The software’s privileged access to a computer’s systems could allow it to steal sensitive information from American computers or install malware and withhold critical updates, enhancing the threat, a source said, noting that Kaspersky’s customers include critical infrastructure providers and state and local governments.
“Russia has shown it has the capacity and … the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today,” Raimondo said on a briefing call with reporters.
Kaspersky said it believed the U.S. decision was based on “the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.”
In an emailed statement, Kaspersky added that its activities did not threaten U.S. national security and that it will pursue legal options to preserve its operations.
The Russian Embassy did not respond to requests for comment. Previously, Kaspersky has said that it is a privately managed company with no ties to the Russian government. The sweeping new rule, using broad powers created by the administration of former President Donald Trump, will be coupled with another move to add three units of the company to a trade restriction list, Raimondo said, dealing a blow to Kaspersky’s reputation that could hammer its overseas sales. The plan to add the cybersecurity company to the entity list, which effectively bars a company’s U.S. suppliers from selling to it, and the timing and details of the software sales prohibition were first reported by Reuters.
The moves show the Biden administration is trying to stamp out any risks of Russian cyberattacks stemming from Kaspersky software and keep squeezing Moscow as its war effort in Ukraine has regained momentum and the United States has run low on fresh sanctions it can impose on Russia.
It also shows the administration is harnessing a powerful new authority that allows it to ban or restrict transactions between U.S. firms and internet, telecom and tech companies from “foreign adversary” nations like Russia and China.
“We would never give an adversarial nation the keys to our networks or devices, so it’s crazy to think that we would continue to allow Russian software with the deepest possible device access to be sold to Americans,” said Democratic Senator Mark Warner, chair of the Senate Intelligence Committee.
The new restrictions on inbound sales of Kaspersky software, which will also bar downloads of software updates, resales and licensing of the product, kick in on Sept. 29, 100 days after publication, to give businesses time to find alternatives. New U.S. business for Kaspersky will be blocked 30 days after the restrictions are announced.
Sales of white-labeled products – that integrate Kaspersky into software sold under a different brand name – will also be barred, the source said, adding that the Commerce Department will notify companies before taking enforcement action against them.
The Commerce Department will also entity list two Russian and one UK-based unit of Kaspersky for allegedly cooperating with Russian military intelligence to support Moscow’s cyber intelligence goals.
Kaspersky’s Russian business is already subject to sweeping U.S. export restrictions over Moscow’s invasion of Ukraine. But its UK-based unit will now be effectively barred from receiving goods from American suppliers.
GROWING PRESSURE
Kaspersky has long been in regulators’ crosshairs. In 2017, the Department of Homeland Security banned its flagship antivirus product from federal networks, alleging ties to Russian intelligence and noting Russian law lets intelligence agencies compel assistance from Kaspersky and intercept communications using Russian networks.
Media reports at the time alleged Kaspersky Lab was involved in taking hacking tools from a National Security Agency employee that ended up in the hands of the Russian government. Kaspersky responded by saying it had stumbled upon the code but said no third parties saw it.
Pressure on the company’s U.S. business grew after Moscow’s move against Kyiv. The U.S. government privately warned some American companies the day after Russia invaded Ukraine in February 2022 that Moscow could manipulate software designed by Kaspersky to cause harm, Reuters reported.
The war also prompted the Commerce Department to ramp up a national security probe into the software, first reported by Reuters, that resulted in Thursday’s action.
Under the new rules, sellers and resellers that violate the restrictions will face fines from the Commerce Department, the source added. If someone willfully violates the prohibition, the Justice Department can bring a criminal case. Software users will not face legal penalties but will be strongly encouraged to stop using it.
Kaspersky, which has a British holding company and operations in Massachusetts, said in a corporate profile that it generated revenue of $752 million in 2022 from more than 220,000 corporate clients in some 200 countries. Its website lists Italian vehicle maker Piaggio, Volkswagen’s retail division in Spain and the Qatar Olympic Committee among its customers.