Biden Bans Kaspersky for Good: How It Started and What It Means for Cybersecurity Companies in US
21 June 2024 at 04:16
The Department of Commerce's Bureau of Industry and Security (BIS) has announced a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of the Russian cybersecurity firm, from providing any products or services in the United States. This historic decision to ban Kaspersky marks the first Final Determination by the Office of Information and Communications Technology and Services (OICTS).
The BIS has set a deadline of September 29, 2024, giving U.S. consumers and businesses time to switch to alternative cybersecurity solutions. Kaspersky will no longer be able to sell its software within the United States or provide updates to software already in use. The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries, and parent companies (together with Kaspersky Lab, Inc., “Kaspersky”).
The U.S. ban on Kaspersky highlights rising concerns over national security risks linked to foreign technology companies, especially those from adversarial states. It also reflects years of scrutiny and represents a significant escalation in U.S. efforts to safeguard its cyber infrastructure.
“This action is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the United States pose an undue or unacceptable national security risk,” reads the official BIS announcement.
Additionally, BIS has added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.
This article delves into the timeline and context of U.S. actions against Kaspersky, highlighting the shift from the Trump administration to the Biden administration.
US vs Kaspersky: A Timeline of Cybersecurity Actions
2017
September - The Trump Administration’s heightened scrutiny of Kaspersky began. The Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD 17-01) that mandated removing and discontinuing Kaspersky products from all federal information systems. This directive followed mounting evidence suggesting that the Russian government could use Kaspersky’s products to infiltrate U.S. networks.
December - The National Defense Authorization Act (NDAA) for Fiscal Year 2018 cemented these concerns into law by prohibiting the use of Kaspersky software across all federal agencies. This legislative action reflected a bipartisan consensus on the potential risks posed by the Russian firm.
2022
March - The Federal Communications Commission (FCC) added Kaspersky to its “List of Communications Equipment and Services that Pose a Threat to National Security.” This action was part of a broader effort to secure the nation’s communications networks from foreign influence and control.
2024
June - Today’s Final Determination by the BIS represents the culmination of a thorough investigation by the Office of Information and Communications Technology and Services (OICTS). This office, established to assess whether certain information and communications technology (ICT) transactions pose unacceptable national security risks, has found Kaspersky’s operations in the U.S. untenable.
US Banning Kaspersky: The Context and Implications of BIS’s Final Determination
The BIS’s decision comes after a comprehensive investigation revealed that Kaspersky’s operations in the United States posed an undue or unacceptable national security risk. The key concerns highlighted include:
- Jurisdiction and Control by the Russian Government: Kaspersky is subject to Russian laws requiring cooperation with intelligence agencies. This legal framework gives the Russian government potential access to data managed by Kaspersky’s software, and it requires Kaspersky to comply with requests for information that could compromise U.S. national security.
- Access to Sensitive Information: Kaspersky’s software has extensive administrative privileges over customer systems, creating opportunities for data exploitation.
- Potential for Malicious Activities: Kaspersky could theoretically introduce malware or withhold crucial security updates, compromising U.S. cybersecurity.
- Third-Party Integrations: Integrating Kaspersky products into third-party services further complicates the risk, as the source code might be obscured, increasing vulnerability in critical U.S. systems.