, the transaction must
- Involve a U.S. person or an item subject to the jurisdiction of the United States;
- Have a foreign country or national that retains an interest in the ICTS item or service;
- Have occurred on or after January 19, 2021; and
- Involve a specified ICTS item or service.
Once the criteria are satisfied, BIS then determines whether there is a national security risk. Unlike U.S. export controls or sanctions which have general prohibitions on identified parties or items, the authority is developed to be a mechanism for review of transactions on a case-by-case analysis, but an entire corporate structure could functionally be blacklisted from supplying software to the United States or to U.S. persons. Until now, the only public information regarding BIS’ use of the ICTS regulations was related to subpoenas to collect additional information from targeted entities.
This is not the first time the U.S. government has acted against Kaspersky. In 2017, the U.S. Department of Homeland Security issued a Binding Operational Directive that ordered all Kaspersky-branded products be removed from all Federal Government information systems, which subsequently was codified and expanded in the Fiscal Year 2018 National Defense Authorization Act, implemented into the Federal Acquisition Regulation (FAR), which prohibits contractors and subcontractors from furnishing agencies with any hardware, software, or services developed or provided, in whole or in part, by Kaspersky or a related entity or from using Kaspersky products in the development of data or contract deliverables (see FAR 52.204-23). Moreover, on March 25, 2022, the Federal Communications Commission (FCC) placed Kaspersky on its Covered List finding that Kaspersky posed an unacceptable risk to national security and the security and safety of U.S. persons.
The ICTS authority allows the Commerce Department to address the commercial threat presented by Kaspersky.
What Happened?
On August 25, 2021, the Department of Justice (DOJ) requested BIS review ICTS transactions involving Kaspersky’s provision of cybersecurity and anti-virus software to U.S. persons. Following an investigation, BIS issued the Final Determination, which found that Kaspersky’s continued operations in the United States presented a national security risk.
Executive Order 13873 Criteria Identified
BIS determined that Kaspersky is subject to the jurisdiction of the Russian Federation, and that the transactions met the required criteria in Executive Order 13873. Specifically, BIS found that:
- U.S. Persons: Kaspersky sells software through Kaspersky Lab, Inc., a Massachusetts corporation;
- Foreign Person Interest: A foreign person held an interest in three instances: AO Kaspersky Lab, a Russian company, holds the IP rights to the software products; Kaspersky Lab, Inc. is owned by a UK entity headquartered in Moscow, Russia; and Kaspersky’s Swiss entity sells to U.S. end users online.
- Within Timeline: The transactions were initiated, pending, or completed on or after January 19, 2021.
- ICTS Items Involved: The transactions involved one or more listed types of ICTS including (a) software integral to consumer/enterprise computing services that retain sensitive personal data of U.S. customers; (b) products supplied to customers in critical infrastructure sectors; and (c) Kaspersky sold more than one million units of anti-virus and cybersecurity products in a 12-month period.
Risk to National Security
BIS determined that Kaspersky poses an undue or unacceptable risk to national security for the following reasons:.
- Subject to the Jurisdiction of Russia: Kaspersky (as a Russian entity) must comply with any Russian government request for assistance or information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s anti-virus software. Additionally, Russian law compels companies subject to Russian jurisdiction to cooperate with Russian intelligence and law enforcement efforts, including requests from the Russian Federal Security Service (FSB).
- Potential for Software Exploitation: Kaspersky software can be exploited to identify sensitive U.S. person data and transfer that data to Russian government actors by providing knowledge of cyber backdoors and vulnerabilities to allow access, collecting sensitive U.S. person data, and white-labeling software that would lead to persons unknowingly introducing Kaspersky-software to networks containing highly sensitive U.S. data.
- Cybersecurity Breaches: The use of Kaspersky cybersecurity and anti-virus software allows for Kaspersky (and Russia more generally) to have the capability and opportunity to install malicious software and strategically withhold critical malware signature updates for U.S. persons.
What the Final Determination Means
Starting July 20, 2024, Kaspersky may not enter into new agreements with U.S. persons (including U.S. persons located outside the United States) involving cybersecurity or anti-virus products or services, or white labeling those products.
Starting September 29, 2024:
- Kaspersky is prohibited from (i) providing any anti-virus signature updates and codebase updates associated with the products and services listed above; and (ii) operating the Kaspersky Security Network (KSN) in the United States or on any U.S. person’s information technology system.
- Any reselling, integrating, or licensing of Kaspersky cybersecurity or anti-virus software, is prohibited in the United States or by U.S. persons.
There are some exemptions related to Kaspersky Security Training products and services, or Kaspersky consulting or advisory services (including SOC Consulting, Security Consulting, Ask the Analyst, and Incident Response) that are purely informational or educational in nature.
The penalty for violations is $307,922, or twice the amount of the transaction, per violation. In its press release, Commerce noted that individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination, but will assume all the cybersecurity and associated risks of doing so.
Additional U.S. Government Actions
On the same day, BIS designated AO Kaspersky Lab, OOO Kaspersky Group of Russia, and Kaspersky Labs Limited (United Kingdom) to the Entity List, making it prohibited for any person (U.S. or otherwise) to export, reexport, or transfer any item subject to the EAR to these persons.
Additionally, on the following day, OFAC designated 12 individuals in senior roles at AO Kaspersky Lab on the List of Specially Designated Nationals and Blocked Persons (SDN List). U.S. persons are prohibited from dealing with such persons, as well as any entity they own 50% or more.
Next Steps
- BIS published a series of FAQs providing guidance on how companies can uninstall Kaspersky software and how to find alternative providers prior to the upcoming deadlines.
- The U.S. government also noted it is coordinating with allies, indicating the possibility of future controls on Kaspersky in other countries.
- Now that BIS has issued its first prohibition associated with the ICTS authority, watch for any future prohibitions associated with Russia or Chinese providers.