The Biden administration is poised to announce a significant policy shift on Thursday, aiming to prohibit the sale of Kaspersky Lab’s antivirus software within the United States. The decision is driven by concerns regarding the firm’s substantial customer base, which includes critical infrastructure providers and various state and local governments, according to an individual familiar with the matter.
The close relationship between Kaspersky Lab and the Russian government has been identified as a substantial security risk. The individual highlighted that the software’s deep access to computer systems creates vulnerabilities that could potentially allow for the exfiltration of sensitive information, the installation of malicious software, or the withholding of essential updates. Given these risks, this move seeks to fortify American cybersecurity infrastructure against potential threats.
To enact this prohibition, the administration will leverage sweeping powers granted during the Trump administration, which will be complemented by another strategic initiative. Specifically, Kaspersky will be added to the trade restriction list, further tarnishing its global reputation and significantly impacting its international sales. These measures come in response to escalating cyber threats and geopolitical tensions, particularly following Russia’s ongoing conflicts, including the heightened war efforts in Ukraine.
The impending prohibition has not been officially reported prior to this announcement. It will place Kaspersky on the entity list, effectively preventing U.S. suppliers from engaging in business transactions with the firm. Neither the Commerce Department, Kaspersky Lab, nor the Russian Embassy has issued comments regarding the impending restrictions. Kaspersky has previously maintained that it operates as a private company with no affiliations to the Russian government.
This robust stance by the Biden administration demonstrates a concerted effort to mitigate any risk of Russian cyberattacks via software manufactured by Kaspersky Lab. The administration is also seen capitalizing on these untested authorities, designed to restrict transactions between U.S. firms and telecom, internet, and tech companies from nations deemed “foreign adversaries,” like Russia and China. Historical context shows these tools have previously been utilized by former President Trump to attempt restrictions on Chinese platforms TikTok and WeChat, although these moves faced judicial hurdles.
The anticipated regulations will become effective on September 29, allowing a 100-day period for businesses to transition to alternative software solutions. Additionally, new U.S. business engagements with Kaspersky will be blocked starting 30 days post-announcement. Sales of white-labeled products incorporating Kaspersky software will also be prohibited, ensuring comprehensive enforcement of the restriction.
The potential impact on Kaspersky’s operations, particularly regarding its supply chain, hinges on whether its foreign units or only its Russian entity are added to the entity list. Current U.S. export restrictions on Russia already severely limit the influx of American goods other than those for food or medical purposes, exacerbating the ramifications for Kaspersky.
Historically, Kaspersky has faced scrutiny, such as when the Department of Homeland Security banned its primary antivirus product from federal networks in 2017. This decision was grounded in concerns over the company’s alleged connections to Russian intelligence and the potential compelled cooperation under Russian law.
As tensions heightened following Russia’s invasion of Ukraine, the U.S. government escalated its warnings regarding potential manipulations of Kaspersky’s software, reflecting an ongoing security probe that culminated in this legislative action. The delay in the announcement stemmed partly from extensive negotiations with Kaspersky, which proposed alternative risk mitigation strategies. However, the administration ultimately determined that no feasible measures could fully mitigate the perceived threats linked to the Russian government.
The new rules will impose penalties on sellers and resellers who violate these restrictions, including potential fines and criminal charges for willful violations. While end-users of the software will face no legal penalties, they are strongly encouraged to discontinue usage.
Kaspersky’s UK holding company and Massachusetts operations reported $752 million in revenue for 2022, serving over 220,000 corporate clients across roughly 200 countries. Its clientele includes high-profile organizations such as Piaggio, Volkswagen’s retail division in Spain, and the Qatar Olympic Committee, according to its corporate profile.