Commerce Department Issues Unprecedented National Security-driven Determination Prohibiting Russia-Based Kaspersky from Supplying Anti-Virus Software and Cybersecurity Products and Services to U.S. Customers

In a first of its kind action, the Commerce Department has prohibited Russia-based Kaspersky from supplying anti-virus software and cybersecurity products and services in the United States or to any U.S. persons worldwide due to national security concerns. Under authority first promulgated in 2019, the Commerce Department’s Bureau of Industry and Security (“BIS”) announced a Final Determination that Kaspersky anti-virus and cybersecurity products posed unacceptable risks to U.S. national security and the security and safety of U.S. persons due to “the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.” In tandem with the Final Determination, the Commerce Department also added Kaspersky entities in Russia and the United Kingdom to the Entity List and the Treasury Department sanctioned 12 Russian senior executives at Kaspersky (but not Eugene Kaspersky, the company’s founder, majority owners, and chief executive officer).

Kaspersky has since announced that it would comply with the Final Determination, and cease sales and updates as required. Kaspersky also said it would begin to gradually wind down its U.S. operations.

BIS’s action against Kaspersky is notable as the first use of the U.S. Government’s power to prohibit entities associated with U.S. foreign adversaries from engaging information and communications technology or services (“ICTS”) transactions with U.S. persons. It will not be the last. We expect the U.S. Government to now use this new tool in the national security toolbox with increased frequency to address perceived national security risks, in particular from Russian and Chinese ICTS companies with significant U.S. customers.

Background

In 2019, President Trump issued Executive Order 13873 (Securing the Information and Communications Technology Services Supply Chain) authorizing the Commerce Department to investigate and prohibit transactions on a case-by-case basis that: (1) involve ICTS designed, developed, or manufactured by persons owned, controlled, or subject to the jurisdiction of a foreign adversary, and that (2)(a) pose an undue or unacceptable risk of sabotage to or subversion of ICTS in the United States; (2) pose an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the United States; or (3) otherwise pose an unacceptable risk to the national security of the United States or the security and safety of U.S. persons. Under the applicable ICTS rules, “foreign adversaries” are defined as: China, Cuba, Iran, North Korea, Russia, and Venezuela.

Kaspersky is a Russian IT company focused on security solutions with millions of customers around the world. Kaspersky’s offerings including anti-virus software and other cybersecurity tools to defend against malware and other cyber threats. 

Kaspersky has been a concern to the U.S. Government for some time because of its Russia connections. BIS’s ICTS action follows prior U.S. Government actions to prevent the use of Kaspersky products, including the Department of Homeland Security’s 2017 directive requiring federal agencies to remove Kaspersky-branded products from federal information systems, a 2018 law prohibiting U.S. Government-wide use of Kaspersky products, and the Federal Communications Commission’s 2022 addition of Kaspersky to its “List of Communications Equipment and Services that Pose a Threat to National Security.” 

Kaspersky Final Determination

Under EO 13873’s authority (implemented through 15 C.F.R. Part 791), BIS began an investigation of Kaspersky in 2021, in which Kaspersky cooperated with the U.S. Government. Ultimately, BIS concluded that: (1) Kaspersky is subject to the jurisdiction, direction, or control of the Russian government, an adversary of the United States; (2) Kaspersky’s anti-virus and cybersecurity software can be exploited to identify sensitive U.S. person data that could be made available to Russian government actors; and (3) such software, developed and supplied from Russia, allows for the capability and opportunity to install malicious software and strategically withhold critical malware signature updates.

Based on these conclusions, BIS’s Final Determination prohibited ICTS transactions in the United States or with any U.S. persons worldwide (individuals and foreign branches of U.S.-organized entities) involving Kaspersky cybersecurity products or services, and anti-virus software designed, developed, manufactured, or supplied by Kaspersky Lab Inc. and its affiliates, subsidiaries, and parents, including 81 solutions set forth in the Final Determination. (Kaspersky Threat Intelligence and Kaspersky Security Training products and services, and Kaspersky consulting or advisory services that are purely informational or educational in nature are not prohibited.) BIS’s determination was the first use of EO 13873 authority to prohibit an ICTS transaction.

As a result of the Final Determination, Kaspersky is currently prohibited from entering new agreements with U.S. persons related to the prohibited anti-virus and cybersecurity products and solutions. Further, as of September 29, 2024, Kaspersky will be prohibited from providing updates to its software products. The resale of Kaspersky cybersecurity or anti-virus software, integration of Kaspersky cybersecurity or anti-virus software into other products and services, and licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services, will also be prohibited in the United States or by U.S. persons.

Implications

For companies and individuals that use Kaspersky anti-virus and cybersecurity products, in addition to considerations relating to the national security risks identified by BIS, the immediate need is to transition from Kaspersky products to other cybersecurity solutions. While U.S. persons will not be subject to enforcement or liability if they continue to use Kaspersky products obtained prior to the issuance of the Final Determination. Such products will not be updated as of September 29, 2024, and continued use could create cybersecurity vulnerabilities.

Companies and individuals that use ICTS products from Russian and Chinese vendors should also consider the benefits and risks of continued use of such products—both from a national security, in particular, cybersecurity, risk perspective, as well as commercial risk. Now that BIS has opened the door to using its ICTS authority, we expect other companies to be investigated and their ICTS products banned from the U.S. market, which could cause disruptions to users who need to transition to alternate vendors. Any such action would be part of the U.S. Government’s broader effort to protect the ICTS supply chain and address the national security risks of foreign access to U.S. data. See our prior alerts: Biden Administration Takes New Steps to Address National Security Risks of Foreign Access to U.S. Data and U.S. Government Imposes National Security-Driven Procurement Restrictions on Federal Government Contractors that Will Impact Their Supply Chain.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. David J. Ribner, an O’Melveny partner licensed to practice law in the District of Columbia and New York; Greta L. Nightingale, an O’Melveny partner licensed to practice law in the District of Columbia; and Shruti Kannan, an O’Melveny associate licensed to practice law in the District of Columbia and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.