The Biden administration will announce plans to bar the sale of antivirus software made by Russia’s Kaspersky Labs in the United States, a person familiar with the matter said, citing the firm’s large US customers including critical infrastructure providers and state and local governments.
The company’s close ties to the Russian government were found to pose a critical risk, the person said, adding that the software’s privileged access to a computer’s systems could allow it to steal sensitive information from American computers, install malware or withhold critical updates.
The sweeping new rule, using broad powers created by the Trump administration, will be coupled with another move to add the company to a trade restriction list, according to two other people familiar with the matter, dealing a blow to the firm’s reputation that could hammer its overseas sales.
The plan to add the cyber security company to the entity list, which effectively bars a company’s US suppliers from selling to it, and the timing and details of the software sales prohibition, have not been previously reported.
A spokesperson for the Commerce Department declined to comment, while Kaspersky Lab and the Russian Embassy did not respond to requests for comment.
Previously, Kaspersky has said that it is a privately managed company with no ties to the Russian government.
The moves show the administration is trying to stamp out any risks of Russian cyberattacks stemming from Kaspersky software and keep squeezing Moscow as its war effort in Ukraine has regained momentum and as the United States has run low on fresh sanctions it can impose on Russia.
It also shows the Biden administration is harnessing a powerful new authority that allows it to ban or restrict transactions between US firms and internet, telecom and tech companies from “foreign adversary” nations like Russia and China.
The tools are largely untested.
Former President Donald Trump used them to try to bar Americans from using Chinese social media platforms TikTok and WeChat, but federal courts halted the moves.
The new restrictions on inbound sales of Kaspersky software, which will also bar downloads of software updates, resales and licensing of the product, kick in on September 29, 100 days after publication, to give businesses time to find alternatives.
New US business for Kaspersky will be blocked 30 days after the restrictions are announced.
Sales of white-labelled products — that integrate Kaspersky into software sold under a different brand name — will also be barred, the source said, noting that the Commerce Department will notify the companies before taking enforcement action against them.
It is less clear what impact the entity listing will have on Kaspersky, whose Russian business is already subject to sweeping US export restrictions over Ukraine which make it almost impossible for any US-made items other than food or medical equipment to reach Russia.
If the Commerce Department adds foreign units of Kaspersky to the entity list that purchase significant inputs from the United States, the move could crimp its supply chain. If it only adds the Russian entity, the impact will be largely reputational.
Kaspersky has long been in regulators’ crosshairs. In 2017, the Department of Homeland Security banned its flagship antivirus product from federal networks, alleging ties to Russian intelligence and noting Russian law lets intelligence agencies compel assistance from Kaspersky and intercept communications using Russian networks.
Media reports at the time alleged Kaspersky Lab was involved in taking hacking tools from a National Security Agency employee that ended up in the hands of the Russian government. Kaspersky responded by saying it had stumbled upon the code but said no third parties saw it.
Pressure on the company’s US business grew after Moscow’s move against Kyiv; The US government privately warned some American companies the day after Russia invaded Ukraine in February 2022 that Moscow could manipulate software designed by Kaspersky to cause harm, Reuters reported.
The war also prompted the Commerce Department to ramp up the national security probe into the software, first reported by Reuters, that resulted in today’s action.
The delayed unveiling of the prohibition is due in part to a “significant back and forth” with Kaspersky, which proposed mitigating measures instead of an outright ban, the source said.
However, the agency concluded that the threats, especially the ties to the Russian government, meant “there really were no mitigating measures that could be implemented to address those risks.”
Under the new rules, sellers and resellers who violate the restrictions will face fines from the Commerce Department. If someone wilfully violates the prohibition, the Justice Department can bring a criminal case. Software users will not face legal penalties but will be strongly encouraged to stop using it.
Kaspersky, which has a UK holding company and operations in Massachusetts, said in a corporate profile that it generated revenue of US$752 million ($1.13 billion) in 2022 from more than 220,000 corporate clients in some 200 countries.