WASHINGTON, D.C. The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced a final determination on 6/20/2014 prohibiting Kaspersky Lab, Inc. the U.S. subsidiary of a Russian-based anti-virus software and cybersecurity solutions company, from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. This prohibition also applies to the subsidiaries and parent companies of Kaspersky Lab, Inc.
This action, the first of its kind, was issued by BIS’s Office of Information and Communications Technology and Services (OICTS). The decision follows a comprehensive investigation that found that Kaspersky’s continued activities in the U.S. pose a national security risk that cannot be addressed through mitigating measures.
In addition, three companies – AO Kaspersky Lab and OOO Kaspersky Group (Russia) and Kaspersky Labs Limited (UK) – have been placed on the Entity List because they co-operate with Russian military and intelligence services.
Important information for users
Users and companies using Kaspersky software should switch to other providers as soon as possible to minimise the risk of data exposure.
Existing Kaspersky products and services may continue to be used, but at your own risk.
To minimise disruption, Kaspersky may continue to conduct certain operations in the US, including the provision of updates, until 29 September 2024.
Voices from the government
Gina Raimondo, Secretary of Commerce: ‘The Biden-Harris Administration is determined to protect our national security and outperform our adversaries. Russia’s ability and willingness to use companies like Kaspersky to collect and misuse sensitive information is well known.’
Alejandro N. Mayorkas, Secretary of Homeland Security: ‘Today’s actions are critical to our national security and to protecting the privacy of many Americans.’
Alan Estevez, Under Secretary of Commerce for Industry and Security: ‘With this action, the American cyber ecosystem is safer than it was yesterday.’
Background
Kaspersky provides IT security solutions for consumers, small businesses, large corporations and governments. Today’s decision by the BIS prohibits all transactions that pose a risk to national security, such as the Russian government’s collection of valuable business information and sensitive data from U.S. persons for improper purposes.
Why this measure?
Russian government authority: Kaspersky is subject to Russian jurisdiction and must comply with information requests that may lead to the exploitation of sensitive information.
Access to customer data: Kaspersky has extensive access to customer data and could pass it on to Russia.
Risk of malware: Kaspersky could install malicious software or withhold important updates.
Third-party integration: The integration of Kaspersky software into third-party products increases the risk of it being unknowingly introduced into sensitive networks.
Previous measures
Back in 2017, the U.S. Department of Homeland Security issued a directive to remove Kaspersky products from federal agencies. The 2018 NDAA banned the use of Kaspersky by the federal government. In March 2022, the FCC added Kaspersky products to the list of threatening communications technology.
Working together for implementation
The Department of Commerce is working with DHS and DOJ to notify U.S. customers about the removal of the software and ensure a smooth transition.
More information and resources are available on the BIS website.
Stay safe and educate yourself on the steps you need to take to protect your data.
More information https://oicts.bis.gov/kaspersky/