On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a Final Determination prohibiting the sale of certain cybersecurity products, anti-virus software, and related services to U.S. persons by Kaspersky Lab, Inc. (“Kaspersky”), the U.S. subsidiary of Russian cybersecurity provider AO Kaspersky Lab.
This Final Determination represents the first such action by BIS under Executive Order 13873 (“Securing the Information and Communications Technology and Services Supply Chain”) and the ICTS implementing regulations issued on June 19, 2021.
In response to the Final Determination, Kaspersky announced that on July 20, 2024 it would gradually begin closing its U.S. operations because business in the U.S. was no longer viable following the ban.
While Kaspersky’s closing as a practical matter may accelerate the supply chain implications of Commerce’s ban and the need to find alternative suppliers, companies should be prepared to assess their exposure to other Russian ICTS products and services, in addition to those from China.
Background
Issued by President Trump on May 15, 2019, E.O. 13873 declared a national emergency with respect to threats posed by “foreign adversaries” to the ICTS supply chain of the United States. To address that threat, E.O. 13873 authorized the Commerce Department to prohibit or restrict any ICTS transaction that poses an unacceptable risk to the national security, critical infrastructure, or digital economy of the U.S. and which involves persons subject to the jurisdiction, direction, or control of “foreign adversaries”. To date, those “foreign adversaries” identified by Commerce are China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela.
As noted above, Commerce’s Final Determination on Kaspersky is the first action taken under the ITCS authorities, though this was not the first action taken against Kaspersky by the U.S. government more broadly. In 2017, the Department of Homeland Security banned all federal agencies from using Kaspersky software. Then in 2021, the Department of Justice opened an investigation into Kaspersky and other Russian cybersecurity companies and ultimately referred their findings to the Commerce Department, likely culminating in this Final Determination.
Concurrent with its Final Determination, BIS added two Kaspersky entities in Russia and one in the United Kingdom to its Entity List, which imposes a license requirement on exports, reexports, and transfers (in-country) of all items “subject to the EAR” to these entities. The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) also designated 12 senior leaders and executives of AO Kaspersky Lab to its Specially Designated Nationals (“SDN”) List, which prohibits U.S. persons from transacting with or for the benefit of these individuals.
Identified Risks and Prohibited Transactions
The founder, owner, and CEO of Kaspersky’s Russian parent company, AO Kasperksy Lab, is a Russian national residing in Russia. Therefore, BIS concluded Kaspersky is subject to the jurisdiction or direction of the Russian government, which requires companies subject to its jurisdiction to cooperate with Russian intelligence and law enforcement efforts and government requests for assistance or information.
Because of these obligations, BIS determined that Kaspersky’s ITCS products and services posed a number of risks to U.S. national security and the security and safety of U.S. persons. In particular, BIS found that Kaspersky’s software can be exploited to access sensitive data on U.S. persons and to provide this data to Russian government actors. In addition, BIS found that Kaspersky’s software could be utilized to install malicious software on U.S. persons’ devices and networks. Although Kaspersky proposed several mitigation measures in response, BIS did not find these sufficient to address its concerns.
Based on these findings, BIS has prohibited the following transactions:
- As of July 20, 2024, Kaspersky is prohibited from entering into any new agreement with U.S. persons for ITCS transactions involving any cybersecurity product or service or anti-virus software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky, in addition to ICTS transactions involving the integration of software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky into third-party products or services. (See Appendix B for a specific list of covered products and services).
- As of September 29, 2024, Kaspersky is prohibited from (1) providing any anti-virus signature updates and codebase updates associated with the ICTS transactions identified above; and (2) operating the Kaspersky Security Network (KSN) in the U.S. or on any U.S. person’s information technology system.
- As of September 29, 2024, U.S. persons are prohibited from (1) reselling Kaspersky cybersecurity or anti-virus software; (2) integrating Kaspersky cybersecurity or anti-virus software into other products and services; and (3) licensing Kaspersky cybersecurity or anti-virus software for resale or integration into other products or services.
BIS has issued FAQs to assist those companies that may be impacted. These prohibitions do not apply to transactions involving Kaspersky Threat Intelligence products and services, Kaspersky Security Training products and services, or Kaspersky consulting or advisory services that are purely informational or educational in nature.
Implications for Companies
The Final Determination against Kaspersky is a likely indicator that increased enforcement under the ITCS authorities are on the horizon.
Just as Commerce’s Final Determination against Kaspersky followed a steady trickle of U.S. government actions, prior announcements may signal sectors or companies the U.S. government intends to target next. In particular, in February 2024 the Commerce Department issued an Advance Notice of Proposed Rulemaking (“ANPRM”) to investigate security concerns of connected vehicles in the U.S. that use Chinese technology.
Companies should carefully assess the ICTS products and services utilized in its business and supply chain, with an understanding that those items and services from the aforementioned “foreign adversary” countries, and Russia and China in particular, pose a significant risk of exposure to future Determinations and restrictions.
Husch Blackwell’s Export Controls and Economic Sanctions Team continues to closely monitor all international trade and export controls developments. Should you have any questions or concerns, please contact Cortney Morgan, Grant Leach, Emily Mikes, or Eric Dama of our Export Controls and Economic Sanctions Team.
Written with the assistance of Dakota Nichols, a summer associate in the Husch Blackwell LLP Austin, TX office.