On June 20, 2024, the U.S. Department of Commerce issued an announcement prohibiting Russia-based cybersecurity and antivirus software company Kaspersky Lab, Inc. and its affiliates from providing antivirus software and cybersecurity products or services in the U.S. or to U.S. customers. The ban covers not only Kaspersky Lab itself but also its subsidiaries, parent companies, and affiliated entities. This marks the first such action taken by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce and the first final ruling issued by the Office of Information and Communications Technology and Services (OICTS).

Background and Details of the Ban

Under U.S. Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain, and its implementing regulations (15 C.F.R. Part 7), the Department of Commerce is authorized to investigate and address whether certain transactions involving information and communications technology or services pose undue or unacceptable risks to national security. Specifically, these risks include:

1. The risk of undue or unacceptable disruption or subversion to U.S. information and communications technology (ICTS);
2. The risk of catastrophic effects on the security or resilience of U.S. critical infrastructure or the digital economy;
3. Other unacceptable risks to U.S. national security or the safety of U.S. citizens.

Following its investigation, the Department of Commerce determined that Kasperskys operations posed the above risks and thus decided to impose the ban. Under the ban, Kaspersky will no longer be able to sell its software in the U.S. or provide updates for existing software from the date of the announcement. However, to minimize disruption to U.S. consumers and businesses, the Department of Commerce has allowed Kaspersky to continue certain operations in the U.S., including providing antivirus signature updates and codebase updates, until 12:00 PM on September 29, 2024.

Kaspersky Entities Added to Export Control Entity List

In addition to prohibiting Kaspersky from providing services to U.S. customers, the BIS has also added three of Kasperskys affiliated entities to the export control Entity List. These entities include:

1. AO Kaspersky Lab, Russia
2. OOO Kaspersky Group, Russia
3. Kaspersky Labs Limited, UK

BIS noted that these entities were added to the Entity List due to their collaboration with Russian military intelligence agencies. This means these companies will face stricter export controls, limiting their access to U.S. technology and products.

Kasperskys Global Impact

Kaspersky is a multinational company with offices in 31 countries and regions, providing cybersecurity and antivirus products and services to over 400 million users and 270,000 corporate clients worldwide. The impact of this ban and the Entity List designation extends beyond the U.S. market and may trigger ripple effects on Kasperskys operations in other countries.

In the future, U.S. regulatory measures in the information and communications technology sector may further intensify, and other countries may follow suit with similar actions. For businesses and users, maintaining operational continuity and technological innovation while ensuring security and compliance will become a critical challenge.