Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On June 20, 2024, Commerce’s Bureau of Industry and Security issued a Final Determination prohibiting Kaspersky Lab, Inc. from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. This action followed an investigation which found that transactions involving Kaspersky’s products and services pose an unacceptable risk to U.S. national security, as outlined in Executive Order 13873. The full ban will take effect this fall and is part of a broader effort to limit information and communication technology transactions between U.S. persons and countries designated as “foreign adversaries,” including Russia and China. Companies should assess the impact of the Information and Communications Technology and Services (ICTS) regulations on their global supply chains as the U.S. government is expected to apply greater scrutiny to ICTS transactions involving China, Russia, and other foreign adversary countries.
On June 20, 2024, the Commerce Department’s Bureau of Industry and Security (BIS) issued a Final Determination in Case No. ICTS-2021-002, prohibiting Russian cybersecurity firm Kaspersky Lab, Inc. together with its affiliates, subsidiaries, and parent companies (collectively, Kaspersky) from entering into transactions to provide its cybersecurity and antivirus software to U.S. customers. Following what it termed a “lengthy and thorough investigation,” BIS found that Kaspersky posed an “unacceptable risk” to U.S. national security interests and ordered the company to cease engaging in a wide variety of transactions in the United States or with U.S. persons. Specifically:
Effective July 20, 2024 Kaspersky will be prohibited from entering into new agreements with U.S. persons for transactions involving any cybersecurity product or service or antivirus software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky as well as the integration of software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky into third-party products or services; and
Effective September 29, 2024 the prohibition will extend to cover additional transactions, including:
The provision of any anti-virus signature updates and codebase updates associated with the transactions described above;
The operation of Kaspersky Security Network (KSN) in the United States or on any U.S. person’s information technology system; and
The resale, licensing, and integration into other products or services of Kaspersky cybersecurity or antivirus software in the United States or by U.S. persons.
Individuals and businesses using Kaspersky software should consider consulting Appendix B of the Final Determination to review a non-exhaustive list of the products and services covered. Informational and education services including threat intelligence, training, and consulting services, for example, will not be affected.
BIS’ Final Determination was made pursuant to the Commerce Department’s authority under Executive Order (EO) 13873, “Securing the Information and Communications Technology and Services Supply Chain.” The EO declared that the unrestricted deployment and use of foreign adversary Information and Communications Technology and Services (ICTS) in U.S. supply chains is a national emergency, empowering the Commerce Department to prohibit certain transactions involving ICTS that pose an “unacceptable risk” to U.S. national security interests. The EO also gives the Commerce Department authority to reduce and, where possible, negate identified ICTS risks without any actual evidence of completed malicious acts.
The Commerce Department first issued its ICTS rules in 2021, but the Final Determination against Kaspersky marks the first Final Determination issued by BIS’ Office of Information and Communications Technology and Services (OICTS). The rules’ key purpose is to protect U.S. national security and critical infrastructure by allowing Commerce to restrict the domestic use of certain goods and technology that could be used for nefarious purposes. OICTS is permitted to review, limit, or completely prohibit certain ICTS transactions involving U.S. persons or property subject to U.S. jurisdiction if it determines that the ICTS is designed, manufactured, developed, or supplied by persons owned, controlled, or subject to the jurisdiction of a “foreign adversary.” Currently, the list of countries designated as “foreign adversaries” includes China (including Hong Kong), Russia, Cuba, Iran, North Korea, and the Maduro regime in Venezuela. This list, however, is not static and may be altered at the discretion of the Secretary of Commerce.
While the Commerce Department is only empowered to limit or prohibit ICTS transactions that occurred on or after January 19, 2021, it may monitor ongoing activities such as transmissions, software updates, and managed services. As a result, even if two or more entities entered into an underlying contract before January 19, 2021, BIS has the authority to review subsequent software update installations as new, separate ICTS “transactions.”
The Kaspersky Final Determination is part of a broader, relatively recent ramp up in ICTS enforcement efforts. Initially, there was much speculation as to how the Biden Administration would employ this new ICTS authority. In January of this year, Commerce announced the appointment of its first ever Executive Director of OICTS. Additionally, in February, Commerce announced an investigation targeted at transactions involving so-called “connected vehicles.” As its capabilities continue to expand, it appears almost certain that the Commerce will proceed to target additional industries and classes of ICTS transactions involving foreign adversaries.
More specifically, it appears likely that, moving forward, a greater number of Chinese entities engaging in ICTS transactions involving the United States may become targets of BIS investigations. As early as March of 2021, the Commerce Department issued subpoenas to several Chinese companies seeking information about their ICTS operations in the United States. Three months later, the White House issued Executive Order 14034, explicitly referencing Chinese firms in its directive to Executive branch agencies to investigate ICTS-related national security risks.
BIS found that Kaspersky’s software design, development, and supply are conducted in Russia; that the legal entity which holds the rights to Kaspersky’s IP is organized under Russian law; and that Kaspersky’s CEO is a Russian national who resides in Russia. Significantly, the Final Determination emphasizes that Kaspersky must, as a result of these ties, comply with Russian government requests for assistance or information—including requests to cooperate with the Russian Federal Security Service (FSB)—thereby creating a risk of Russian government access to sensitive U.S. information.
Notably, Kaspersky itself proposed two mitigation measures to address these concerns, both of which generally proposed changes to the company’s U.S. operations and staffing. BIS was unconvinced, however, that the proposed measures were sufficient to address its key concern: the Russian government’s ability to compel Kaspersky to provide it access to U.S. customer systems and information. All mitigation measures proposed by Kaspersky, provided in Appendix A of the Final Determination, were redacted as business confidential information. It will therefore be difficult for future subjects of a BIS investigation to determine what types of proposed measures would be technically effective, monitorable, and sufficient to address the identified ICTS risks—three criteria that the Department considers in order to determine whether proposed mitigation measures would be effective alternatives to limits or bans on the transaction(s) in question.
BIS assessed that the very nature of Kaspersky’s work—providing its customers with anti-virus and cybersecurity software—necessarily gave it access to sensitive U.S. person data. The Final Determination raised concerns that company engineers have “intimate knowledge” of backdoors and vulnerabilities present on U.S. person devices, knowledge which could, in turn, be misused to inspect data transited through devices that use Kaspersky software. Moreover, BIS assessed that the KSN function built into the software may further facilitate the targeted collection of sensitive data such as user account names, IP addresses, and information about the computer’s hardware. BIS determined that exploiting Kaspersky’s access to U.S. user data would therefore allow the Russian government to conduct espionage, compromise networks, or even gather U.S. business information, including intellectual property.
Again, Kaspersky proposed several mitigation measures to address this risk, but BIS determined that none of the proposed measures adequately addressed the source code vulnerabilities present in the anti-virus and cybersecurity software design process.
The Final Determination stressed that the company’s software may provide the Russian government with an opportunity to install malicious software on the devices of U.S. persons, or to strategically withhold critical malware updates to U.S. users. BIS determined that the Russian government, whether directly or through Kaspersky employees under its direction, could thereby leave U.S. users vulnerable to pernicious cyber-attacks.
In its written responses to BIS, Kaspersky stressed that the company implemented multiple safeguards to prevent malicious code from being introduced into a given user’s device and, again, proposed implementing new, additional mitigation measures. Remaining unconvinced, BIS emphasized that Kaspersky’s virus scanning operation places it at the “forefront for identifying new vulnerabilities in existing software, providing it with significant non-public information for ways to exploit” systems that utilize that software. The proposed and existing mitigation efforts were therefore insufficient to address BIS’ concern regarding the introduction of malicious code to Kaspersky-provided software.
In addition to its Final Determination, BIS added three entities—AO Kaspersky Lab (Russia), OOO Kaspersky Group (Russia), and Kaspersky Labs, Ltd. (United Kingdom)—to its Entity List for their “cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.” BIS’ Entity List compiles foreign individuals, companies, and organizations deemed to pose a risk to U.S. national security or foreign policy interests, and subjects them to certain licensing requirements and other obligations for the export, reexport, or transfer of specified goods and technologies.
On the heels of BIS’ Final Determination, the Treasury Department’s Office of Foreign Assets Control (OFAC) reported that it was sanctioning 12 individuals holding key leadership positions at AO Kaspersky Lab in response to “continued cybersecurity risks.” OFAC, however, stopped short of designating AO Kaspersky Lab itself, or its parent or subsidiary companies.
Companies assessing the impact of enhanced ICTS regulation should consider their global supply chain and the degree to which it touches ICTS associated with a “foreign adversary.” If so, it could risk becoming the target of future BIS enforcement actions.
Please contact any of the listed Hogan Lovells lawyers if you would like help in assessing the impact of ICTS enforcement on your company or if you have questions about how enhanced ICTS enforcement could affect your business.
Authored by Ajay Kuntamukkala and Tyra J. Walker.
Summer associate Elizabeth Spaeth contributed to this report.