Federal Ban of Kaspersky Sales Cites 'Unacceptable' Security Risk

Effective this fall, the United States government has ordered a ban on all sales of Kaspersky Lab software to businesses and private citizens due to concerns about cyber espionage.

The ban will take full effect this fall. In a "Final Determination" announced on Thursday, the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce said, "Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use."

The move is the outcome of what the department called a "lengthy and thorough investigation," in which it found Kaspersky, an antivirus software provider with over 400 million users worldwide, posed an "unacceptable risk" to the United States, mostly owing to its ties to Russia. Though operated by a U.K.-based holding company under the name Kaspersky Lab, Kaspersky's eponymous parent company is headquartered in Moscow, making it subject to the jurisdiction of the Russian government.

That's a problem because U.S. intelligence agencies have long considered Russia a top threat to U.S. cybersecurity interests. In a FAQ accompanying the BIS announcement, the agency described Russia as "one of the greatest counterintelligence and cyberattack threats to the United States" that is "particularly focused on targeting critical infrastructure, including industrial control systems (ICS) in the United States and partner countries."

According to the BIS, Kaspersky has the potential to give Russia access to confidential or classified data on U.S. citizens, critical infrastructure or other matters of national importance. It also contends that Kaspersky software can be manipulated to install malware on, or prevent security patches from being delivered to, critical IT systems, opening vulnerabilities that Russia's state-sponsored attackers could then exploit.

It's not just first-party Kaspersky products in the hot seat; third-party solutions that have Kaspersky tools integrated also pose a threat, according to the BIS. Such products "create circumstances where the source code for the software is unknown," the agency said. "This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data."

Ban Timeline and Other Details

The ban affects Kaspersky's first-party cybersecurity and antivirus software, as well as those same Kaspersky products that have been integrated into third-party solutions. It does not apply to Kaspersky's consulting services, nor to products in the Kaspersky Threat Intelligence or Kaspersky Security Training portfolios.

Per the BIS info page, the ban will unfold over several months to give current Kaspersky customers time to uninstall the affected software and find alternatives.

Starting July 20, Kaspersky will be not be allowed to make new sales of the affected products.

Following that, on Sept. 29, Kaspersky will be made to stop issuing any more updates and security patches for affected products. The Kaspersky Security Network (KSN) will also be shut down for U.S. customers.

The ban extends to Kaspersky sales to U.S. customers located in other countries. Per the FAQ:

The Final Determination imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located; any permanent resident alien, wherever located; or any entity organized under the laws of the United States or any jurisdiction within the United States, including such entity's foreign branches.

Those who continue to sell, resell, integrate or license affected Kaspersky products for U.S. customers after Sept. 29 face "civil and criminal penalties," per the FAQ.

Notably, existing Kaspersky users (individuals, as well as businesses) will not be punished for continuing to use the affected products after Sept. 29, though they face potential security risks by continuing to use unpatched software. Users of third-party products with Kaspersky integrations also won't be forced to replace them, though, again, the lack of new patches will make these products less secure.

"U.S. persons will not face enforcement actions by the Department for the continued use of Kaspersky products obtained prior to the issuance of the Final Determination," the FAQ said.

The ban also does not prohibit customers from communicating with Kaspersky after Sept. 29 to, for instance, negotiate termination clauses. Moreover, Kaspersky will not be required to destroy data from its U.S. customers.

'The First of Many'

In a statement Thursday, Kaspersky warned that the ban's primary impact will only be to help cybercriminals. It also accused the BIS of bending to political headwinds.

"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services," the company said in a blog post, adding that it "intends to pursue all legally available options to preserve its current operations and relationships."

In making its decision to ban Kaspersky, the BIS revealed that it consulted "key foreign allies and partners," some of which have also imposed sanctions on the security company.

The United States itself has dogged Kaspersky for years. Since March 2022, Kaspersky has been included in the Federal Communications Commission (FCC)'s running list of products that pose significant national security risks. Further back, in 2017, the Department of Homeland Security (DHS) issued a ban on nearly all things Kaspersky for the entire U.S. federal government, citing "the risks presented by Kaspersky-branded products."

As with this week's Final Determination, that DHS ban exempted Kaspersky Threat Intelligence and Kaspersky Security Training products. Incidentally, the DHS ban also did not include third-party products integrated with Kaspersky, an omission that the BIS corrected in its Final Determination.

This Final Determination was the first issued by the BIS, though it likely won't be the last. "This action will be the first of many to ensure that the United States remains safe from foreign adversaries who seek to use their position within the ICTS supply chain to harm U.S. national security," the agency said.

Featured

  • black graduation cap with a glowing blue AI brain circuit symbol on top

    Report: AI Is a Must for Modern Learners

    A new report from VitalSource identifies a growing demand among learners for AI tools, declaring that "AI isn't just a nice-to-have; it's a must."

  • young man in a denim jacket scans his phone at a card reader outside a modern glass building

    Colleges Roll Out Mobile Credential Technology

    Allegion US has announced a partnership with Florida Institute of Technology (FIT) and Denison College, in conjunction with Transact + CBORD, to install mobile credential technologies campuswide. Implementing Mobile Student ID into Apple Wallet and Google Wallet will allow students access to campus facilities, amenities, and residence halls using just their phones.

  • cybersecurity analyst in a modern operations center monitors multiple digital screens showing padlock icons, graphs, and a global map with security markers

    Louisiana State University Doubles Down on Larger Student-Run SOC

    In an effort to provide students with increased access to real-world cybersecurity experience, Louisiana State University has expanded its relationship with cybersecurity solutions provider TekStream to launch TigerSOC, a new student-run security operations center.

  • laptop with AI symbol on screen

    Google Launches Lightweight Gemma 3n, Expanding Edge AI Efforts

    Google DeepMind has officially launched Gemma 3n, the latest version of its lightweight generative AI model designed specifically for mobile and edge devices — a move that reinforces the company's emphasis on on-device computing.