US To Ban Kaspersky Sales As Cybersecurity Vendor Denies Threat Accusations

Starting midnight July 20, Kaspersky is barred “from entering into any new agreement with U.S. persons involving one or more” information and communications technology and services deals.

The United States has taken steps to ban domestic sales and integration of products by Russia-based cybersecurity vendor Kaspersky, citing “undue and unacceptable risks to U.S. national security and to the security and safety of U.S. persons” and threatening hundreds of thousands of dollars in fines against violators.

Starting midnight July 20, Kaspersky is barred “from entering into any new agreement with U.S. persons involving one or more” information and communications technology and services (ICTS) deals, according to an order signed by U.S. Secretary of Commerce Gina M. Raimondo and published to the Federal Register’s website.

At midnight Sept. 29, Kaspersky is barred from “providing any anti-virus signature updates and codebase updates” and operating the Kaspersky Security Network (KSN) in the U.S. or on any American’s IT system.

Kaspersky Ban

CRN has reached out to Kaspersky for comment.

In a statement published Thursday, Kaspersky said that it was “aware of the decision” and that while sales of its products are banned, users can continue to use them. It “intends to pursue all legally available options to preserve its current operations and relationships.”

“The decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S.,” according to the statement. “Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted 3rd party, Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.”

The vendor denied engaging “in activities which threaten U.S. national security,” according to the statement. The vendor “has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies” and “has repeatedly demonstrated its independence from any government,” according to Kaspersky.

“Kaspersky has implemented significant transparency measures that are unmatched by any of its cybersecurity industry peers to demonstrate its enduring commitment to integrity and trustworthiness,” according to the statement. “The Department of Commerce’s decision unfairly ignores the evidence. … We look forward to what the future holds, and will continue to defend ourselves against actions that seek to unfairly harm our reputation and commercial interests.”

All of Kaspersky’s overall sales come through indirect channel and alliance relationships, according to CRN’s 2024 Channel Chiefs.

The U.S. order is the first of its kind under rules outlined in a 2019 executive order by then-President Donald Trump regarding ICTS sales.

The department denied in an online post that the order is due to economic competition, saying “this prohibition was made to protect the national security of the United States.”

Sales Limits Started In 2017

The order specifies that the ban applies to “resale of Kaspersky cybersecurity or anti-virus software, integration of Kaspersky cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services” in the U.S. “or by U.S. persons.”

Not part of the ban are Kaspersky Threat Intelligence, Kaspersky Security Training and Kaspersky consulting or advisory services “purely informational or educational in nature,” according to the order.

The order also said that it doesn’t judge “whether Kaspersky’s products are effective at identifying viruses and other malware, but whether they can be used strategically to cause harm to the United States.”

This is not the first step the U.S. has taken in restricting domestic sales of products by Kaspersky, founded in 1997.

In 2017, the U.S. Department of Homeland Security ordered the removal of Kaspersky-branded products from federal government information systems.

The following year, Congress passed a law specifically banning use of Kaspersky products by federal departments, agencies and organizations.

In 2022, the Federal Communications Commission (FCC) added Kaspersky to a list of entities that pose “an unacceptable risk to national security and the security and safety of U.S. persons.”

Despite all the actions taken by the federal government, Kaspersky reported growth in its channel partner program to CRN as part of the 2024 Channel Chiefs, including operating “at 105 percent performance overall, over accomplishing our FY 2023 target” and creating “exciting bundles for our MSP program incorporating bundled maintenance service agreements.”

On Thursday, Kaspersky also reported financial results for 2023. The vendor said it made global non-audited combined revenue of $721 million, down 4 percent year over year, blaming the drop on foreign exchange rates, according to an online post.

“In response to the non-market factors that affected the company’s business in 2022, Kaspersky revamped its operations and enhanced its resilience to geopolitical risks,” according to the post. “As a result, Kaspersky was able to maintain steady and robust business results, returning to positive dynamics in B2C (business-to-consumer) sales and further expanding B2B sales with the launch of new comprehensive security solutions.”

Kaspersky saw 11 percent growth in net sales bookings and 24 percent year-on-year sales of the business-to-business (B2B) product portfolio, according to the post.

B2C sales fell 8 percent year over year in 2023. Endpoint B2B sales grew 17 percent year over year and non-endpoint products and services sales grew 44 percent year over year, according to the Kaspersky post.

Penalties Could Include Prison

The maximum civil penalty for violating the ban is “not to exceed the greater of $250,000, subject to inflationary adjustment, or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed,” according to the U.S. Code of Federal Regulations.

The CFR adds that “the Secretary may impose a civil penalty of not more than the maximum statutory penalty amount, which, when adjusted for inflation, is $307,922, or twice the amount of the transaction that is the basis of the violation, per violation on any person who violates any final determination, direction, or mitigation agreement issued pursuant to this part under” the International Emergency Economic Powers Act (IEEPA).

People who “willfully” commit, attempt to commit, conspire to commit, or aid and abet in violating the Kaspersky order face criminal penalties, which include a maximum fine of $1 million, “imprisoned for not more than 20 years” or both.

The U.S. will ban Kaspersky sales because of three risks, according to the order:

The order also said that “integration of Kaspersky software into third-party hardware or software, or any ‘white labeling’ of Kaspersky software, further exacerbates these risks as the user would be less likely to know the true source of the code, increasing the likelihood Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. data.”

Although Kaspersky denied that data it retrieves is attributable to specific individuals, its end-user license agreement includes a capability for locating lost devices, implying that users can be identified, according to the order.

The department is able to impose this ban on Kaspersky due in part to Kaspersky having an entity in Massachusetts and because a Swiss Kaspersky entity sells product licenses to Americans through the Kaspersky website, according to the order. The Swiss Kaspersky entity also processes and stores “threat-related data received from users of Kaspersky products in North America” – meeting the ban criterion that “the transactions involve property in which any foreign country or national has an interest.”

The order details some efforts by the U.S. government and Kaspersky to fix the risks, including Kaspersky offering “technical and operational mitigation measures.” But Kaspersky’s offers did “not sufficiently address the identified risk,” according to the order.

“At a general level, the safeguards identified would not address a fundamental aspect of the risk—namely, that Kaspersky does not have to affirmatively inject malware through its own code,” according to the order. “Instead, through its persistent access to devices, Kaspersky can provide information about the devices on which its software operates, to enable malicious cyber actors—whether in the Russian government or aligned therewith—to gain access to those devices and manipulate settings on the device.”

The vendor’s global virus scanning operation also “puts it at the forefront for identifying new vulnerabilities in existing software, providing it with significant non-public information for ways to exploit certain versions of software, as well as a list of devices that run that software,” according to the order.

“This capability, if leveraged by the Russian government, greatly enhances its ability to conduct cyber espionage and to steal sensitive data,” according to the order.