Federal Ban of Kaspersky Sales Cites 'Unacceptable' Security Risk

• By Gladys Rama
• 06/24/24

Effective this fall, the United States government has ordered a ban on all sales of Kaspersky Lab software to businesses and private citizens due to concerns about cyber espionage.

The ban will take full effect this fall. In a "Final Determination" announced on Thursday, the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce said, "Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use."

The move is the outcome of what the department called a "lengthy and thorough investigation," in which it found Kaspersky, an antivirus software provider with over 400 million users worldwide, posed an "unacceptable risk" to the United States, mostly owing to its ties to Russia. Though operated by a U.K.-based holding company under the name Kaspersky Lab, Kaspersky's eponymous parent company is headquartered in Moscow, making it subject to the jurisdiction of the Russian government.

That's a problem because U.S. intelligence agencies have long considered Russia a top threat to U.S. cybersecurity interests. In a FAQ accompanying the BIS announcement, the agency described Russia as "one of the greatest counterintelligence and cyberattack threats to the United States" that is "particularly focused on targeting critical infrastructure, including industrial control systems (ICS) in the United States and partner countries."

According to the BIS, Kaspersky has the potential to give Russia access to confidential or classified data on U.S. citizens, critical infrastructure or other matters of national importance. It also contends that Kaspersky software can be manipulated to install malware on, or prevent security patches from being delivered to, critical IT systems, opening vulnerabilities that Russia's state-sponsored attackers could then exploit.

It's not just first-party Kaspersky products in the hot seat; third-party solutions that have Kaspersky tools integrated also pose a threat, according to the BIS. Such products "create circumstances where the source code for the software is unknown," the agency said. "This increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data."

Ban Timeline and Other Details

The ban affects Kaspersky's first-party cybersecurity and antivirus software, as well as those same Kaspersky products that have been integrated into third-party solutions. It does not apply to Kaspersky's consulting services, nor to products in the Kaspersky Threat Intelligence or Kaspersky Security Training portfolios.

Per the BIS info page, the ban will unfold over several months to give current Kaspersky customers time to uninstall the affected software and find alternatives.

Starting July 20, Kaspersky will be not be allowed to make new sales of the affected products.

Following that, on Sept. 29, Kaspersky will be made to stop issuing any more updates and security patches for affected products. The Kaspersky Security Network (KSN) will also be shut down for U.S. customers.

The ban extends to Kaspersky sales to U.S. customers located in other countries. Per the FAQ:

The Final Determination imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located; any permanent resident alien, wherever located; or any entity organized under the laws of the United States or any jurisdiction within the United States, including such entity's foreign branches.