The Biden administration is preparing to take the unusual step of issuing an order that would bar US companies and citizens from using software made by a major Russian cyber security firm due to national security concerns, five US officials familiar with the matter told CNN.
The move, which is being finalized and could happen as soon as this month, would use relatively new Commerce Department authorities based on executive orders signed by Presidents Joe Biden and Donald Trump to ban Kaspersky Lab from providing certain products and services in the United States, sources said.
US government agencies are already banned from using Kaspersky Lab software but a move to ban private companies from using the software would be unprecedented. Nothing is final until it is announced, the sources warned, but the Commerce Department has made a “preliminary decision” to ban certain transactions between the Russian company and US people, the sources said.
It is the latest attempt by the US government to use its vast regulatory powers to prevent Americans from using common technology that US officials consider a national security risk. It comes as the Senate weighs a bill that would force Chinese-owned TikTok to find a new owner or face a US ban.
One goal of the order would be to mitigate any risk to critical US infrastructure, the sources familiar with the policy process told CNN. A draft of the initial decision to ban the distribution of certain Kaspersky software last year concerned people in the US but could be amended, according to a source who has seen the draft.
The sources declined to detail the full scope of any final order against Kaspersky products, but the firm’s anti-virus software is expected to be targeted.
A Kaspersky Lab spokesperson did not respond to questions about a possible ban or how much market share the company has in the US.
A spokesman for the Commerce Department declined to comment on any pending action regarding Kaspersky products.
US officials have alleged for years that the Russian government could force Kaspersky Lab to hand over data or use its anti-virus software to try to hack or spy on Americans – allegations that Kaspersky denies.
Under US law, Kaspersky Lab can appeal the “initial decision” to ban the use of its products or reach an agreement with the government that alleviates US security concerns before any final Commerce ruling is announced.
Department of Commerce officials must carefully consider how practical any such regulation would be for the Department to enforce and for users to comply with. It would make little sense, for example, to force a small business somewhere in America to uninstall Kaspersky software if it was disruptive and the business had no impact on national security.
More than 400 million people and 240,000 companies worldwide use Kaspersky Lab software products, according to the company. It is not clear how many of those people and companies are in the US. But US officials believe the software’s risk to US infrastructure is high enough to justify the pending order.
A ‘new era’ in Commerce regulation
The Trump administration in 2017 forced US federal civilian agencies to purge Kaspersky Lab software products from their networks, and Congress subsequently codified the ban and applied it to US military networks. But the expected move from the Biden administration would go a step further by using Commerce Department authorities to prevent private companies from using Kaspersky Lab’s software.
The Commerce authorities are relatively new and are derived in part from a 2021 executive order signed by Biden in the name of protecting Americans’ personal data from “foreign intrusions” and a related order signed by Trump in 2019.
Both orders cite a “national emergency” related to security threats to America’s software supply chain and the Commerce secretary’s ability to review risky transactions under a 1977 law known as the International Emergency Economic Powers Act. Specifically, the secretary can prohibit or moderate transactions related to the information and communication technology supply chain, according to the updated law based on the two executive orders.
The Wall Street Journal reported last year that Commerce was using its authority to restrict the use of Kaspersky Lab’s software, but that no decision had been made to do so.
But after months of discussions on how to effectively use the Commerce Department’s regulatory powers against the use of Kaspersky Lab software, US officials are finally preparing to use the authorities, a US official familiar with the private discussions told CNN.
The pending action “signals a new era in which Commerce will be more willing to intervene in the name of protecting national security,” Henry Young, a former senior counsel at the Commerce Department, told CNN.
Companies “owned or controlled by a foreign adversary should take notice” if the Commerce secretary “demonstrates a willingness to prevent transactions that pose an unacceptable risk to US national security,” said Young, now director senior policy at the Business Software Alliance, an industry lobby.
The Commerce Department aims to use its authorities in the most accurate way that addresses national security concerns without adversely affecting American businesses or consumers, a Commerce official told CNN. The official discussed the Department’s general approach to regulating technology transactions and not any specific potential action.
“We will do what addresses the national security risk and no more,” the Commerce official said. “If that means: X, Y, Z critical infrastructure operators in high-risk sectors, you can’t use this software and that software provider can’t negotiate with you, we’ll do that. And if it needs to be wider, we will do that.”
A major cyber security player
Founded in Moscow in 1997, Kaspersky Lab has grown into one of the world’s most successful anti-virus software companies alongside American rivals such as McAfee and Symantec. Kaspersky Lab researchers, recognized as top-tier in the cyber security industry, are known for analyzing suspected hacking operations by various governments including Russia, the US and Israel, but also cybercrime threats that affect everyday users.
Some of the speculation and suspicion from US officials about the Russian company has focused on Eugene Kaspersky, an energetic computer expert who co-founded Kaspersky Lab in Moscow in 1997.
Eugene Kaspersky studied cryptography at a KGB-sponsored university – something some US lawmakers like to cite when trying to tie the company to the Russian government. Kaspersky Lab has denied having “any unethical connections or affiliations with any government, including Russia.” Kaspersky worked as a software engineer at a Russian Defense Ministry institute after graduating, which is “the extent of his military experience,” the company says.
Kaspersky has lamented that his company is a victim of geopolitical tensions between the West and Russia – tensions that have grown more acute since the Kremlin’s full-scale invasion of Ukraine in 2022.
But despite the legal battles and years of heated rhetoric, Kaspersky Lab’s relationship with the US government has not always been rocky. A tip from the company to the US government eventually led to the arrest of a National Security Agency contractor named Harold Martin, who was convicted on charges related to the theft of classified information, Politico reported.
But another reported incident involving another NSA contractor did nothing to assuage US officials’ suspicions about the Russian software firm.
Hackers working for the Russian government in 2015 stole files on US cyber operations from various NSA contractors, the Wall Street Journal reported in 2017. Russian hackers appeared to target the contractor after identifying the files through the contractor’s use of Kaspersky Lab software, the Journal reported, citing people familiar with the incident.
Kaspersky Lab said in a statement at the time that “no information or evidence was provided to the company that substantiated this alleged incident, and as a result, we must assume that this is another example of a false accusation.”
CNN’s Zachary Cohen, Phil Mattingly and Evan Perez contributed reporting.