Commerce Secretary Gina Raimondo stated that Moscow’s control over the company posed a significant risk.
The Biden administration made a significant announcement on Thursday, outlining its intent to prohibit the sale of antivirus software produced by Russia’s Kaspersky Lab within the United States. This decision stems from concerns regarding the extensive use of Kaspersky software by critical infrastructure providers, state governments, and local municipalities across the country.
Commerce Secretary Gina Raimondo underscored the administration’s rationale during a briefing call with journalists, highlighting Moscow’s influence over Kaspersky as a substantial risk factor. According to sources familiar with the matter, the software’s deep access to computer systems could potentially facilitate the theft of sensitive data from American computers, enable the installation of malware, or withhold critical security updates, thereby exacerbating the cybersecurity threat.
During the call, Raimondo emphasized that recent events have demonstrated Russia’s capability and intent to exploit entities like Kaspersky for the purpose of collecting and weaponizing personal information belonging to Americans. This realization has driven the administration to take decisive action against the software provider.
Both Kaspersky Lab and the Russian Embassy refrained from commenting on the announcement. Previously, Kaspersky has maintained its status as a privately managed entity with no official ties to the Russian government.
The sweeping measures announced by the Biden administration leverage expansive powers established during the Trump era. These actions include placing three specific units of Kaspersky Lab on a trade restriction list, a move expected to tarnish the company’s global reputation and potentially impact its international sales.
The decision to add Kaspersky to the entity list, effectively barring U.S. suppliers from engaging in transactions with the company, aligns with broader efforts by the administration to mitigate risks associated with Russian cyber threats. This initiative comes amidst heightened tensions over Russia’s military operations in Ukraine and limitations faced by the U.S. in imposing further sanctions against Moscow.
Moreover, the administration’s use of newly authorized authorities underscores its commitment to preventing transactions between U.S. firms and technology companies from adversarial nations such as Russia and China. Democratic Senator Mark Warner, chair of the Senate Intelligence Committee, expressed strong support for these measures, emphasizing the illogicality of continuing to permit Russian software with extensive access to U.S. devices and networks.
Effective September 29, the new restrictions on Kaspersky software sales will prohibit not only direct sales but also downloads of software updates, resales, and licensing of the product. A 30-day grace period following the announcement will allow businesses time to transition to alternative solutions, after which new U.S. business with Kaspersky will be halted.
Furthermore, the Commerce Department plans to enforce restrictions on white-labeled products incorporating Kaspersky software under different brand names. Companies involved will receive notifications before enforcement actions are taken against them.
In addition to these measures, the Commerce Department will entity list two Russian-based units and one UK-based unit of Kaspersky, citing alleged cooperation with Russian military intelligence to advance Moscow’s cyber intelligence objectives. This action is expected to extend the existing export restrictions already in place against Kaspersky’s Russian operations due to the Ukraine conflict.
Kaspersky Lab has been under regulatory scrutiny for several years. In 2017, the U.S. Department of Homeland Security prohibited its flagship antivirus product from federal networks, citing concerns over ties to Russian intelligence and noting Russian laws that could compel the company to assist in intelligence activities or intercept communications.
Reports in the media have also raised questions about Kaspersky Lab’s involvement in acquiring hacking tools from a National Security Agency employee, which allegedly made its way to the Russian government. Kaspersky denied any wrongdoing, stating that it inadvertently came across the code and did not share it with third parties.
The pressure on Kaspersky’s U.S. operations intensified following Russia’s military actions in Ukraine. According to reports, the U.S. government privately cautioned American companies immediately after the invasion about potential risks associated with Kaspersky software, warning that Moscow could exploit it to cause harm.
These developments prompted the Commerce Department to initiate an intensified national security investigation into Kaspersky’s software, culminating in the measures announced on Thursday.
Under the new regulations, sellers and resellers found violating the restrictions will face fines administered by the Commerce Department. Willful violations could lead to criminal cases pursued by the Justice Department. While users of Kaspersky software will not face legal penalties, they are strongly encouraged to discontinue its use.
Kaspersky, which operates under a British holding company and has a presence in Massachusetts, reported generating revenue of $752 million in 2022 from over 220,000 corporate clients across approximately 200 countries. Its clientele includes prominent entities such as Italian vehicle maker Piaggio, Volkswagen’s Spanish retail division, and the Qatar Olympic Committee, as listed on its website.