Commerce Issues First-Ever ICTS “Final Determination” Banning Kaspersky Cybersecurity Products
On June 24, 2024, the Commerce Department published a Final Determination under its Information and Communications Technology and Services (ICTS) authorities. The determination prohibits the Russian-controlled cybersecurity and anti-virus software company Kaspersky Lab, Inc., and its affiliates and parent companies (“Kaspersky”), from entering into new transactions with U.S. persons, beginning July 20, 2024.
This is the first Final Determination under the ICTS authorities set forth in the 2019 Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” and its implementing regulations, published on January 19, 2021 (15 C.F.R. Part 7).
After receiving a referral from the Department of Justice in 2021, Commerce launched an initial review of Kaspersky’s sales in the U.S. market in 2022. Commerce determined that Kaspersky engages in covered transactions in the United States, which triggered extensive discussions and engagement with Kaspersky. After an interagency process, Commerce found that Kaspersky’s anti-virus software sold to U.S. persons poses an undue and unacceptable risk to U.S. national security and the safety and security of U.S. persons, and prohibited most transactions by Kaspersky involving U.S. persons.
While the Department of Homeland Security had required that all Kaspersky products be removed from federal government information systems in 2017,[1] followed by the decision of the Federal Communications Commission to place Kaspersky on its Covered List for entities posing unacceptable national security threats in 2022,[2] the Commerce Department in June 2024 exercised a regulatory tool never seen before: the ability to ban a technology company from operating in the U.S. commercial market.
Kaspersky is prohibited from entering into any new agreements with U.S. persons (including U.S. citizens and residents outside the United States) involving Kaspersky’s cybersecurity products or services, its antivirus software, or “white-labeled” third-party products or services that integrate Kaspersky software. These prohibitions are effective July 20, 2024. Kaspersky is further prohibited from providing updates to existing products and services beginning September 29, 2024. While the prohibition does not require that U.S. persons uninstall Kaspersky products, Commerce has indicated that “the prohibition against Kaspersky and its affiliates will impact the effectiveness of these products over time,” and Commerce has recommended that these products be replaced.[3]
The ICTS review process is case-by-case, where the subject is a specific entity and ICTS item(s), rather than a class of ICTS, and where the scope of transactions covered for that specific entity can be comprehensive. Contrary to some expectations when the ICTS regulations were first published, the prohibitions are not targeted to a specific Kaspersky transaction (or transactions) with a specific U.S. counterparty (e.g., like CFIUS), but instead include a comprehensive ban of an entire company’s sales in the United States, prohibiting virtually any transaction by Kaspersky involving Kaspersky’s products or services.
Commerce has clarified that civil and criminal penalties do not apply to U.S. persons or businesses that may continue to use Kaspersky products after the cut-off date, but instead serve to “prohibit Kaspersky from providing those products and services to U.S. persons.”[4] Commerce has indicated that individuals or entities that actively assist Kaspersky in conducting prohibited transactions after the effective dates may be prosecuted under the ICTS regulations.[5]
Commerce’s determination confirms that its focus is removing risks to key U.S. supply chains posed by the domestic acquisition or use of products and services from entities connected to foreign adversaries. In this regard, the ICTS authorities plug a perceived regulatory gap related to inbound technology transfers into the U.S. market.[6] Importantly, this Final Determination “imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located,” which means that U.S. businesses with international as well as domestic operations, and U.S. citizens in international businesses, cannot engage in covered transactions with Kaspersky.[7]
Commerce has provided a detailed, step-by-step account of the process and the criteria that led to its Final Determination. This is both a blueprint for future ICTS enforcement and a warning to U.S. companies of what to consider and expect if their supply chain relationships have exposure to Russian or Chinese entities. For example, consumers or users of certain telecommunications products and services from companies like Huawei, ZTE, Hikvision, Hytera, Dahua, and others that have been banned in the federal government’s supply chain may consider whether ICTS actions may be forthcoming.
Commerce indicated at the time that ICTS regulations were published that Commerce would provide a process for voluntary licensing or pre-clearance of transactions, similar to a CFIUS-like “safe harbor.” No such process has been forthcoming. It is entirely possible that entities for which Commerce has initiated an ICTS review will not be aware that they are under review until they receive an ICTS administrative subpoena (as appears to be the case with Kaspersky) or an initial determination from Commerce that the transaction(s) should be prohibited.
As we noted when the ICTS rule was first published in 2021, the U.S. government’s expanded and growing regulatory toolkit ensures that almost any ICTS-related activity in the United States is potentially subject to regulatory review. Commerce’s FAQs noted that “this action will be the first of many” targeting foreign adversary entities in the U.S. supply chain.[8]
Pursuant to Commerce’s ICTS authorities, the Secretary of Commerce may issue a determination to prohibit a transaction involving any ICTS technology or service designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction of foreign adversaries that the Secretary determines poses undue or unacceptable risks, as identified in Executive Order 13873. The ICTS regulations prescribe a process for Commerce to review transactions and make such determinations.[9]
Let’s review the key findings of the process:
Initiation of Review
The review process can be initiated by the Department of Commerce or by a referral from another agency.
In this case, Commerce began its review following a referral from the Department of Justice dated August 25, 2021.
Determination of Covered Transaction
Commerce must determine if the transaction is a “covered transaction” as per 15 C.F.R. § 7.3 and assess national security risks under § 7.103.
The transactions in question were deemed “covered transactions” by Commerce.
Risk Assessment Process
Commerce conducted a risk assessment of Kaspersky’s cybersecurity and anti-virus software.
An administrative subpoena was issued to Kaspersky on May 25, 2022, to gather necessary information.
The assessment included reviewing documents from Kaspersky, unclassified information from other agencies, and public sources.
Consultation and Initial Determination
Upon identifying undue or unacceptable risks, Commerce consulted with nine federal agencies as required.
The Initial Determination highlighted three primary risks associated with Kaspersky:
Post-consultation, Commerce issued the Initial Determination recommending prohibition of certain ICTS transactions involving Kaspersky’s software and informed Kaspersky on October 5, 2023.
Response from Kaspersky
Kaspersky was allowed to contest the determination and propose mitigation measures under 15 C.F.R. § 7.107.
Kaspersky submitted a written response and proposed mitigation measures on January 3, 2024, challenging the Initial Determination.
The proposed mitigation measures involved changes to the company’s operations and staffing in the U.S. Parts of Kaspersky’s specific mitigation proposals are redacted from the Final Determination for confidentiality reasons, which complicates the evaluation of their technical effectiveness, monitorability, and adequacy in addressing the identified ICTS risks. Nonetheless, it is evident that these measures did not alleviate concerns regarding the unacceptable national security risks posed by Kaspersky, based on the three identified risk areas.
Final Determination Process
Prior to issuing the Final Determination, Commerce must achieve consensus among all nine federal agencies to proceed with prohibiting the ICTS transaction.
Following This Process, Commerce Made the Following Final Determination Regarding ICTS Technologies and Services Supplied by Kaspersky:
Effective July 20, 2024, Kaspersky is prohibited from entering into any new agreement with U.S. persons involving any of the ICTS classified transactions. The prohibitions include:
Effective September 29, 2024, further restrictions include the following:
As the key first step in Commerce’s review of an ICTS transaction, Commerce determines whether the transaction at issue is a “covered transaction” under the criteria set forth in E.O. 13873 and 15 C.F.R. § 7.3(a)(1–4). Following the DOJ’s referral in this case, Commerce established that Kaspersky’s software sold within the U.S. constituted a “covered transaction,”[10] because it met the definition’s elements under 15 C.F.R. § 7.3(a) as follows:
After assessing that Kaspersky’s ICTS transactions are covered transactions, Commerce initiated a review of whether Kaspersky’s U.S. offerings posed an undue or unacceptable risk to national security. Commerce issued an administrative subpoena to Kaspersky, reviewed Kaspersky’s documents and information submitted in response, met with Kaspersky during the 2022–2024 period, and assessed Kaspersky’s proposed mitigation measures.[11]
Commerce noted in its Final Determination that the threat did not stem from whether Kaspersky products are effective in their commercial function. Rather, Commerce found that Kaspersky’s products can be used strategically to cause harm to the United States, presenting a risk that outweighs Kaspersky’s contributions to the cybersecurity of individual customers.[12]
The Department pointed out that Kaspersky is significantly influenced by Russian control, noting that AO Kaspersky Lab, which holds intellectual property rights over the cybersecurity software, is an entity incorporated under the laws of Russia, and the company’s CEO, a Russian national residing in Russia, further subjects Kaspersky to Russian government jurisdiction. Under Russian law, companies like Kaspersky are mandated to cooperate with Russian intelligence.
Furthermore, the Commerce Department highlighted the inherent risks associated with the nature and position of Kaspersky’s products in ICTS systems. Installed across U.S. IT infrastructure, Kaspersky’s security software allows Kaspersky “persistent access to devices.” The software also “operates at the kernel level, providing company employees the capability to acquire unhindered access to all systems on the device.”
Despite Kaspersky’s counterarguments, Commerce found that significant concerns remained with the covered transactions, specifically the potential for Kaspersky employees to access sensitive U.S. data and the flexibility by which Kaspersky’s data privacy policies can be altered by company leadership on an at-will basis.[13] Commerce was not persuaded by Kaspersky’s arguments that individual-level data is held on servers outside of Russia; Commerce also concluded that Kaspersky’s proposed mitigation measure of restructuring U.S. operations would do little to prevent remote access by Russian personnel. Commerce ultimately confirmed its initial finding in its Final Determination, which received unanimous approval from the nine agencies under the second interagency consultation, as required by the ICTS regulations.[14]
Commerce’s ICTS review process operates under the purview of its Office of Information and Communications Technology and Services (OICTS), an office within the Bureau of Industry and Security tasked with the implementation of Executive Orders concerning information technology, cybersecurity, and artificial intelligence. Although launched in 2021, the office has only been recently fully staffed, with its first Executive Director appointed in January 2024.
In response to identified national security risks, OICTS can employ a few regulatory tools: it can engage in rulemaking pursuant to Executive Orders in order to regulate entire classes of transactions, as seen in new proposed rules on Infrastructure-as-a-Service providers and the training of large AI models used abroad and new prohibitions on connected vehicles that utilize key parts made in foreign adversary jurisdictions. The office can also engage in case-by-case determinations involving individual companies; the Kaspersky order is OICTS’s first individual-level determination. The Final Determination regarding Kaspersky suggests that OICTS is now prepared to leverage its growing regulatory powers to issue and enforce significant actions, under the ICTS review process, against companies in the ICTS supply chain with substantial connections to foreign adversaries.[15]
Commerce’s ICTS enforcement authority requires a nexus to foreign adversary countries identified in the regulations, and OICTS has indicated that, when it comes to companies on the office’s radar, there must be a clear link to an adversarial country listed on 15 C.F.R. § 7.4(a), like Russia or China.[16] Second, the office analyzes and assesses the level of U.S. market penetration of the articles or services that come from a foreign adversary, in order to evaluate “the risk of sabotage to or subversion of the design integrity, manufacturing, production, distribution, installation, operation or maintenance of ICTS in the United States.”[17] Kaspersky, as a major antivirus software provider in the United States with substantial ties to Russia, comfortably fits OICTS’s criteria.
The decision to ban Kaspersky’s operations in the U.S. market is a significant development in the ICTS field. Regulators equipped with authorities under 15 C.F.R. part 7 can assess commercial products in the ICTS sector being offered to U.S. consumers and their nexus with foreign adversaries. Companies in the ICTS field may consider:
In this detailed determination, Commerce lays the foundation for future determinations involving software and information technology companies with significant supply-chain contacts in foreign adversary countries. The determination signals that companies operating in the ICTS supply chain, owned fully or in part by entities or persons in designated adversary countries like Russia or China, will likely face greater scrutiny. U.S. companies and ICTS acquirors and users whose supply-chain relationships have exposure to Russian or Chinese entities should consider the impacts of these developments on their commercial strategy.
Paired with broad rulemaking authority in sectors of interest and this most recent company-specific determination, OICTS is gearing up to be a potent regulatory body. Its rapid increase in staffing and funding only confirms this.[18] Companies operating across the ICTS supply chain should review their contacts with suppliers from foreign adversary jurisdictions and stay abreast of relevant decisions in the field. The MoFo National Security team stands ready to help you assess your risks and answer any compliance questions.
[1] Binding Operational Directive 17-01: Removal of Kaspersky-branded Products, 82 F.R. 43782-84 (September 19, 2017).
[2] Federal Communications Commission, “FCC Expands List of Equipment and Devices that Pose Security Threat.” (March 25, 2022) (https://www.fcc.gov/document/fcc-expands-list-equipment-and-services-pose-security-threat).
[3] Office of Information and Communications Technology and Services, “Kaspersky Frequently Asked Questions.”
[4] Id.
[5] See id.; see also “Penalties” under the ICTS Supply Chain regulations, 15 C.F.R. § 7.200.
[6] Treasury recently announced its proposed rule to control outbound investment. See Proposed Rule, “Provisions Pertaining to U.S. Investments in Certain National Security Technologies and Products in Countries of Concern,” 89 F.R. 55846-55881 (July 5, 2024).
[7] Office of Information and Communications Technology and Services, “Kaspersky Frequently Asked Questions.”
[8] Id.
[9] See 15 C.F.R. § 7.103 (“Initial Review of ICTS Transactions”) and 15 C.F.R. § 7.3 (“Scope of Covered ICTS Transactions”). See also Client Alert, “Biden Administration Carries Forward Trump Era Executive Order Scrutinizing Imports and Sales of Certain Communications Technology and Services” (April 1, 2021).
[10] Id. at 52434–35.
[11] Id. at 52434–36.
[12] Final Determination, 89 F.R. at 52435. Commerce also addressed the question, “Doesn’t this action actually increase the risk of exploitation by other malicious foreign actors?” head-on in its FAQs, posted alongside the Final Determination (stating that this prohibition strengthens the broader cybersecurity ecosystem by removing Russian government access to U.S. customers’ computers and data). See Office of Information and Communications Technology and Services, “Kaspersky Frequently Asked Questions.”
[13] Final Determination, 89 F.R. at 52436.
[14] See 15 C.F.R. § 7.108 (“Second Interagency Consultation”).
[15] Geoff Irving, Acting Technology Director at OICTS, “Understanding the ICTS Program” Conference Session, Bureau of Industry and Security Update Conference on Export Controls and Policy (March 27, 2024).
[16] Q&A Section, “Understanding the ICTS Program” Conference Session, Bureau of Industry and Security Update Conference on Export Controls and Policy (March 27, 2024). See also Final Determination, 89 F.R. at 52434.
[17] Q&A Section, “Understanding the ICTS Program” Conference Session.
[18] Elizabeth Cannon, OICTS Director, “Understanding the ICTS Program” Conference Session, Bureau of Industry and Security Update Conference on Export Controls and Policy (March 27, 2024).