The Biden administration has banned sales of Kaspersky antivirus products and services in the US, citing national security risks due to the company’s ties to the Russian state.
Upon announcing the decision, the US Commerce Department “strongly encouraged” individuals and enterprises using Kaspersky software “to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage”. To help ease this switch and reduce disruption, Kaspersky will be allowed to continue providing anti-virus signature and codebase updates until the end of September.
Complete prohibition “only means of mitigation”
Headquartered in Moscow, the company claims to have over 400 million users worldwide, servicing 270,000 corporate clients across more than 200 countries. Exact figures for the number of US users are unavailable. Kaspersky’s proximity to Russian intelligence have long been a cause of concern for US regulators, with its antivirus software banned for use on federal IT infrastructure since 2017.
In addition to the sales ban, the Department of Commerce’s Bureau of Industry and Security (BIS) added three business units – the Russia-based AO Kaspersky Lab and OOO Kaspersky Group, and the UK-headquartered Kaspersky Labs Limited – to its “Entity List”, a compilation of foreign individuals, companies, and organisations deemed a national security concern. All were cited for working in support of Russian military and intelligence cyber objectives. The BIS said complete prohibition was the only means of mitigating the national security risk such ties caused.
“Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponise sensitive US information, and we will continue to use every tool at our disposal to safeguard US national security and the American people,” said Secretary of Commerce Gina Raimondo. “Today’s action, our first use of the Commerce Department’s ICTS authorities, demonstrates Commerce’s role in support of our national defence and shows our adversaries we will not hesitate to act when they use their technology poses a risk to United States and its citizens.”
Kaspersky claims to be a victim of geopolitical climate
Kaspersky, unsurprisingly, denied the allegations, saying it intended “to pursue all legally available options to preserve its current operations and relationships” and that the decision was motivated by the current geopolitical climate and hypothesis, rather than being grounded in substantiated fact.
“[The company] has repeatedly demonstrated its independence from any government,” read its statement responding to the announcement. “Additionally, Kaspersky has implemented significant transparency measures that are unmatched by any of its cybersecurity industry peers to demonstrate its enduring commitment to integrity and trustworthiness. The Department of Commerce’s decision unfairly ignores the evidence.”
The company’s most recent financial results, published earlier this month, reported an 11% growth in net-sales in 2023, with global revenues of $721mln. Chief business development officer Andrey Efremov called it “a breakthrough year”.
At the time of Russia’s invasion of Ukraine, the UK’s National Cyber Security Centre (NCSC) warned individuals using Kaspersky antivirus software that they “may need to move to a new AV product if Kaspersky itself becomes subject to sanctions”.
At the time of writing the NCSC was yet to comment on the decision of the Biden administration – and it remains to be seen whether the UK and other European governments decide, or come under pressure, to follow the US’s lead. In the wake of the invasion of Ukraine, the German government told businesses to stop using Kaspersky, and the Italian government removed its system from public sector organisations. Kaspersky claimed both decisions were politically motivated.