US bans Kaspersky antivirus software due to national security risks

The US Department of Commerce has announced an upcoming US-wide ban of cybersecurity and antivirus software by Kaspersky, as its “ability to gather valuable US business information, including intellectual property, and to gather US persons’ sensitive data for malicious use by the Russian Government pose an undue or unacceptable national security risk.”

Details on the US Kaspersky ban

Starting on July 20, 2024, Kaspersky is prohibited from entering into any new agreement with US persons involving its cybersecurity and antivirus products and services.

Starting on September 29, 2024, Kaspersky and/or entities appointed by it must stop providing antivirus signatures and codebase updates, and must stop operating the Kaspersky Security Network (KSN) in the US or on US persons’ IT systems. They are also prohibited from reselling, licensing and integrating software designed, developed, manufactured, or supplied by Kaspersky into third-party products or services.

“This Final Determination does not apply to transactions involving Kaspersky Threat Intelligence products and services, Kaspersky Security Training products and services, or Kaspersky consulting or advisory services (including SOC Consulting, Security Consulting, Ask the Analyst, and Incident Response) that are purely informational or educational in nature,” the US DoC’s Bureau of Industry and Security (BIS) noted.

“In addition to this action, [we have] added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.”

Individuals and businesses that use Kaspersky software are encouraged to transition to other vendors.

More information can be found here, and frequently asked questions have been answered here.

The ban was not unexpected

In 2017, the US Department of Homeland Security ordered federal agencies to remove Kaspersky-branded products from federal information systems. In 2022, the US Federal Communications Commission placed Kaspersky’s products and services on a list of equipment and services that pose a threat to national security.

Several European countries and the EU Parliament have previously moved to discourage or prevent the use of Kaspersky’s software on government systems and networks.

“Kaspersky is subject to the jurisdiction of the Russian Government and must comply with requests for information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s anti-virus software,” the BIS said, explaining the reasoning behind the prohibition.

They also said that the software has access to and administrative privileges over customer information that could potentially be transferred to Russia, and that the company has the ability to (mis)use its products to install malicious software on US customers’ computers or deny updates, “leaving US persons and critical infrastructure vulnerable to malware and exploitation.”

In a statement released by Kaspersky, the company said that it believes that the DoC made its decision “based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services,” and that it “intends to pursue all legally available options to preserve its current operations and relationships.”

Andrew Borene, Executive Director for Flashpoint, said that this decision “is a logical reflection of the tectonic shifts that are dividing economies along the lines of power competition between allies and the Russia/China/Iran/North Korea digital domain,” and that these divides extend into private sector actors as well.

“Kaspersky has a history of problems with US, Canadian and other allied governments — banning its use for US security probably is a wise choice in many cases, particularly in the categories of civilian critical infrastructure at state/local/municipal level whether that infrastructure is inherently governmental or privately owned and operated,” he added.

UPDATE (June 22, 2024, 11:10 a.m. ET):

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced economic sanctions against 12 executives and senior leaders at AO Kaspersky Lab.
