According to a Reuters report and a US Commerce Department filing (PDF), the Biden administration plans to completely ban the sale of Kaspersky Lab’s antivirus software in the US from July.
The United States believes security software made by Moscow-based Kaspersky Lab poses national security risks and that the Russian government could use it to install malware, block other security updates or “harvest and weaponize Americans’ personal information,” Commerce Secretary Gina Raimondo said.
“When you think about national security, you might think of guns and tanks and missiles,” Raimondo said at a press conference reported by Wired, “but increasingly, the truth is it’s about technology, dual-use technology and data.”
US businesses and consumers will be blocked from purchasing new Kaspersky software starting around July 24, 2024, 30 days after the restrictions are scheduled to be published in the Federal Register. Current users will be able to continue downloading, reselling, and downloading new updates for the software for 100 days, giving affected users and businesses time to find alternative software, according to Reuters. Rebranded products that use Kaspersky software will also be affected.
Companies that continue to sell Kaspersky software in the United States after the ban comes into effect could be subject to fines.
The ban follows a two-year investigation by the Commerce Department into Kaspersky Lab’s antivirus software for national security reasons, and the government says it is taking action under authority granted under the National Defense Authorization Act signed by the Trump administration in 2018.
The ban is the culmination of long-running concerns across several presidential administrations. Kaspersky software was banned from U.S. government agency systems following allegations that the company was involved in Russian intelligence activities. A month after Russia began its invasion of Ukraine in early 2022, the Federal Communications Commission went a step further, adding Kaspersky to a list of security threats that also includes Chinese hardware makers Huawei and ZTE. Adding Kaspersky to the list did not ban it from selling to consumers, but it no longer could receive funding from the FCC.
Meanwhile, Kaspersky and its representatives have always denied the U.S. government’s allegations, with CEO Eugene Kaspersky calling the 2017 reports “contrived nonsense.” [a] The company also accused the FCC in 2022 of making decisions for “political reasons” and “not based on a technical evaluation of Kaspersky Lab’s products.”
Update, June 21, 2024 at 5pm ET: Kaspersky issued the following statement to Ars, reiterating that the Commerce Department’s move is primarily political, not factual, and vowing to “pursue all legal options available” to protect its business. Read the company’s full statement below:
“Kaspersky Lab is aware of the US Department of Commerce’s decision to prohibit the use of Kaspersky Lab software in the United States. This decision does not affect the company’s ability to sell and promote its cyber threat intelligence products and training in the United States. Kaspersky Lab believes that the Department of Commerce made its decision based on the current geopolitical situation and theoretical concerns, rather than a comprehensive evaluation of the integrity of Kaspersky Lab’s products and services, despite the company’s proposed system where the security of Kaspersky Lab products would be independently verified by a trusted third party. Kaspersky Lab is not involved in any activities that threaten the national security of the United States, and in fact has made significant contributions in reporting and protecting against various threat actors targeting U.S. interests and allies. The company intends to pursue all legally available options to maintain its current business and relationships.
For more than 26 years, Kaspersky has been on a mission to build a safer future by protecting over a billion devices. Kaspersky provides industry-leading products and services to protect customers around the world from all types of cyber threats, and has repeatedly demonstrated its independence from governments. Additionally, Kaspersky has implemented significant transparency measures unmatched by any company in the cybersecurity industry to demonstrate its enduring commitment to honesty and trustworthiness. The Commerce Department’s decision unjustly ignores the evidence.
The primary impact of these measures is to benefit cybercrime. International cooperation between cybersecurity experts is essential in the fight against malware, and these measures will limit that effort. Furthermore, they will take away consumers and organizations (large and small)’s freedom to access the protection they want, in this case, away from the industry’s best anti-malware technology according to independent testing. This will cause significant disruption to our customers, forcing them to urgently replace their preferred technology that they have relied on for protection for years.
Kaspersky remains committed to protecting the world from cyber threats. Our business remains resilient and strong, and we expect revenue to grow 11 percent in 2023. We look forward to the future and will continue to defend ourselves against any actions that seek to unfairly damage our reputation and commercial interests.”
