The Russian cybersecurity software firm Kaspersky’s days of operating in the United States are now officially numbered.
The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.
“When you think about national security, you may think about guns and tanks and missiles,” Commerce secretary Gina Raimondo told reporters during a briefing Thursday. “But the truth is, increasingly, it's about technology, and it's about dual-use technology, and it's about data.”
The US conducted an “extremely thorough” investigation of Kaspersky and explored “every option” to mitigate its risks, Raimondo said, but officials settled on a full ban “given the Russian government's continued offensive cyber capabilities and capacity to influence Kaspersky’s operations.”
The Kaspersky ban represents the latest rift in relations between the US and Russia as the latter country remains locked in a brutal war with Ukraine and takes other steps to threaten Western democracies, including testing a nuclear-powered anti-satellite weapon and forming a strategic alliance with North Korea. But the ban could also immediately complicate business operations for American companies using Kaspersky software, which will lose up-to-date antivirus definitions critical for blocking malware in only three months.
The Biden administration knows roughly how many customers Kaspersky has in the US, but government lawyers have determined that this information is proprietary business data and cannot be published, according to a Commerce Department official, who briefed reporters on the condition of anonymity to discuss a sensitive matter. The official did say the “significant number” of US customers includes state and local governments and organizations that supply critical infrastructure such as telecommunications, power, and health care.
Raimondo had a message for Kaspersky’s US customers on Thursday: “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
Commerce will work with the departments of Homeland Security and Justice to “get this message out” and “ensure a smooth transition,” including through a website explaining the ban, Raimondo said. “We certainly don't want to disrupt the business or families of any Americans.”
DHS’s Cybersecurity and Infrastructure Security Agency will contact critical infrastructure organizations that use Kaspersky to brief them on the alleged national security risks and “help them identify alternatives,” the Commerce Department official said.
Kaspersky has consistently denied being a national security risk or an agent of the Kremlin. In a statement to WIRED, the company accused the government of having “made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.”
“Kaspersky does not engage in activities which threaten US national security,” the company said, adding that it “intends to pursue all legally available options to preserve its current operations and relationships.”
A new lawsuit from Kaspersky could set up a high-stakes legal test of Commerce’s national security authorities.
The order to kick Kaspersky out of the US relies on powers that former president Donald Trump gave the Commerce Department in 2019. Trump issued an executive order that May authorizing the commerce secretary to bar US transactions of IT products and services supplied by “persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” if the transactions posed “an unacceptable risk” to national security.
Kaspersky has been in the crosshairs of US intelligence officials for decades due to its presence in Russia and reports of its possible collusion with Moscow. In 2017, the Trump administration banned federal agencies from using Kaspersky products, a decision upheld by a federal appeals court a year later.
The official order banning US transactions with Kaspersky’s three corporate entities cites “their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives,” according to the Commerce Department official.
Asked why the government was only acting now to ban Kaspersky from selling its services in the US, the official said Commerce only received funding last year for a dedicated program devoted to these kinds of cases.
The official declined to say whether the US had specific intelligence proving that Moscow had directed Kaspersky’s actions.
“We fully believe that … the Russian government is either now using Kaspersky or certainly would be willing to use Kaspersky,” the official said, adding that the Commerce Department’s Trump-era authority “allows us to act proactively, even in the absence of concrete examples” of collusion.
The Commerce Department will work with law enforcement to monitor Kaspersky’s business actions after September 29 for signs that it continues to provide software updates in the US, the department official said.
“We need to get more vigilant and more sophisticated every day,” Raimondo told reporters, “because our adversaries are getting more sophisticated.”
Updated 8:27 pm ET, June 20, 2024: Added statement from Kaspersky.