June 28, 2024

Commerce Department: Final Determination of Russia-Backed Cybersecurity, Antivirus Software

Ruling That Bans Company from Providing Those Products or Services in U.S. Is First of Its Kind
Holland & Knight Alert
Andrew K. McAllister | Robert A. Friedman | Noah Curtin | Ronnie Rosen Zvi

Highlights

  • The U.S. Department of Commerce issued a Final Determination prohibiting Kaspersky Lab Inc., the U.S. subsidiary of a Russia-backed antivirus software and cybersecurity company, from providing antivirus software and cybersecurity products or services in the United States or to U.S. persons.
  • This action is the first Final Determination issued by the Commerce Department's Office of Information and Communications Technology and Services (OICTS) and reflects the U.S. government's heightened scrutiny of supply chain security and transactions with "foreign adversaries" involving sensitive technologies.
  • U.S. individuals and businesses that utilize Kaspersky software are strongly encouraged to transition to new cybersecurity and antivirus software suppliers for their products to avoid business disruption and/or violation of the Final Determination.
  • In addition to the Final Determination, the Commerce Department's Bureau of Industry and Security (BIS), along with the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), carried out additional measures aimed at preventing transactions with, and exports of controlled items to, certain Kaspersky senior leadership officials and entities.

The U.S. Department of Commerce's Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS) issued a Final Determination on June 20, 2024, pursuant to Executive Order (E.O.) 13873, "Securing the Information and Communications Technology and Services Supply Chain." The Final Determination bans Russian-backed cybersecurity firm Kaspersky Lab Inc. and its affiliates, subsidiaries and parent companies (collectively, Kaspersky) from, directly or indirectly, providing antivirus software and cybersecurity products or services in the United States or to U.S. persons. Violations of the Final Determination can result in civil and criminal penalties.

This Final Determination is the first of its kind issued pursuant to the E.O. and showcases the U.S. government's heightened scrutiny of supply chain security and of transactions involving sensitive technologies from "foreign adversaries," a term defined to include China, Cuba, Iran, North Korea, Russia and the Maduro Regime (Venezuela).

Background

On May 15, 2019, President Donald Trump signed into effect E.O. 13873, authorizing the Commerce Department to review certain transactions involving information and communications technology or services (ICTS) designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a "foreign adversary" that pose an undue or unacceptable risk to the United States or U.S. persons.

E.O. 13873, as implemented in 15 C.F.R. Part 7, allows the Commerce Department to prohibit any person from acquiring, importing, transferring, installing, dealing in or using ICTS from a person owned by, controlled by or subject to the jurisdiction or direction of "foreign adversaries" where the Commerce Department determines the transaction 1) poses an undue risk of sabotage to or subversion of ICTS in the U.S., 2) poses an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the U.S. or 3) poses an unacceptable risk to the national security of the U.S. or the security and safety of U.S. persons.

Prior to this action against Kaspersky, the Commerce Department had not taken any action pursuant to this authority.

BIS Action Against Kaspersky

What is Kaspersky?

Kaspersky Lab Inc. is a U.S. subsidiary of a Russia-backed antivirus software and cybersecurity company. Key aspects of its business (software design, development and supply) are conducted in Russia. Additionally, Eugene Kaspersky – the company's founder, majority owner and current CEO – is a Russian national who resides in Russia. From this information, the Commerce Department determined that Kaspersky is subject to the jurisdiction and direction of the Russian government, a "foreign adversary" per 15 C.F.R. 7.4(a)(5).

BIS Investigation and Review

On Aug. 25, 2021, the U.S. Department of Justice (DOJ) referred Kaspersky's ICTS transactions involving the provision of cybersecurity and antivirus software and related services to persons subject to U.S. jurisdiction to the Commerce Department. Following its review of all relevant documents, the Commerce Department issued an Initial Determination on Oct. 5, 2023, that was challenged by Kaspersky in its official written response. The Commerce Department ultimately rejected Kaspersky's challenge, including proposed mitigation measures, and announced the present Final Determination.

BIS found five key risks that Kaspersky's ICTS offerings pose to U.S. national security and to the safety and security of U.S. persons:

  • Russia is a foreign adversary that continues to threaten the U.S.
  • Kaspersky is subject to the jurisdiction, control or direction of the Russian government.
  • Kaspersky software provides the Russian government access to sensitive U.S. customer information.
  • Kaspersky software allows for the capability and opportunity to install malicious software and withhold critical updates.
  • The manipulation of Kaspersky software, including in U.S. critical infrastructure, can cause significant risks of data theft, espionage and system malfunction.

Such manipulation can also put U.S. economic security and public health at risk, resulting in injuries or loss of life.

Prohibitions on Kaspersky ICTS Software

According to the Final Determination, there are three sets of ICTS transactions that are restricted:

  • ICTS transactions involving any cybersecurity product or service designed, developed, manufactured or supplied, in whole or in part, by Kaspersky, to include those products and services listed in Appendix B to the Final Determination.
  • ICTS transactions involving any antivirus software designed, developed, manufactured or supplied, in whole or in part, by Kaspersky to include those products and services listed in Appendix B.
  • ICTS transactions involving the integration of software designed, developed, manufactured or supplied, in whole or in part, by Kaspersky into third-party products or services (e.g., "white-labeled" products or services).

Effective 12 a.m. EDT on July 20, 2024, Kaspersky is prohibited from entering into any new agreements with U.S. persons involving any one or more covered ICTS transactions identified above.

Additionally, effective 12 a.m. EDT on Sept. 29, 2024, the Final Determination prohibits Kaspersky and any of its successors or assignees from providing antivirus signature updates and codebase updates associated with the ICTS transactions identified above, as well as from operating the Kaspersky Security Network within the U.S. or on any U.S. person's information technology system. Also effective at 12 a.m. EDT on Sept. 29, 2024, the Final Determination prohibits the resale of Kaspersky cybersecurity or antivirus software, the integration of Kaspersky cybersecurity or antivirus software into other products and services, and the licensing of Kaspersky cybersecurity or antivirus software for purposes of resale or integration into other products or services.

Associated Actions Against Kaspersky by BIS and OFAC

Additions to the Entity List

Concurrently with the issuance of its Final Determination, BIS has also issued a Final Rule amending the Export Administration Regulations (EAR) by adding three new entries to the Entity List. The Entity List identifies entities believed to be involved in activities contrary to the national security or foreign policy interests of the U.S. and imposes additional licensing requirements for the export, reexport and transfer (in-country) of items subject to the EAR to listed entities.

The Final Rule, effective immediately, announced the addition of AO Kaspersky Lab and OOO Kaspersky Group in Russia, as well as Kaspersky Labs Limited in the United Kingdom, to the Entity List. According to the Final Rule, these entities were added because of their cooperation with Russian military and intelligence authorities in support of the Russian government's cyber intelligence objectives.

OFAC Sanctions

On June 21, 2024 – the day following the issuance of the Final Determination – the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) designated 12 individuals in executive and senior leadership roles at AO Kaspersky Lab (Russia) onto its Specially Designated Nationals and Blocked Persons List (SDN List) for operating in the technology sector of the Russian Federation economy.

As a result of the designation, U.S. persons are prohibited from engaging in transactions involving designated individuals or their property, including any entities that are owned, directly or indirectly, 50 percent or more by one or more designated individuals.

Implications

To provide time for Kaspersky's software customers to transition to alternative cybersecurity and antivirus software services, BIS is allowing Kaspersky to continue providing services to U.S. persons until Sept. 29, 2024. Until that date, Kaspersky is permitted to provide antivirus software updates and codebase updates to current U.S. subscribers and users of its cybersecurity and antivirus products and services. However, effective July 20, 2024, Kaspersky will be prohibited from entering into any new agreements with U.S. persons involving covered products.

Organizations and individuals looking to remove Kaspersky software from their internal systems and personal devices may review the Cybersecurity and Infrastructure Security Agency's (CISA) Software Removal Guide and Software Removal Guide for Personal Devices, respectively.

Additionally, companies that sell hardware or software containing embedded antivirus and cybersecurity software should ensure their products do not contain any Kaspersky software prohibited by the Final Determination. Companies should be aware that integrating or licensing Kaspersky cybersecurity or antivirus software into other products and services will be prohibited starting on Sept. 29, 2024. Note that any violation of the Final Determination may subject the violator to civil – and even criminal – penalties under the authority of the International Emergency Economic Powers Act (IEEPA), the same authority that applies to penalties under most economic sanctions programs.

Moreover, considering the potential exposure of sensitive data to malign actors and the potential lack of cybersecurity coverage, companies are encouraged to transition to alternative suppliers, since individuals or businesses that continue to use Kaspersky products would assume the risks of doing so.

Finally, U.S. persons should avoid engaging in any transactions involving the 12 designated individuals from Kaspersky leadership, and exporters dealing with items subject to the EAR should be aware of the addition of the three key Kaspersky entities to the Entity List and ensure they are not exporting covered items in cases where any of the entities are a party to the transaction.

Conclusion

This Final Determination issued by the Commerce Department reflects the broader trend of increased enforcement of cross-border transactions involving U.S. persons and foreign adversaries. This new enforcement mechanism – carried out through BIS and OICTS, along with associated actions carried out by BIS and OFAC – reflects the Biden Administration's "whole of government" approach to combatting adversarial countries and protecting U.S. national security, with particular focus on data privacy of U.S. persons and U.S. critical infrastructure. Therefore, it is reasonable to expect additional measures and determinations of this nature to be issued in the near future.

For more information on the implications of this Final Determination or assistance with complying with U.S. export control regulations, please contact the authors or another member of Holland & Knight's International Trade Group.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.

