The Biden Administration issued a first of its kind ban on all sales of Kaspersky antivirus software in the US. The authority for the ban comes from the Commerce Department's online-security rules, known as Information and Communications Technology and Services (ICTS) regulations. The rules are meant to protect users from cyberthreats from products and services based in potentially hostile countries.
Authority also stems from Executive Order 13873 (issued in 2019 by then-President Trump) and its implementing regulation at 15 C.F.R. Part 7. This order allows the Department of Commerce to investigate whether software poses "an undue or unacceptable risk of sabotage to or subversion of ICTS in the United States" or "an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the United States." If such a finding is made, the Department is authorized to take measures, including banning the software.
The ban is the first of its kind and the first Final Determination issued by BIS's Office of Information and Communications Technology and Services (OICTS). While a total ban on a software application may be a new tactic, it is just the latest addition to a complex web of laws and regulations addressing US cybersecurity.
In addition to banning the sale of Kaspersky's antivirus software, the Department also added Kaspersky to its Entity List, "for their cooperation with Russian military and intelligence authorities in support of the Russian government's cyber intelligence objectives." This subjects Kaspersky to additional export restrictions and licensing requirements.
Cybersecurity threats are on the rise, and organizations that use and maintain computer systems (read: all of them) must make cybersecurity a priority by implementing technologies and policies to protect their data. As this recent development highlights, these same organizations must also keep up with the ever changing and increasing legal obligations governing privacy and data security.
"When you think about national security, you may think about guns and tanks and missiles," said Raimondo during a press briefing, as reported by Wired. "But the truth is, increasingly, it's about technology, and it's about dual-use technology, and it's about data."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.