Feds Ban Kaspersky Sales, Citing 'Unacceptable' Security Risk

Effective this fall, the United States government is banning all sales of Kaspersky Lab software to businesses and private citizens due to concerns about cyber espionage.

The ban will take full effect this fall. In a "Final Determination" announced on Thursday, the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce said, "Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use."

The move is the outcome of what the department called a "lengthy and thorough investigation," in which it found Kaspersky, an antivirus software provider with over 400 million users worldwide, posed an "unacceptable risk" to the United States, mostly owing to its ties to Russia. Though operated by a U.K.-based holding company under the name Kaspersky Lab, Kaspersky's eponymous parent company is headquartered in Moscow, making it subject to the jurisdiction of the Russian government.

That's a problem because U.S. intelligence agencies have long considered Russia a top threat to U.S. cybersecurity interests. In a FAQ accompanying the BIS announcement, the agency described Russia as "one of the greatest counterintelligence and cyberattack threats to the United States" that is "particularly focused on targeting critical infrastructure, including industrial control systems (ICS) in the United States and partner countries."

According to the BIS, Kaspersky has the potential to give Russia access to confidential or classified data on U.S. citizens, critical infrastructure or other matters of national importance. It also contends that Kaspersky software can be manipulated to install malware on, or prevent security patches from being delivered to, critical IT systems, opening vulnerabilities that Russia's state-sponsored attackers could then exploit.

It's not just first-party Kaspersky products in the hot seat; third-party solutions that have Kaspersky tools integrated also pose a threat, according to the BIS. Such products "create circumstances where the source code for the software is unknown," the agency said. "This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data."

Ban Timeline and Other Details

The ban affects Kaspersky's first-party cybersecurity and antivirus software, as well as those same Kaspersky products that have been integrated into third-party solutions. It does not apply to Kaspersky's consulting services, nor to products in the Kaspersky Threat Intelligence or Kaspersky Security Training portfolios.

Per the BIS info page, the ban will unfold over several months to give current Kaspersky customers time to uninstall the affected software and find alternatives.

Starting July 20, Kaspersky will be not be allowed to make new sales of the affected products.

Following that, on Sept. 29, Kaspersky will be made to stop issuing any more updates and security patches for affected products. The Kaspersky Security Network (KSN) will also be shut down for U.S. customers.

The ban extends to Kaspersky sales to U.S. customers located in other countries. Per the FAQ:

The Final Determination imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located; any permanent resident alien, wherever located; or any entity organized under the laws of the United States or any jurisdiction within the United States, including such entity's foreign branches.

Those who continue to sell, resell, integrate or license affected Kaspersky products for U.S. customers after Sept. 29 face "civil and criminal penalties," per the FAQ.

Notably, existing Kaspersky users (individuals, as well as businesses) will not be punished for continuing to use the affected products after Sept. 29, though they face potential security risks by continuing to use unpatched software. Users of third-party products with Kaspersky integrations also won't be forced to replace them, though, again, the lack of new patches will make these products less secure.

"U.S. persons will not face enforcement actions by the Department for the continued use of Kaspersky products obtained prior to the issuance of the Final Determination," the FAQ said.

The ban also does not prohibit customers from communicating with Kaspersky after Sept. 29 to, for instance, negotiate termination clauses. Moreover, Kaspersky will not be required to destroy data from its U.S. customers.

'The First of Many'

In a statement Thursday, Kaspersky warned that the ban's primary impact will only be to help cybercriminals. It also accused the BIS of bending to political headwinds.

"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services," the company said in a blog post, adding that it "intends to pursue all legally available options to preserve its current operations and relationships."

In making its decision to ban Kaspersky, the BIS revealed that it consulted "key foreign allies and partners," some of which have also imposed sanctions on the security company.

The United States itself has dogged Kaspersky for years. Since March 2022, Kaspersky has been included in the Federal Communications Commission (FCC)'s running list of products that pose significant national security risks. Further back, in 2017, the Department of Homeland Security (DHS) issued a ban on nearly all things Kaspersky for the entire U.S. federal government, citing "the risks presented by Kaspersky-branded products."

As with this week's Final Determination, that DHS ban exempted Kaspersky Threat Intelligence and Kaspersky Security Training products. Incidentally, the DHS ban also did not include third-party products integrated with Kaspersky, an omission that the BIS corrected in its Final Determination.

This Final Determination was the first issued by the BIS, though it likely won't be the last. "This action will be the first of many to ensure that the United States remains safe from foreign adversaries who seek to use their position within the ICTS supply chain to harm U.S. national security," the agency said.

For more information, read the BIS announcement here.

Featured

  • blue AI cloud connected to circuit lines, a server stack, and a shield with a padlock icon

    Report: AI Security Controls Lag Behind Adoption of AI Cloud Services

    According to a recent report from cybersecurity firm Wiz, nearly nine out of 10 organizations are already using AI services in the cloud — but fewer than one in seven have implemented AI-specific security controls.

  • stacks of glowing digital documents with circuit patterns and data streams

    Mistral AI Intros Advanced AI-Powered OCR

    French AI startup Mistral AI has announced Mistral OCR, an advanced optical character recognition (OCR) API designed to convert printed and scanned documents into digital files with "unprecedented accuracy."

  • robot waving

    Copilot Updates Aim to Personalize AI

    Microsoft has introduced a range of updates to its Copilot platform, marking a new phase in its effort to deliver what it calls a "true AI companion" that adapts to individual users' needs, preferences and routines.

  • teenager interacts with a chatbot on a computer screen

    Character.AI Rolls Out New Parental Insights Feature Amid Safety Concerns

    Chatbot platform Character.AI has introduced a new Parental Insights feature aimed at giving parents a window into their children's activity on the platform. The feature allows users under 18 to share a weekly report of their chatbot interactions directly with a parent's e-mail address.