Kaspersky: Biden administration prepares to block Americans from using Russian-made software over national security concerns



CNN

The Biden administration is preparing to take the unusual step of issuing an order that would bar American companies and citizens from using the software of a major Russian cybersecurity firm over national security concerns, five US officials familiar with the matter told CNN.

The move, which is being finalized and could happen as early as this month, would use the Commerce Department’s relatively new powers based on executive orders signed by Presidents Joe Biden and Donald Trump to bar Kaspersky Lab from providing certain products and services in the US, sources said.

US government agencies are already banned from using Kaspersky Lab software, but the move to prevent private companies from using the software would be unprecedented. Nothing is final until it is announced, the sources cautioned, but the Commerce Department has made an “initial decision” to ban certain transactions between a Russian company and U.S. persons, the sources said.

It’s the latest attempt by the US government to use its vast regulatory powers to prevent Americans from using a popular technology that US officials see as a national security risk. It comes as the Senate considers a bill that would force Chinese-owned TikTok to find a new owner or face a US ban.

One goal of the order would be to mitigate any risk to critical U.S. infrastructure, sources familiar with the policy process told CNN. An initial draft of the decision to ban certain Kaspersky software that circulated last year concerned US persons, but could be amended, according to a source who has seen the draft.

The sources declined to detail the full scope of the final order against Kaspersky products, but the focus is expected to be on the company’s antivirus software.

A Kaspersky Lab spokesman did not respond to questions about the potential ban or what the company’s market share is in the US.

A Commerce Department spokesman declined to comment on any potential ongoing action related to Kaspersky products.

U.S. officials have claimed for years that the Russian government could force Kaspersky Lab to hand over data or use its antivirus software to try to hack or surveil Americans — allegations that Kaspersky Lab vehemently denies.

Under US law, Kaspersky Lab can appeal an “initial decision” to ban the use of its products or reach an agreement with the government that mitigates US security concerns before Commerce issues a final decision.

Commerce Department officials must carefully consider how practical such a regulation would be for the department to implement and how well users would need to comply. It wouldn’t make sense, for example, to force a small company somewhere in America to uninstall the Kaspersky software if it was disruptive and the business has no national security impact.

More than 400 million people and 240,000 companies worldwide use Kaspersky Lab’s software products, according to the company. It is not clear how many of these people and companies are in the US. But US officials believe the risk the software poses to US infrastructure is high enough to justify a pending order.

In 2017, the Trump administration forced US federal civilian agencies to purge Kaspersky Lab software products from their networks, and Congress later codified the ban and applied it to US military networks. But the expected move by the Biden administration would go a step further by using the Commerce Department’s authority to prevent private companies from using Kaspersky Lab’s software.

The Commerce Department’s powers are relatively new and stem in part from a 2021 executive order signed by Biden to protect Americans’ personal information from “foreign adversaries” and a related executive order signed by Trump in 2019.

Both orders cite a “national emergency” related to security threats to the US software supply chain and the Commerce Secretary’s ability to review risky transactions under a 1977 law known as the International Emergency Economic Powers Act. Specifically, the Secretary may prohibit or mitigate the risk of transactions involving the information and communications technology supply chain, as updated by two executive orders.

The Wall Street Journal reported last year that Commerce was weighing using its powers to restrict the use of Kaspersky Lab software, but that no decision had been made to do so.

But after months of considering how to effectively use the Commerce Department’s regulatory powers against the use of Kaspersky Lab software, U.S. officials are finally preparing to use the authority, a U.S. official familiar with the private conversations told CNN.

The pending action “signals a new era in which Commerce will be more willing to intervene in the name of protecting national security,” Henry Young, a former senior adviser at the Commerce Department, told CNN.

Companies “owned or controlled by a foreign adversary should pay attention” if the Commerce Secretary shows “a willingness to prohibit transactions that pose an unacceptable risk to US national security,” said Young, who is now senior policy director at the Business Software Alliance, an industry lobby.

The Commerce Department aims to use its authority in the most precise way that addresses national security issues without negatively impacting American businesses or consumers, a Commerce official told CNN. The official discussed the department’s general approach to regulating technology transactions rather than any specific potential action.

“We will do what is relevant to the national security risk and nothing more,” the Commerce official said. “If that includes saying: X, Y, Z critical infrastructure operators in high-risk sectors, you can’t use this software and that software provider can’t do business with you, then we will do that. And if it needs to be wider, we will do it.”

Founded in Moscow in 1997, Kaspersky Lab has grown to become one of the world’s most successful antivirus software companies alongside American rivals such as McAfee and Symantec. Kaspersky Lab’s researchers, recognized as the top in the cybersecurity industry, are known for analyzing hacking operations suspected of being carried out by various governments including Russia, the US and Israel, as well as cybercrime threats that affect everyday users.

Some of the speculation and suspicion among US officials about the Russian company has centered on Eugene Kaspersky, a charismatic computer expert who co-founded Kaspersky Lab in Moscow in 1997.

Eugene Kaspersky studied cryptography at a KGB-sponsored university — a fact that some US lawmakers like to mention when trying to link the company to the Russian government. Kaspersky Lab has denied “any unethical ties or association with any government, including Russia.” After graduation, Kaspersky served as a software engineer at a Russian Defense Ministry institute, which is “the extent of his military experience,” the company said.

Kaspersky lamented that his company is a victim of geopolitical tensions between the West and Russia — tensions that have only become more acute since the Kremlin’s all-out invasion of Ukraine in 2022.

But despite legal battles and years of heated rhetoric, Kaspersky Lab’s relationship with the US government has not always been acrimonious. The company’s tip to the US government eventually led to the arrest in 2016 of a National Security Agency associate named Harold Martin, who was convicted on charges related to the theft of classified information, Politico reported.

But a second reported incident involving another NSA contractor did nothing to ease U.S. officials’ suspicions about the Russian software company.

Hackers working for the Russian government stole files on US cyber operations from another NSA contractor in 2015, the Wall Street Journal reported in 2017. Russian hackers appear to have targeted the contractor after identifying the files through the contractor’s use of Kaspersky Lab software, the Journal reported, citing people familiar with the incident.

Kaspersky Lab said in a statement at the time that the company “has not received any information or evidence to support this alleged incident, and as a result, we must assume that this is another example of a false accusation.”

CNN’s Zachary Cohen, Phil Mattingly and Evan Perez contributed reporting.
