The Department of Commerce's ("Commerce") Bureau of Industry and Security ("BIS") has prohibited a broad range of transactions involving Kaspersky Security Network ("Kaspersky") anti-virus and cybersecurity software, citing vulnerabilities they create for U.S. national security.
This marks the first use of the Information and Communication Technology and Services authorities (Executive Order 13873 and its associated regulations) ("ICTS authorities") to restrict a specific party's products or services. It highlights a risk that companies should consider in assessing global operations.
BIS implemented the prohibition on Kaspersky products and services via a June 24, 2024, final determination. BIS concluded that the risk to U.S. national security from Kaspersky products and services could not be mitigated by measures short of prohibiting transactions in the United States or with U.S. persons. BIS clarified that this prohibition also applies to any updates to existing products or services.
The final determination explains that the risks identified are in large part due to Kaspersky being subject to the jurisdiction, control, or direction of the Russian Federation. BIS noted that this provided Kaspersky and the Russian Federation the ability to "install malicious software on U.S. customers' computers or to selectively deny updates, leaving users and critical infrastructure vulnerable to malware and exploitation."
The ICTS prohibition is effective July 20, 2024, and U.S. persons have until September 29, 2024, to wind down existing agreements with Kaspersky. Commerce noted that it was working with other agencies to develop guidance regarding how to remove the affected products.
The U.S. government also added three Kaspersky affiliates to the Entity List and 12 Kaspersky executive officers to the Treasury Department's Specially Designated Nationals sanctions list. These maneuvers follow a 2017 Trump Administration action that banned Kaspersky from federal government information systems.
While Commerce has broken new ground by using the ICTS authorities to effectively bar use of a company's products and services, this is unlikely to be the last use of these authorities. Even companies with no connection to Kaspersky or its products should consider this new regulatory risk to supply arrangements that involve Chinese, Russian, or other "foreign adversary" companies or products.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.