On Thursday, June 20, 2024, the Department of Commerce Bureau of Industry and Security (“BIS”) issued the first-ever ban of foreign information and communications technology or services (“ICTS”) under Executive Order (“E.O.”) 13873.[1] BIS issued a Final Determination prohibiting transactions in the United States or with U.S. persons involving Kaspersky Labs, Inc. and its affiliates, subsidiaries, and parent companies (collectively, “Kaspersky”), due to the company’s ties to Russia and concerns about security on devices running Kaspersky software.[2] The Final Determination is effective immediately regarding new transactions involving Kaspersky.[3] BIS also added three Kaspersky entities to the Entity List on the same day.[4]
E.O. 13873, signed by President Trump in May 2019, authorizes the Secretary of Commerce to issue a Final Determination to prohibit all “transactions”[5] by any person, or with respect to any property, subject to the jurisdiction of the United States, in identified ICTS where (i) the transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and (ii) the transaction:
(A) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
(B) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
(C) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.[6]
In January 2021, BIS implemented E.O. 13873 by promulgating the regulations located at 15 C.F.R. Pt. 7, which identify covered ICTS, provide a list of foreign adversaries relevant to E.O. 13873,[7] and establish a procedure for BIS to review ICTS transactions for national security concerns.
The Final Determination states that Kaspersky is subject to the jurisdiction and control of the Russian government, and consequently, must comply with requests for information from the Russian government that may compromise security on devices running Kaspersky software. BIS also noted the broad access Kaspersky has to U.S. customer data through its provision of cybersecurity and antivirus software and that it could install malicious software or withhold critical updates. BIS found that the integration and resale of Kaspersky products has also led to Kaspersky software being unwittingly installed on devices without users’ knowledge. Accordingly, BIS found that Kaspersky products pose an undue or unacceptable risk to U.S. national security.
The day after the BIS action, on June 21, 2024, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) designated 12 individuals in executive and senior leadership roles at Kaspersky to the Specially Designated Nationals and Blocked Persons List (“SDN List”) under E.O. 14024 for operating in the technology sector of the Russian economy.[8] In the press release accompanying the designations, OFAC stated that these actions were taken to protect the “integrity of the cyber domain and to protect our citizens against malicious cyber threats.”[9] Collectively, these actions underscore the escalating efforts of OFAC and BIS to address to cyber threats and an unrelenting focus on Russia by imposing restrictions on U.S. businesses.
Click here to download this article.
[1] Commerce Department Prohibits Russian Kaspersky Software for U.S. Customers, BIS (June 20, 2024), https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-us-customers; Kaspersky Final Determination, BIS Office of Information and Communication Technology and Services (June 20, 2024), https://oicts.bis.gov/kaspersky/.
[2] Investigations; Determinations, Modifications, and Rulings, etc.: Kaspersky Lab, Inc., Federal Register (June 24, 2024), https://www.federalregister.gov/public-inspection/2024-13532/investigations-determinations-modifications-and-rulings-etc-kaspersky-lab-inc.
[3] The Final Determination authorizes a wind-down period for continuing support of current products through September 29, 2024, after which Kaspersky may no longer provide anti-virus[antivirus] signature updates, codebase updates, or operate the Kaspersky Security Network in the United States. Also on September 29, Kaspersky products may longer be resold, integrated into other products or services, or licensed for resale or integration purposes in the United States or to U.S. persons.
[4] AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom). Additions to the Entity List, Bureau of Industry and Security, https://www.federalregister.gov/documents/2024/06/24/2024-13695/additions-to-the-entity-list.
[5] A transaction is “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.” E.O. 13873 Sec. 1(a).
[6] E.O. 13873 Sec. 1(a).
[7] (1) The People’s Republic of China, including the Hong Kong Special Administrative Region (China); (2) Republic of Cuba (Cuba); (3) Islamic Republic of Iran (Iran); (4) Democratic People’s Republic of Korea (North Korea); (5) Russian Federation (Russia); and (6) Venezuelan politician Nicolás Maduro (Maduro Regime). 15 C.F.R. 7.4(a).
[8] Treasury Sanctions Kaspersky Lab Leadership in Response to Continued Cybersecurity Risks, OFAC (June 21, 2024), https://home.treasury.gov/news/press-releases/jy2420.
[9] Id.
