Biden admin to ban sales of Kaspersky software over ties to Russia: report
The Biden administration on Thursday announced plans to bar the sale of antivirus software made by Russia’s Kaspersky Lab in the United States, citing the firm’s large US customers, including critical infrastructure providers and state and local governments.
Moscow’s influence over the company was found to pose a significant risk, Commerce Secretary Gina Raimondo said on a briefing call with reporters on Thursday. The software’s privileged access to a computer’s systems could allow it to steal sensitive information from American computers or install malware and withhold critical updates, enhancing the threat, a source added.
“Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today,” Raimondo said on the call.
Kaspersky Lab and the Russian Embassy did not respond to requests for comment. Previously, Kaspersky has said that it is a privately managed company with no ties to the Russian government.
The sweeping new rule, using broad powers created by the Trump administration, will be coupled with another move to add three units of the company to a trade restriction list, Raimondo said, dealing a blow to the firm’s reputation that could hammer its overseas sales.
The plan to add the cybersecurity company to the entity list, which effectively bars a company’s US suppliers from selling to it, and the timing and details of the software sales prohibition were first reported by Reuters.
The moves show the administration is trying to stamp out any risks of Russian cyberattacks stemming from Kaspersky software and keep squeezing Moscow as its war effort in Ukraine has regained momentum and as the United States has run low on fresh sanctions it can impose on Russia.
It also shows the Biden administration is harnessing a powerful new authority that allows it to ban or restrict transactions between US firms and internet, telecom and tech companies from “foreign adversary” nations like Russia and China.
The tools are largely untested.
Former President Donald Trump used them to try to bar Americans from using Chinese social media platforms TikTok and WeChat, but federal courts halted the moves.
The new restrictions on inbound sales of Kaspersky software, which will also bar downloads of software updates, resales and licensing of the product, kick in on Sept. 29, 100 days after publication, to give businesses time to find alternatives. New US business for Kaspersky will be blocked 30 days after the restrictions are announced.
Sales of white-labeled products — that integrate Kaspersky into software sold under a different brand name — will also be barred, the source said, noting that the Commerce Department will notify the companies before enforcing.
It is less clear what impact the entity listing will have on Kaspersky, whose Russian business is already subject to sweeping US export restrictions over Ukraine which make it almost impossible for any US-made items other than food or medical equipment to reach Russia.
If the Commerce Department adds foreign units of Kaspersky to the entity list that purchase significant inputs from the United States, the move could crimp its supply chain. If it only adds the Russian entity, the impact will be largely reputational.
Kaspersky has long been in regulators’ crosshairs. In 2017, the Department of Homeland Security banned its flagship antivirus product from federal networks, alleging ties to Russian intelligence and noting Russian law lets intelligence agencies compel assistance from Kaspersky and intercept communications using Russian networks.
Pressure on the company’s US business grew after Moscow’s move against Kyiv; The US government privately warned some American companies the day after Russia invaded Ukraine in February 2022 that Moscow could manipulate software designed by Kaspersky to cause harm, Reuters reported.
The war also prompted the Commerce Department to ramp up the national security probe into the software, first reported by Reuters, that resulted in Thursday’s action.
The delayed unveiling of the prohibition is due in part to a “significant back and forth” with Kaspersky, which proposed mitigating measures instead of an outright ban, the source said.
However, the agency concluded that the threats, especially the ties to the Russian government, meant “there really were no mitigating measures that could be implemented to address those risks.”
Under the new rules, sellers and resellers who violate the restrictions will face fines from the Commerce Department. If someone willfully violates the prohibition, the Justice Department can bring a criminal case. Software users will not face legal penalties but will be strongly encouraged to stop using it.
Kaspersky, which has a UK holding company and operations in Massachusetts, said in a corporate profile that it generated revenue of $752 million in 2022 from more than 220,000 corporate clients in some 200 countries. Its website lists Italian vehicle maker Piaggio, Volkswagen’s retail division in Spain and the Qatar Olympic Committee among its customers.