Federal Ban of Kaspersky Sales Cites 'Unacceptable' Security Risk
Effective this fall, the United States government has ordered a ban on all sales of Kaspersky Lab software to businesses and private citizens due to concerns about cyber espionage.
The ban will take full effect this fall. In a "Final Determination" announced on Thursday, the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce said, "Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use."
The move is the outcome of what the department called a "lengthy and thorough investigation," in which it found Kaspersky, an antivirus software provider with over 400 million users worldwide, posed an "unacceptable risk" to the United States, mostly owing to its ties to Russia. Though operated by a U.K.-based holding company under the name Kaspersky Lab, Kaspersky's eponymous parent company is headquartered in Moscow, making it subject to the jurisdiction of the Russian government.
That's a problem because U.S. intelligence agencies have long considered Russia a top threat to U.S. cybersecurity interests. In a FAQ accompanying the BIS announcement, the agency described Russia as "one of the greatest counterintelligence and cyberattack threats to the United States" that is "particularly focused on targeting critical infrastructure, including industrial control systems (ICS) in the United States and partner countries."
According to the BIS, Kaspersky has the potential to give Russia access to confidential or classified data on U.S. citizens, critical infrastructure or other matters of national importance. It also contends that Kaspersky software can be manipulated to install malware on, or prevent security patches from being delivered to, critical IT systems, opening vulnerabilities that Russia's state-sponsored attackers could then exploit.
It's not just first-party Kaspersky products in the hot seat; third-party solutions that have Kaspersky tools integrated also pose a threat, according to the BIS. Such products "create circumstances where the source code for the software is unknown," the agency said. "This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data."
Ban Timeline and Other Details
The ban affects Kaspersky's first-party cybersecurity and antivirus software, as well as those same Kaspersky products that have been integrated into third-party solutions. It does not apply to Kaspersky's consulting services, nor to products in the Kaspersky Threat Intelligence or Kaspersky Security Training portfolios.
Per the BIS info page, the ban will unfold over several months to give current Kaspersky customers time to uninstall the affected software and find alternatives.
Starting July 20, Kaspersky will be not be allowed to make new sales of the affected products.
Following that, on Sept. 29, Kaspersky will be made to stop issuing any more updates and security patches for affected products. The Kaspersky Security Network (KSN) will also be shut down for U.S. customers.
The ban extends to Kaspersky sales to U.S. customers located in other countries. Per the FAQ:
The Final Determination imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located; any permanent resident alien, wherever located; or any entity organized under the laws of the United States or any jurisdiction within the United States, including such entity's foreign branches.
Those who continue to sell, resell, integrate or license affected Kaspersky products for U.S. customers after Sept. 29 face "civil and criminal penalties," per the FAQ.
Notably, existing Kaspersky users (individuals, as well as businesses) will not be punished for continuing to use the affected products after Sept. 29, though they face potential security risks by continuing to use unpatched software. Users of third-party products with Kaspersky integrations also won't be forced to replace them, though, again, the lack of new patches will make these products less secure.
"U.S. persons will not face enforcement actions by the Department for the continued use of Kaspersky products obtained prior to the issuance of the Final Determination," the FAQ said.
The ban also does not prohibit customers from communicating with Kaspersky after Sept. 29 to, for instance, negotiate termination clauses. Moreover, Kaspersky will not be required to destroy data from its U.S. customers.
'The First of Many'
In a statement Thursday, Kaspersky warned that the ban's primary impact will only be to help cybercriminals. It also accused the BIS of bending to political headwinds.
"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services," the company said in a blog post, adding that it "intends to pursue all legally available options to preserve its current operations and relationships."
In making its decision to ban Kaspersky, the BIS revealed that it consulted "key foreign allies and partners," some of which have also imposed sanctions on the security company.
The United States itself has dogged Kaspersky for years. Since March 2022, Kaspersky has been included in the Federal Communications Commission (FCC)'s running list of products that pose significant national security risks. Further back, in 2017, the Department of Homeland Security (DHS) issued a ban on nearly all things Kaspersky for the entire U.S. federal government, citing "the risks presented by Kaspersky-branded products."
As with this week's Final Determination, that DHS ban exempted Kaspersky Threat Intelligence and Kaspersky Security Training products. Incidentally, the DHS ban also did not include third-party products integrated with Kaspersky, an omission that the BIS corrected in its Final Determination.
This Final Determination was the first issued by the BIS, though it likely won't be the last. "This action will be the first of many to ensure that the United States remains safe from foreign adversaries who seek to use their position within the ICTS supply chain to harm U.S. national security," the agency said.