The Biden administration will ban all sales of Kaspersky antivirus software in the US starting in July, according to reporting from Reuters and a filing from the US Department of Commerce (PDF).
The US believes that security software made by Moscow-based Kaspersky Lab represents a national security risk and that the Russian government could use Kaspersky’s software to install malware, block other security updates, and “collect and weaponize the personal information of Americans,” said US Commerce Secretary Gina Raimondo.
“When you think about national security, you may think about guns and tanks and missiles,” said Raimondo during a press briefing, as reported by Wired. “But the truth is, increasingly, it’s about technology, and it’s about dual-use technology, and it’s about data.”
US businesses and consumers will be blocked from buying new software from Kaspersky starting on or around July 24, 2024, 30 days after the restrictions are scheduled to be published in the Federal Register. Current users will still be able to download the software, resell it, and download new updates for 100 days, which Reuters says will give affected users and businesses time to find replacement software. Rebranded products that use Kaspersky’s software will also be affected.
Companies that continue to sell Kaspersky’s software in the US after the ban goes into effect could be subject to fines.
The ban follows a two-year national security probe of Kaspersky’s antivirus software by the Department of Commerce. It’s being implemented using authority that the government says it was given under a national defense authorization act signed during the Trump administration in 2018.
The ban is the culmination of long-running concern across multiple presidential administrations. Kaspersky’s software was banned from systems at US government agencies following allegations of the company’s links to Russian intelligence operations. A month after Russia began its invasion of Ukraine in early 2022, the US Federal Communications Commission went one step further, adding Kaspersky to a security threat list that included Chinese hardware makers Huawei and ZTE. Adding Kaspersky to that list didn’t ban consumer sales, but it did prevent Kaspersky from receiving funding from the FCC.
For its part, Kaspersky and its representatives have always denied the US government’s allegations. CEO Eugene Kaspersky called the 2017 reports “BS brewed on [a] political agenda,” and the company similarly accused the FCC in 2022 of making decisions “on political grounds” and “not based on any technical assessment of Kaspersky products.”
Update, 6/21/2024 at 5pm Eastern: Kaspersky shared the following statement with Ars, reiterating that it views the Department of Commerce’s moves as primarily political rather than motivated by fact and vowing to “pursue all legally available options” to protect its business. We’ve included the full text of the company’s statement below.
“Kaspersky is aware of the decision by the U.S. Department of Commerce to prohibit the usage of Kaspersky software in the United States. The decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S. Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted 3rd party, Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services. Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies. The company intends to pursue all legally available options to preserve its current operations and relationships.
For over 26 years, Kaspersky has succeeded in its mission of building a safer future by protecting over a billion devices. Kaspersky provides industry-leading products and services to customers around the world to protect them from all types of cyber threats, and has repeatedly demonstrated its independence from any government. Additionally, Kaspersky has implemented significant transparency measures that are unmatched by any of its cybersecurity industry peers to demonstrate its enduring commitment to integrity and trustworthiness. The Department of Commerce’s decision unfairly ignores the evidence.
The primary impact of these measures will be the benefit they provide to cybercrime. International cooperation between cybersecurity experts is crucial in the fight against malware, and yet this will restrict those efforts. Furthermore, it takes away the freedom that consumers and organizations, large and small, should have to use the protection they want, in this case forcing them away from the best anti-malware technology in the industry, according to independent tests. This will cause a dramatic disruption for our customers, who will be forced to urgently replace technology they prefer and have relied upon for their protection for years.
Kaspersky remains committed to protecting the world from cyberthreats. The company’s business remains resilient and strong, marked by an 11-percent growth in sales bookings in 2023. We look forward to what the future holds, and will continue to defend ourselves against actions that seek to unfairly harm our reputation and commercial interests.”