The Russian cybersecurity software firm Kaspersky’s days of operating in the United States are now officially numbered.
The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.
“When you think about national security, you may think about guns and tanks and missiles,” Commerce secretary Gina Raimondo told reporters during a briefing Thursday. “But the truth is, increasingly, it’s about technology, and it’s about dual-use technology, and it’s about data.”
The US conducted an “extremely thorough” investigation of Kaspersky and explored “every option” to mitigate its risks, Raimondo said, but officials settled on a full ban “given the Russian government’s continued offensive cyber capabilities and capacity to influence Kasersky’s operations.”
The Kaspersky ban represents the latest rift in relations between the US and Russia as the latter country remains locked in a brutal war with Ukraine and takes other steps to threaten Western democracies, including testing a nuclear-powered anti-satellite weapon and forming a strategic alliance with North Korea. But the ban could also immediately complicate business operations for American companies using Kaspersky software, which will lose up-to-date antivirus definitions critical for blocking malware in only three months.
The Biden administration knows roughly how many customers Kaspersky has in the US, but government lawyers have determined that this information is proprietary business data and cannot be published, according to a Commerce Department official, who briefed reporters on the condition of anonymity to discuss a sensitive matter. The official did say the “significant number” of US customers includes state and local governments and organizations that supply critical infrastructure such as telecommunications, power, and health care.
Raimondo had a message for Kaspersky’s US customers on Thursday: “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
Commerce will work with the departments of Homeland Security and Justice to “get this message out” and “ensure a smooth transition,” including through a website explaining the ban, Raimondo said. “We certainly don’t want to disrupt the business or families of any Americans.”
DHS’s Cybersecurity and Infrastructure Security Agency will contact critical infrastructure organizations that use Kaspersky to brief them on the alleged national security risks and “help them identify alternatives,” the Commerce Department official said.
Kaspersky has consistently denied being a national security risk or an agent of the Kremlin. In a statement to WIRED, the company accused the government of having “made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.”