LawFlash

Commerce Issues First-Ever Ban on Information and Communications Technology and Services Transactions Under EO 13873

June 26, 2024

The Department of Commerce’s Bureau of Industry and Security (BIS) published a 13-page Final Determination on June 24, 2024 concerning cybersecurity and antivirus software supplied by a US subsidiary of a Russia-based cybersecurity company. The Final Determination marks the first time BIS has prohibited information and communications technology and services transactions under Executive Order 13873.

The Final Determination is the culmination of BIS’s review of information and communications technology and services (ICTS) transactions involving Kaspersky Lab Inc. (together with its affiliates, subsidiaries, and parent companies, Kaspersky). The review conducted by BIS assessed (1) whether these transactions are covered ICTS transactions under 15 CFR § 7.103(b) and if so, (2) whether these transactions pose an undue or unacceptable risk to US national security or the safety and security of US persons, as outlined in Executive Order (EO) 13873, “Securing the Information and Communications Technology and Services Supply Chain,” and the implementing regulations contained in 15 CFR part 7.

The Final Determination was issued by BIS’s Office of Information and Communications Technology and Services (OICTS), which implements four EOs and related regulations under the International Emergency Economic Powers Act (IEEPA), including the following:

  1. EO 13873 (issued on May 15, 2019), which grants the Secretary of Commerce (Secretary) broad authority to prohibit or impose mitigation measures on any ICTS transaction that poses undue or unacceptable risks to the United States
  2. EO 13984, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (issued on January 19, 2021), which directed the Secretary to propose rules to address malicious cyber actors’ use of Infrastructure as a Service (IaaS) by proposing “know your customer” (KYC) requirements
  3. EO 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries” (issued on June 11, 2021), which builds upon EO 13873 to address threats posed by connected software applications linked to foreign adversaries
  4. EO 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (issued on October 30, 2023), which builds on EO 13984 and directs the Secretary to impose recordkeeping requirements on IaaS providers when transacting with foreign persons to train certain large AI models.

According to the Final Determination, Secretary Gina Raimondo found that the provision of cybersecurity and antivirus software in the US or to US persons by Kaspersky, including through third-party entities that integrate Kaspersky software into commercial hardware or software, poses undue and unacceptable risks to US national security and the security and safety of US persons, pursuant to the criteria set out in section 1(a)(i) of EO 13873 and 15 CFR part 7.

The decision is based on specific risks presented in the Initial Determination and subsequent responses and mitigation proposals from Kaspersky.

PROCEDURAL HISTORY

The BIS review was initiated based on a referral from the Department of Justice’s (DOJ’s) Foreign Investment Review Section (FIRS) on August 25, 2021, requesting that the Department of Commerce (Commerce) examine ICTS transactions involving Kaspersky’s cybersecurity and antivirus software. The timing of the referral is notable for two reasons:

  1. The referral date indicates that it took BIS almost three years to conduct its review and issue the Final Determination.
  2. The referral predated Russia’s February 2022 invasion of Ukraine, highlighting that concerns about Kaspersky are longstanding and grounded in specific concerns about US ICTS security rather than in the current geopolitical climate. Indeed, the concerns about Kaspersky date back to at least 2017, when the Department of Homeland Security (DHS) issued Binding Operational Directive 17-01 and an accompanying statement regarding the risks associated with Kaspersky, and directed federal executive branch agencies to identify and remove all Kaspersky-branded products from their information systems.

The Final Determination states that DOJ’s referral meets the four criteria under 15 CFR § 7.3(a)(1)-(4) due to the following:

  1. Kaspersky is subject to Russian jurisdiction and offers cybersecurity and antivirus software products in the United States through Kaspersky Lab Inc., a Massachusetts corporation.
  2. The transactions involve property interests held by foreign entities. AO Kaspersky Lab, a Russian company, holds intellectual property rights for Kaspersky’s software offered to US customers, often with an end-user license agreement. Kaspersky Lab Inc. is owned by Kaspersky Labs Limited, a UK corporation headquartered in Moscow. Additionally, Kaspersky Lab Switzerland GmbH sells product licenses to US end-users, and threat-related data from North American users is processed and stored on Swiss servers.
  3. The transactions were initiated, pending, or completed on or after January 19, 2021, and Kaspersky continues to offer covered ICTS to US persons.
  4. The transactions involve listed types of ICTS. Kaspersky’s software is integral to both consumer and enterprise computing services, processing sensitive personal data of US customers under 15 CFR § 7.3(a)(4)(iii). Kaspersky also supplies products to sectors designated as critical infrastructure by Presidential Policy Directive 21 under 15 CFR § 7.3(a)(4)(i). Commerce assesses that Kaspersky’s products meet the criteria in 15 CFR § 7.3(a)(4)(iv).

Following the referral, on May 25, 2022, Commerce issued an administrative subpoena to Kaspersky. Subsequent meetings were held with Kaspersky and its counsel on July 7, 2022, and September 1, 2022, to determine whether the covered ICTS transactions involving Kaspersky cybersecurity and antivirus software pose undue or unacceptable risks.

Based on a review of all documents and information, unclassified information provided by US government agencies, as well as information available from public sources (including commercial data sources), Commerce issued its Initial Determination on October 5, 2023. This determination was provided to Kaspersky and contained an explanation of why transactions involving Kaspersky cybersecurity and antivirus software meet the criteria of 15 CFR § 7.103(b). The Initial Determination further explained that these ICTS transactions pose undue and unacceptable risks, as contemplated by EO 13873 and 15 CFR part 7 and proposed prohibiting the transactions.

As required by the regulations, Kaspersky was given the opportunity to respond, which it did in a briefing on December 7, 2023, and a formal written response submitted on January 3, 2024, including proposed mitigation measures. Further information was requested and received by Commerce on January 9 and January 12, 2024. After further review, Commerce issued its Final Determination on June 22, 2024.

NATIONAL SECURITY DETERMINATIONS

With regard to whether the Kaspersky transactions pose an undue or unacceptable risk to the United States, the Final Determination states that the concerns surrounding Kaspersky stem from the potential for the Russian government to strategically misuse the company’s access and capabilities. Commerce explained that Kaspersky is subject to the jurisdiction of Russia, which has both the capability and the intent to compromise US ICTS and exploit sensitive data.

Kaspersky’s critical operations, including software development, are based in Russia, and the company can be legally compelled to comply with Russian government requests, including those from the Federal Security Service (FSB). That exposure to compulsion under Russian law is what, in Commerce’s view, makes the company vulnerable to exploitation.

Furthermore, the Final Determination stated that Kaspersky’s software has access to sensitive data of US users and could route that data to Russian servers. Like any endpoint security product, the software runs with kernel-level privileges and therefore has full access to the host; as a technical matter, the same access that lets it inspect files and network traffic for malware can be used to inspect or redirect data for other purposes.

The Kaspersky Security Network (KSN), the cloud service to which the software submits threat-related telemetry, could be used for targeted data collection, posing risks of espionage and data compromise. Kaspersky’s control over its update infrastructure would allow it to push malicious tools to US systems or to withhold critical updates, leaving those systems exposed. Finally, the company’s global virus scanning capability gives it non-public information on vulnerabilities that could be exploited by the Russian government.

While Kaspersky proposed several mitigation strategies, Commerce found them insufficient to address technical vulnerabilities or the potential for exploitation by the Russian government. Therefore, Commerce decided to prohibit the relevant transactions completely, based on its finding that Kaspersky’s operations are susceptible to Russian influence and potential misuse, and thereby pose significant threats to US national security and the safety of US persons.

In conjunction with the issuance of the Final Determination, the government took two other coordinated regulatory actions related to Kaspersky. First, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed financial sanctions by placing 12 individual officers and directors of Kaspersky on the Specially Designated Nationals (SDN) List, pursuant to Russia-related EO 14024. Second, BIS added three Kaspersky entities to the Entity List, thereby subjecting them to stringent export controls.

EFFECTIVE DATES, IMPACT, AND WHAT MAY COME NEXT

Unless Kaspersky challenges the Commerce action in court and obtains injunctive relief that holds the prohibition in abeyance, customers currently using Kaspersky products will need to identify alternative cybersecurity solutions in relatively short order.

Effective July 20, 2024, Kaspersky and its successors are prohibited from entering into new agreements with US persons for ICTS transactions involving (1) any cybersecurity product or service associated with Kaspersky, (2) any antivirus software associated with Kaspersky, and (3) the integration of Kaspersky software into third-party products or services, including “white-labeled” products or services. The third category matters for customers as much as for Kaspersky: an organization may be running Kaspersky code under another vendor’s name, so an inventory limited to Kaspersky-branded agents will not show the full exposure.

Additionally, effective September 29, 2024, Kaspersky must cease providing antivirus signature updates and operating KSN for US persons. An antivirus product that no longer receives signature updates or cloud reputation lookups offers steadily degrading protection against new malware, so from that date continued use is a security risk in its own right and not only a compliance question. Customers should therefore transition to a compliant solution before that date to ensure continued protection and compliance with US regulations.

The Commerce action does not apply, however, to Kaspersky Threat Intelligence products and services, security training, or consulting services that are purely informational or educational in nature.

Violations of this Final Determination are subject to civil and criminal penalties as outlined in 15 CFR § 7.200. Although Kaspersky products already purchased may continue to be used, Commerce has nonetheless recommended that customers voluntarily cease using them.

In addition, both Kaspersky customers and other parties will need to ensure that any other type of transaction with Kaspersky complies with the financial sanctions and export control restrictions that accompanied the Commerce action under EO 13873.

Although the action by Commerce under EO 13873 is significant and impactful, as noted above it comes almost three years after the DOJ referral, and over five years after the EO was issued. Frustration with Commerce’s pace in using its ICTS supply chain authorities may be reflected in the RESTRICT Act (S. 686), which was introduced in the 118th Congress and in large part served to codify EO 13873 in statute. Although the bill garnered significant attention when it was introduced, it ultimately did not progress, and seems unlikely to be pursued before the end of this Congress.

Meanwhile, EO 13873 is also being used as the predicate for further regulatory regimes. As discussed in a previous LawFlash, Commerce has proposed to regulate transactions involving foreign adversaries in the connected vehicle (CV) industry, and the Advance Notice of Proposed Rulemaking it issued in February of this year uses EO 13873 as its jurisdictional hook.

In addition, also in February of this year, the president issued EO 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which, as discussed in our LawFlash on that EO, likewise rests on the national emergency declared in EO 13873.

Against this backdrop, it seems likely that despite the government’s somewhat slow pace in deploying EO 13873 to restrict ICTS transactions, the BIS Final Determination with respect to Kaspersky may be the tip of the iceberg, and other regulatory actions under the EO could soon follow.

For that reason, both US companies and companies from the six foreign adversaries identified in the ICTS regulations at 15 CFR § 7.4 (China, Cuba, Iran, North Korea, Russia, and the Maduro regime in Venezuela) should consider whether any of their ICTS transactions might wind up subject to either prohibition or mitigation under EO 13873 and its various offshoots.

David Plotinsky was the initial drafter of EO 13873, and until January 2022, served as the acting chief of DOJ’s Foreign Investment Review Section, discussed in this LawFlash.
