Jun 262024

U.S. Commerce Department Issues First-of-Its-Kind Determination Banning Certain Software Products and Services

Jen Fernandez, James Mendenhall and Heather Hedges
, ,

On June 20, 2024, the U.S. Department of Commerce (Commerce) Office of Information and Communications Technology and Services (OICTS) published a first-of-its-kind Final Determination against Kaspersky Lab, Inc., prohibiting the provision of its antivirus software and cybersecurity products in the United States or to U.S. persons. This Final Determination provides new insights into OICTS review of information and communications technology and services (ICTS) transactions and the prohibitions or restrictions that may result. The full text of the Final Determination is available here. OICTS also provides additional guidance on the new prohibition here.

I. Background

Executive Order (EO) 13873 of May 15, 2019, on “Securing the Information and Communication Technology and Services Supply Chain” declared a national emergency with respect to the threat posed by foreign adversary control of ICTS in the United States, such as those that underpin the digital economy, support critical infrastructure, and store and process vast amounts of sensitive data.The EO authorized Commerce to review certain ICTS transactions involving foreign entities and to take action against those that (1) involve ICTS designed, developed, manufactured, or supplied by entities controlled, owned, or based in certain “foreign adversary” nations and (2) pose certain undue or unacceptable national security risks to the United States.

In January 2021, Commerce issued an interim final rule implementing EO 13873 and established the regulatory framework for identifying, assessing, and addressing ICTS transactions (the ICTS Regulations)2  (see Sidley’s coverage here). The ICTS Regulations identified China, Cuba, Hong Kong, Iran, North Korea, Russia, and the Maduro Regime in Venezuela as “foreign adversaries”3  and authorized Commerce to investigate and issue determinations prohibiting ICTS transactions.

II. Final Determination Against Kaspersky and Related Actions

The OICTS Final Determination issued June 20, 2024, prohibits Kaspersky Lab, Inc. and its affiliates, subsidiaries, and parent companies (collectively, Kaspersky) from directly or indirectly providing antivirus software and cybersecurity products or services in the United States or to U.S. persons. Kaspersky has been subject to a number of national-security-related restrictions, beginning in 2017, when the Department of Homeland Security banned the use of its products on federal civilian and military networks. In March 2022, the Federal Communications Commission identified Kaspersky products and services on its List of Communications Equipment and Services that Pose a Threat to National Security. The Final Determination indicates that OICTS began its investigation shortly thereafter, pursuant to a request from the Department of Justice (DOJ).

The Final Determination, prohibits the following transactions involving Kaspersky4:

As of July 20, 2024, new agreements with U.S. persons to engage in ICTS transactions involving any cybersecurity product or service or antivirus software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky as well as the integration of software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky into third-party products or services.

As of September 29, 2024, additional transactions including

  • the provision of antivirus signature updates or codebase updates associated with the above-mentioned ICTS transactions
  • the operation of the Kaspersky Security Network (a cloud-based infrastructure for identifying cyberthreats) in the United States or on any U.S. person’s IT system
  • the resale, integration, or licensing (for purposes of resale or integration) of Kaspersky cybersecurity or antivirus software

In parallel to OICTS’s publication of the Final Determination, Commerce’s Bureau of Industry and Security added several Kaspersky entities to its Entity List, and the Department of Treasury Office of Foreign Assets Control sanctioned 12 executives and senior leaders of Kaspersky Lab, Inc.

III. Key Takeaways

Until now, Commerce has provided limited information on the review process set out under the ICTS Regulations. This first-of-its-kind Final Determination offers a look into the process that OICTS will follow, the penalties that can result from a determination that ICTS transactions pose undue or unacceptable national security risks, and what we should expect from OICTS. Key takeaways:

1. The Final Determination provides new insight into OICTS’s transaction review process.

The Final Determination detailed the process that OICTS followed from the time it received the DOJ’s referral to investigate Kaspersky to its issuance of the Final Determination. The process adhered closely to the framework set out in the ICTS Regulations. OICTS gathered information regarding Kaspersky and made a preliminary assessment according to the relevant criteria. Following interagency consultation, OICTS issued a nonpublic Initial Determination, which was provided to Kaspersky. The Initial Determination explained the reasons why transactions involving Kaspersky were found to pose undue and unacceptable risks and why OICTS recommended a prohibition against certain transactions involving Kaspersky, based on information collected from Kaspersky pursuant to an administrative subpoena; unclassified information provided by other agencies; and other public information. OICTS provided Kaspersky with an opportunity to respond in writing to the Initial Determination and propose mitigation terms.

2. An ICTS provider’s exposure to control by a foreign adversary country and unrestricted access to sensitive information may create undue or unacceptable national security risks.

The Final Determination identified three specific aspects of Kaspersky’s cybersecurity and antivirus software that pose undue or unacceptable risks to U.S. national security:

  • Kaspersky is subject to the jurisdiction, control, or direction of Russia, a foreign adversary.

Kaspersky is required to comply with Russian government requests for assistance or information, including by cooperating with Russian intelligence and law enforcement efforts. OICTS found that this could allow the Russian government to exploit access to sensitive information or install malware on devices that use Kaspersky software in the United States.

  • Kaspersky’s software can be exploited to identify sensitive U.S. person data and make it available to Russian government actors.

OICTS found that Kaspersky could exploit devices that use its software based on its knowledge of vulnerabilities and backdoors in software installed on such devices. In addition, because Kaspersky software requires full access to all systems on the host device, Kaspersky could inspect data and files stored or transited through such devices or reroute such data to servers located in or accessible from Russia. OICTS also noted that Kaspersky’s end-user license agreement identifies the sensitive information collected from host devices, including data that could be used to identify specific users. OICTS was not convinced by Kaspersky’s argument that its Russian employees and operations could not attribute data to any specific individual, finding that this limitation was based on internal company policies that be changed at any time and that in any case, engineers could circumvent the limitation.

  • Kaspersky software, developed and supplied from Russia, allows for the capability and opportunity to install malicious software and strategically withhold critical malware signature updates.

Kaspersky’s unhindered access to the host devices on which its software is installed enables it to install (or facilitate the installation by third parties of) malicious tools, withhold malware updates on such devices, and gain insight through its virus scanning operation into new vulnerabilities in existing software, leaving users vulnerable to malicious activity or exploitation. OICTS found that the Russian government could target such vulnerabilities to sabotage or subvert ICTS in the United States.

Although Kaspersky proposed mitigation measures to address each of these identified risks, OICTS rejected all such proposals on the grounds that they did not address the specific factual circumstances giving rise to such risks. OICTS noted, for example, that the proposed mitigation terms did not
“sever[ ] U.S. operations ties with Kaspersky’s foreign operations” and did “not impact the technical operations, which allow logical access by foreign employees, including in Russia.” Consequently, the proposed mitigation did “little to impair Russia’s ability to compel Kaspersky to provide the Russian government access to U.S. customer systems and information.”

3. OICTS review is not a licensing regime. Rather, it can result in a ban on specific products or classes of products.

Prior to seeing the first Final Determination, many expected OICTS would run a process for reviewing and licensing specific transactions. OICTS took a different approach in the Kaspersky Final Determination. OICTS did not review any specific transaction but instead took action against all transactions involving Kaspersky antivirus software and cybersecurity products or services after the specified dates. In other words, OICTS is interpreting the scope of its authority in a way that allows it to effectively ban a company from doing business in the United States.

4. We should expect increased enforcement from OICTS.

Although the Kaspersky Final Determination is the first of its kind, a senior government official indicated that OICTS expects to conduct dozens of investigations and issue several new determinations each year. We also note that since OICTS hired an Executive Director, Liz Cannon, in January 2024, the office has steadily increased its enforcement of the ICTS Regulations in other ways. Specifically, earlier this year OICTS initiated a rulemaking process to amend the ICTS Regulations to identify ICTS integral for connected vehicles as subject to the OICTS review process.5  In January 2024, OICTS also issued a proposed rule imposing “Know Your Customer” and reporting requirements on U.S. infrastructure as a service providers (see Sidley’s coverage here). With the flurry of recent action — particularly in comparison to the early years following EO 13873 — we believe companies should expect that OICTS will continue to be active.

1 EO 13873 of May 15, 2019, Securing the Information and Communications Technology and Services Supply Chain, 84 Fed. Reg. 22689 (May 15, 2019).
2 Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4909 (Jan. 19, 2021); 15 C.F.R. Part 7.
15 C.F.R. § 7.4.
4 Appendix B to the Final Determination provides a nonexhaustive list of the Kaspersky products or services subject to the above prohibitions.
Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 15066 (Mar. 1, 2024).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Jen Fernandez

Washington, D.C.

jen.fernandez@sidley.com

James Mendenhall

Washington, D.C.

jmendenhall@sidley.com

Heather Hedges

Washington, D.C.

hhedges@sidley.com

You might also like
Top Trends in the European Digital Health/AI Market

Digital health AI technologies are transforming the advancement of drug development and healthcare delivery at an unprecedented speed, backed by governments facilitating the momentum to improve healthcare for their growing populations. Sidley’s European life sciences lawyers Josefine Sommer, Eva von Mühlenen, and Francesca Blythe share a timely take on the top 5 life sciences industry trends being shaped by pioneering digital technologies. We are delighted to present a series of insightful interviews with leaders from a diverse digital health ecosystem giving their perspectives from RocheOrigen Genetics, FemTech InsightsVergeSteto, and Clario.

Advisor to the CJEU Confirms GDPR Fines For Subsidiary Infringements Should Reflect Group Turnover

On 12 September 2024, Advocate General Medina issued their Opinion in Case C-383/23 (Opinion) in which they confirmed that supervisory data protection authorities (SAs) must, when calculating the fine for a GDPR infringement committed by a subsidiary, take into account the total annual turnover of the entire group—a concept known as parental liability.

U.S. Department of Commerce Issues Proposed Rule on ICTS Supply Chain for Connected Vehicles

On September 26, 2024, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a long-awaited rule proposing to ban certain connected vehicles transactions involving hardware and software linked to the People’s Republic of China (China) and Russia. BIS also proposed extensive compliance obligations for importers and manufacturers of connected vehicles and related components, which come as the automotive industry continues to grapple with how to protect critical safety-related data as vehicle interconnectivity increases.