The Biden administration is expected to announce plans on Thursday to ban Kaspersky Lab’s antivirus software from being sold in the United States, according to people familiar with the matter, as the company’s large U.S. clients include critical infrastructure providers and state and local governments.
The company’s close ties to the Russian government were found to pose significant risks, the people said, adding that the software’s privileged access to computer systems could allow it to steal sensitive information from U.S. computers, install malware or withhold critical updates.
The sweeping new rules, which use broad powers created by the Trump administration, combined with a separate measure to add the company to a trade-restricted list, could deal a blow to the company’s reputation and hurt its sales overseas, according to two other people familiar with the matter.
The plan to add the cybersecurity companies to the Entity List would effectively ban the companies’ U.S. suppliers from selling to the company, but the timing and details of the software sales ban have not previously been reported.
A Commerce Department spokesman declined to comment, and Kaspersky Lab and the Russian Embassy did not respond to requests for comment.
Kaspersky has previously said it is a privately run company with no ties to the Russian government.
The moves signal the administration is seeking to root out the risk of Russian cyberattacks posed by Kaspersky software and keep Moscow under pressure, as the war effort in Ukraine gains renewed momentum and the United States runs out of new sanctions it can impose on Russia.
It also shows the Biden administration is making use of strong new powers that allow it to ban or restrict transactions between U.S. companies and the internet, telecommunications and tech companies of “foreign adversaries” such as Russia and China.
The tool is largely untested.
Former President Donald Trump tried to use these laws to ban Americans from using the Chinese social media platforms TikTok and WeChat, but federal courts blocked those measures.
The new restrictions on the import and sale of Kaspersky Lab software, which also ban the downloading of software updates and the resale and licensing of its products, will take effect on September 29, 100 days after the announcement, to give companies time to find alternatives. Kaspersky Lab will be blocked from new business in the United States 30 days after the restrictions are announced.
The sale of white-label products that incorporate Kaspersky Lab into software sold under a different brand name will also be banned, and the Commerce Department will notify companies before the ban comes into effect, the sources said.
It is not clear how the Entity List inclusion would affect Kaspersky Lab, whose Russian operations are already subject to sweeping U.S. export controls over Ukraine, making it nearly impossible for U.S. products other than food and medical equipment to reach Russia.
Supply chains could be disrupted if the Commerce Department adds Kaspersky Lab’s foreign entities to a list of companies buying critical raw materials from the U.S. If it adds only Russian companies, the impact would be primarily reputational.
Kaspersky has long been a target of regulators: In 2017, the Department of Homeland Security banned the company’s flagship antivirus product from federal networks, alleging ties to Russian intelligence and noting that Russian law allows spies to coerce Kaspersky into cooperating and use Russian networks to eavesdrop on communications.
Pressure on the company’s U.S. operations has grown following Russia’s moves against Kiev. Reuters reported that the day after Russia invaded Ukraine in February 2022, the U.S. government privately warned some U.S. companies that Russia could manipulate software designed by Kaspersky to cause harm.
The war prompted the Commerce Department to step up its national security investigation into the software, leading to Thursday’s action, as first reported by Reuters.
The source said the delay in announcing the ban was due in part to “considerable back and forth” with Kaspersky Lab, which proposed a mitigation rather than a total ban.
But the agency concluded that because of the threats, particularly their ties to the Russian government, “there are virtually no mitigating measures that can be put in place to address these risks.”
Under the new rules, distributors and resellers who violate the restrictions will be fined by the Department of Commerce, and the Department of Justice can bring criminal charges if the prohibitions are violated willfully. Users of the software will not face legal penalties, but they will be strongly encouraged to stop using it.
Kaspersky, which has a holding company in Britain and is based in Massachusetts, said in a company profile that it generated revenue of $752 million from more than 220,000 corporate clients in about 200 countries in 2022. Its website lists Italian carmaker Piaggio, Volkswagen’s Spanish retail unit and the Qatar Olympic Committee as clients.
