This week, the U.S. Department of Commerce announced a prohibition on Kaspersky Lab Inc., the American arm of Russian antivirus software developer Kaspersky, and its affiliated companies from selling their products in the United States. Kaspersky Banned by US Government.

The Biden administration’s new initiative to remove Kaspersky Lab’s antivirus software from U.S. tech infrastructure has been nearly a decade in the making.

Why it Matters:

Taking a measured approach to the ban — the most severe action yet against a foreign cybersecurity company — may help the U.S. government avoid the implementation challenges it has encountered in similar cases, according to experts.

The Big Picture:

The U.S. government is still struggling to eliminate Chinese telecommunications company Huawei’s equipment from American networks, nearly five years after initiating those actions. Additionally, lawmakers only recently passed legislation this year to force China-based ByteDance to divest its ownership in TikTok or face a ban, following about four years of regulatory deliberations. This law is currently being contested in court.

Threat Level:

Each of these companies is subject to laws in their home countries that could compel them to share U.S. customer data transmitted through their products.

• China: A law requires companies to assist the government in intelligence work.
• Russia: Recent expansions in Russian law allow for tighter surveillance of online communications and internet traffic, noted Andrew Borene, a former official at the Office of the Director of National Intelligence and current executive director of global security at Flashpoint.

However, the U.S. government has not declassified specific instances of Russia or China forcing these companies to share information about Western customers.

Context:

Kaspersky’s antivirus product has been under scrutiny longer than both Huawei and TikTok, yet it took three administrations to implement a sales ban.

• It took a long time for officials to fully grasp the security risks associated with Kaspersky, Borene said.
• Russia’s more overt hostility towards Western governments has only recently escalated, according to James Lewis, a former diplomat and director of the Center for Strategic and International Studies’ strategic technologies program.
• Kaspersky made significant efforts to improve its image in Washington, including becoming an approved government vendor, joining prominent trade groups, and sponsoring high-profile conferences.

Statements:

“Kaspersky has done good research, they have a good product, but there was a concern that they had a sweet spot for the Russian government,” Lewis told Axios.

Historical Context:

Kaspersky first drew attention in Washington back in 2015 when the National Security Agency received a tip that the company may have collected information about U.S. hacking tools and shared it with the Kremlin. In 2017, Israeli government hackers found evidence that Kaspersky might have obtained the NSA hacking tools via an agency employee using the antivirus software on his home computer.

In response, Kaspersky asserted it “does not have inappropriate ties to any government” and that it has been “caught in the middle of a geopolitical fight.”

Effective July 20, the Bureau of Industry and Security of the Department of Commerce will enforce this ban, which also prevents the company from issuing new security updates to its existing customers starting September 29.

Kaspersky users are really left no choice but to find an alternative antivirus solution. Kaspersky Banned by US Government doesn’t just mean the government can no longer use the software.

Kaspersky Banned by US Government

The decision stems from national security concerns. Following an extensive investigation, the Commerce Department determined that Kaspersky’s operations in the U.S. pose a risk to national security due to the Russian government’s offensive cyber capabilities and its potential influence over Kaspersky’s activities. The Department concluded that mitigation measures would not adequately address these risks.

These accusations ultimately led to the U.S. government banning Kaspersky’s software on its networks, although it stopped short of halting new sales until last week.

The Intrigue:

The Department of Commerce recently acquired new authorities that facilitated the ban on Kaspersky’s antivirus sales, officials disclosed during a briefing.

Between the Lines:

Despite these concerns, U.S. critical infrastructure organizations continued to use Kaspersky’s antivirus and other cybersecurity products.

• A senior Commerce official mentioned that Kaspersky had a “significant number of U.S. customers,” including critical infrastructure organizations and state and local governments.

State of Play:

Experts note that unless Kaspersky completely restructured its organizational setup, changed leadership, or left Russia entirely, it had limited options to counter the impending ban.

• Kaspersky denied any wrongdoing in a statement last week and announced its intention to pursue legal action against the new Commerce restrictions.

What’s Next:

Homeland Security Secretary Alejandro Mayorkas told Axios that his department is equipped to help critical infrastructure organizations comply with Commerce’s implementation deadlines.

• “I don’t think it’s a new muscle that we have to develop,” Mayorkas said. “This one is going to be a little bit more complicated — Kaspersky does have a footprint, and it’s a matter of unwinding that.”

The Commerce Department advises current users of Kaspersky software to transition to alternative vendors to mitigate potential cybersecurity vulnerabilities. While users who continue to utilize Kaspersky products will not face legal repercussions, they are advised to assume full responsibility for any associated cybersecurity risks.

Secretary of Commerce Gina Raimondo emphasized the Department’s commitment to safeguarding U.S. national security and its citizens, stating, “Russia has repeatedly demonstrated its ability and intention to exploit Russian entities such as Kaspersky Lab to gather and weaponize sensitive U.S. information.” She underscored that this action, utilizing the Department’s ICTS authorities for the first time, underscores Commerce’s role in supporting national defense and sends a clear message to adversaries.

Efforts to restrict or prohibit Kaspersky’s operations in the U.S. date back to 2017, when the Trump administration initially barred its software from use by most U.S. government agencies. Subsequently, in the same year, the Department of Homeland Security instructed federal agencies to discontinue the use of Kaspersky software.

Despite legal challenges by Kaspersky, including appeals in court, these measures culminated in a permanent ban on the company’s products for government use in 2019. The comprehensive ban on Kaspersky from operating in the U.S. in 2024 coincides with heightened geopolitical tensions, particularly amidst Russia’s ongoing conflict in Ukraine.

Responding to the ban, a Kaspersky spokesperson expressed disappointment, stating that the Department of Commerce’s decision seemed influenced by current geopolitical dynamics rather than an objective assessment of the company’s products and services. The company intends to explore all available legal avenues to protect its current operations and partnerships.

Kaspersky Banned by US Government