US bans Kaspersky Labs over national security concerns

The Biden administration has reached a decision to block all new sales of Kaspersky Labs’ products and services on US soil over allegations of the Moscow-based cybersecurity company’s strong ties to Russia’s nation-state cyber offensives.

According to a statement issued by the Department of Commerce’s Bureau of Industry and Security (BIS), Kaspersky will generally no longer be able to, among other activities, sell its software within the US or provide updates to software already in use.

“Today’s Final Determination (….is) the result of a lengthy and thorough investigation, which found that the company’s continued operations in the United States presented a national security risk — due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations—that could not be addressed through mitigation measures short of a total prohibition,” BIS said in the statement.

The prohibition, which applies to the company’s US subsidiary Kaspersky Labs, Inc., will also be enforced on its affiliates, subsidiaries, and parent companies, the statement added.

Bans on ICTS transactions

BIS reviewed Kaspersky’s cybersecurity and antivirus transactions under Executive Order 13873 and 15 C.F.R. Part 7. The Office of Information Communications Technology and Services (OICTS) within BIS found these transactions risky for the US and consequently banned them.

The risk factors considered in the review included threats posed by the Russian Federation (Russia), vulnerabilities that Kaspersky’s ICTS products create for US national security, and safety, and the consequences of Russia exploiting the vulnerabilities presented.

Concerns outlined in the Final Determination paint a mixed picture for Kaspersky-like commercial security products. “The administration’s move to ban Kaspersky Lab products in the United States underscores the stakes of security products gone bad, wherein the privileges that are supposed to be used to protect networks and systems are instead used to subvert security mechanisms, deploy malware, and steal data,” said Adam Maruyama, field chief technology officer, Garrison Technology.

Prohibited ICTS transactions in the US or with US persons, include transactions involving a cybersecurity product, antivirus software, and integration with a software designed developed, manufactured, or supplied, in whole or in part, by Kaspersky.

In a statement, Kaspersky said the decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the US. “Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted 3rd party, Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.” Furthermore, Kaspersky said it intends to pursue all legally available options to preserve its current operations and relationships.

Kaspersky’s global entities blacklisted

With the ban, the BIS has also added three foreign entities — AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (UK) — to the “Entity List” due to their collaboration with Russian military and intelligence agencies in furthering the Russian Government’s cyber intelligence goals.

The Entity List is a US government compilation of foreign individuals, companies, and organizations deemed a national security concern, subjecting them to export restrictions and licensing requirements for certain technologies and goods.

“Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage,” the administration added in the statement. “Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination.”

However, any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so, the statement added.

Long US-Kaspersky tussle

The ban doesn’t come as much of a surprise as both the US and Moscow-backed Kaspersky have been at loggerheads for years, each blaming the other for carrying out targeted spying operations.

In June 2023, the Russian Federal Security Agency FSB issued a number of alerts, warning citizens against a US intelligence campaign “Operation Triangulation” that allegedly used compromised iPhones in Russia for espionage.

The allegation was supported by Kaspersky research, which discovered that several dozen of its senior employees and upper management were being targeted as part of the operation. Kaspersky, however, had not attributed the attack to any specific state.

“Kaspersky has a history of problems with US, Canadian, and other allied governments — banning its use for US security probably is a wise choice in many cases, particularly in the categories of civilian critical infrastructure at state/local/municipal level whether that infrastructure is inherently governmental or privately owned and operated,” said Andrew Borene, executive director for Flashpoint.

While a response from Kaspersky or Moscow is awaited, the ban will surely put a huge dent in Kaspersky’s global operations. The cybersecurity company operates offices in 31 countries globally, catering to over 400 million users and 270,000 corporate clients across more than 200 countries.