By Alexandra Alper
WASHINGTON (Reuters) – The Biden administration will announce plans on Thursday to ban sales of antivirus software from Russia’s Kaspersky Labs in the United States, a person familiar with the matter said, citing the company’s major U.S. customers , including critical infrastructure providers and state-owned enterprises. and local governments.
The company’s close ties to the Russian government appeared to pose a critical risk, the person said, adding that the software’s privileged access to a computer’s systems could allow it to steal sensitive information from U.S. computers, malware install or withhold critical updates.
The sweeping new rule, which uses broad powers created by the Trump administration, will be accompanied by another move to add the company to a list of trade restrictions. its foreign sales.
The plan to add the cybersecurity company to the Entity List, which effectively bars a company’s U.S. suppliers from selling to the company, and the timing and details of the ban on software sales, have not previously been reported.
A Commerce Ministry spokesperson declined to comment, while Kaspersky Lab and the Russian Embassy did not respond to requests for comment. Kaspersky has previously said it is a privately run company with no ties to the Russian government.
These steps demonstrate the administration’s efforts to eliminate all risks of Russian cyberattacks stemming from Kaspersky software and continues to pressure Moscow as the war effort in Ukraine regains momentum and the United States is running out of new sanctions to deal with. can impose on Russia.
It also shows the Biden administration using a powerful new authority that allows it to ban or restrict transactions between U.S. companies and internet, telecom and technology companies from “foreign adversaries” like Russia and China.
The tools are largely untested.
Former President Donald Trump used them to try to stop Americans from using Chinese social media platforms TikTok and WeChat, but federal courts halted the moves.
The new restrictions on inbound sales of Kaspersky software, which will also ban downloads of software updates, resale and licensing of the product, will take effect on September 29, 100 days after publication, to give companies time to find alternatives. New US operations for Kaspersky will be blocked 30 days after the restrictions are announced.
Sales of white-label products – which integrate Kaspersky into software sold under a different brand name – will also be excluded, the source said, noting that the Commerce Department will notify the companies before taking enforcement action against them are taken.
It is less clear what impact the entity’s listing will have on Kaspersky, whose Russian operations are already subject to sweeping U.S. export restrictions on Ukraine, making it virtually impossible for U.S. products other than food or medical equipment to reach Russia.
If the Commerce Department adds foreign Kaspersky units to the list of entities that buy key raw materials from the United States, the move could shrink the supply chain. If only the Russian entity is added, the impact will largely be on reputation.
Kaspersky has been in the crosshairs of regulators for some time now. In 2017, the Department of Homeland Security banned its flagship antivirus product from federal networks, citing ties to Russian intelligence and noting that Russian law allows intelligence agencies to coerce Kaspersky’s assistance and intercept communications over Russian networks.
It was claimed in the media at the time that Kaspersky Lab was involved in stealing hacking tools from a National Security Agency employee, which ended up in the hands of the Russian government. Kaspersky responded by saying it had come across the code, but said no third party had seen it.
Pressure on the company’s American operations grew after Moscow’s action against Kiev; The US government warned a number of American companies the day after Russia invaded Ukraine in February 2022 that Moscow could manipulate software designed by Kaspersky to cause damage, Reuters reported.
The war also prompted the Commerce Department to step up its national security investigation into the software, first reported by Reuters, which resulted in Thursday’s action.
The delayed unveiling of the ban is partly due to a “significant back and forth” conversation with Kaspersky, which suggested mitigation measures rather than an outright ban, the source said.
However, the agency concluded that the threats, especially links to the Russian government, meant that “no mitigation measures could in fact be taken to address these risks.”
Under the new rules, sellers and resellers who violate the restrictions will face fines from the Commerce Department. If someone deliberately violates the ban, the Ministry of Justice can initiate criminal proceedings. Software users will not face legal penalties, but will be strongly encouraged to stop using them.
Kaspersky, which has a British holding company and operations in Massachusetts, said in a company profile that it generated revenue of $752 million in 2022 from more than 220,000 business customers in about 200 countries. The website lists Italian carmaker Piaggio, Volkswagen’s retail division in Spain and the Qatar Olympic Committee among its clients.
(Reporting by Alexandra Alper; additional reporting by Christopher Bing, Raphael Satter and Karen Freifeld; Editing by Chris Sanders and Lisa Shumaker)
