On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final decision prohibiting Kaspersky Lab Ltd. (“Kaspersky”), the U.S. subsidiary of Russian cybersecurity provider AO Kaspersky Lab, from selling certain cybersecurity products, antivirus software, and related services to U.S. individuals.
This final determination is the first such action taken by BIS pursuant to Executive Order No. 13873 (“Securing the Information and Communications Technology and Services Supply Chain”) issued on June 19, 2021, and the ICTS implementing regulations.
In response to the final ruling, Kaspersky announced that it would gradually shut down its US operations on July 20, 2024, as it would no longer be viable to conduct business in the United States after the ban was implemented.
While Kaspersky’s closure may, as a practical matter, accelerate the impact of the Commerce Department’s ban on the supply chain and the need to find alternative suppliers, companies should be prepared to assess their exposure to other Russian ICTS products and services in addition to Chinese products and services.
Background
On May 15, 2019, President Trump issued Executive Order 13873, declaring a national emergency in response to threats posed by “foreign adversaries” to the U.S. information and communications technology supply chain. To address this threat, Executive Order 13873 authorizes the U.S. Department of Commerce to prohibit or restrict any information and communications technology transactions that pose an unacceptable risk to U.S. national security, critical infrastructure, or the digital economy and involve persons subject to the jurisdiction, command, or control of a “foreign adversary.” To date, the “foreign adversaries” identified by the U.S. Department of Commerce include China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro regime in Venezuela.
As mentioned above, the Commerce Department’s final determination against Kaspersky is the first action taken by ICTS authorities, but it is not the first time the U.S. government has taken broader action against Kaspersky. In 2017, the Department of Homeland Security banned all federal agencies from using Kaspersky software. Then in 2021, the Department of Justice launched an investigation into Kaspersky and other Russian cybersecurity companies, and ultimately submitted its findings to the Commerce Department, which may eventually make a final determination.
At the same time as the final determination was made, the U.S. Department of Commerce’s Bureau of Industry and Security added two Kaspersky entities in Russia and one in the United Kingdom to the Entity List, requiring a license to export, re-export, and (in-country) transfer all items “subject to the EAR” to these entities. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) also added 12 senior leaders and executives of AO Kaspersky Lab to the Specially Designated Nationals (SDN) List, prohibiting U.S. citizens from transacting with or for the benefit of these people.
The founder, owner, and CEO of Kaspersky’s Russian parent company, AO Kaspersky Lab, is a Russian national residing in Russia. As a result, BIS concluded that Kaspersky is subject to the jurisdiction or direction of the Russian government, which requires companies subject to its jurisdiction to cooperate with Russian intelligence and law enforcement efforts and government requests for assistance or information.
As a result of these obligations, BIS determined that Kaspersky’s ICTS products and services pose numerous risks to U.S. national security and the safety of U.S. citizens. Specifically, BIS found that Kaspersky’s software could be exploited to access sensitive data of U.S. citizens and provide that data to Russian government personnel. Additionally, BIS found that Kaspersky’s software could be used to install malware on U.S. citizens’ devices and networks. Although Kaspersky proposed several mitigation measures, BIS determined that these measures were insufficient to address its concerns.
Based on these findings, BIS prohibited the following transactions:
- Effective July 20, 2024, Kaspersky is prohibited from entering into any new agreements with U.S. persons for ICTS transactions involving any cybersecurity product or service or antivirus software designed, developed, manufactured, or supplied in whole or in part by Kaspersky, as well as for ICTS transactions involving the integration of software designed, developed, manufactured, or supplied in whole or in part by Kaspersky into third-party products or services. (See Appendix B for a specific list of covered products and services.)
- Effective September 29, 2024, Kaspersky is prohibited from (1) providing any anti-virus signature updates and code base updates related to the above-mentioned ICTS transactions; and (2) operating Kaspersky Security Network (KSN) on the information technology systems of the United States or any U.S. person.
- Effective September 29, 2024, U.S. persons are prohibited from (1) reselling Kaspersky cybersecurity or anti-virus software; (2) integrating Kaspersky cybersecurity or anti-virus software into other products and services; and (3) authorizing Kaspersky cybersecurity or anti-virus software for resale or integration into other products or services.
BIS has published FAQs to help companies that may be affected. These prohibitions do not apply to transactions involving Kaspersky threat intelligence products and services, Kaspersky security training products and services, or Kaspersky consulting or advisory services, which are for informational or educational purposes only.
The final ruling against Kaspersky is likely to herald an increase in enforcement efforts by ICTS authorities.
Just as the Commerce Department’s final ruling against Kaspersky came after a steady series of actions by the U.S. government, previous announcements may foreshadow which industries or companies the U.S. government intends to target next. In particular, in February 2024, the Commerce Department issued an advance notice of proposed rulemaking (“ANPRM”) to investigate the security of U.S. connected cars using Chinese technology.
Companies should carefully evaluate the ICTS products and services used in their operations and supply chains, and be aware that products and services from the “foreign adversary” countries listed above, particularly Russia and China, carry a significant risk of becoming subject to future rulings and restrictions.
Husch Blackwell’s Export Controls and Economic Sanctions team continues to closely monitor all international trade and export control developments. If you have any questions or concerns, please contact Cortney Morgan, Grant Leach, Emily Mikes or Eric Dama of our Export Controls and Economic Sanctions team.
This article was written with assistance from Dakota Nichols, a summer intern at Husch Blackwell LLP in Austin, Texas.