The U.S. government announced on Thursday that it is banning the sale of Kaspersky antivirus software in the country, and is asking Americans who use the software to switch to a different provider.
The Commerce Department’s Bureau of Industry and Security said it imposed the “first of its kind” ban, arguing that Kaspersky threatens U.S. national security and users’ privacy because the company is based in Russia.
“Russia has shown it has the capacity, and even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans. And that’s why we are compelled to take the action that we’re taking today,” U.S. Commerce Secretary Gina Raimondo said in a call with reporters.
News of the ban was first reported by Reuters ahead of the announcement.
Kaspersky will be banned from selling its software to American consumers and businesses starting on July 20, but the company will be able to provide software and security updates to existing customers until September 29. After that, Kaspersky will no longer be permitted to push software updates to U.S. customers, according to Raimondo.
“That means your software and services will degrade. That’s why I strongly recommend that you immediately find an alternative to Kaspersky,” Raimondo said.
Raimondo said that U.S. consumers who already use Kaspersky’s antivirus are not violating the law.
In a statement shared with TechCrunch, Kaspersky spokesperson Sawyer VanHorn said the company plans to challenge the U.S. government’s decision.
“Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies,” the company said in a statement. “The company intends to pursue all legally available options to preserve its current operations and relationships.”
“U.S. individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law, you have done nothing wrong and you are not subject to any criminal or civil penalties,” said Raimondo. “However, I would encourage you in the strongest possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
To inform consumers, Raimondo said the Department of Homeland Security and the Justice Department will work to notify U.S. consumers, and the U.S. government will set up a website, “so people who are impacted can find the information they need to understand why we’re doing what we’re doing, and help them take next steps.”
A senior U.S. Commerce Department official said during the press call that federal cybersecurity agency CISA will do outreach to critical infrastructure organizations that use Kaspersky software in their operations to help them find alternatives. The official also said that they don’t plan on naming any specific action by Kaspersky that led to today’s decision. (The Commerce Department asked reporters not to name the official.)
The ban announced Thursday is the latest escalation in a long series of U.S. government actions against the Moscow-headquartered Kaspersky.
In September 2017, the Trump administration banned U.S. federal agencies from using Kaspersky software over fears that the company could be compelled to help Russian intelligence agencies. Earlier in the year, it was reported that Russian government hackers had stolen U.S. classified documents stored on an intelligence contractor’s home computer because it was running Kaspersky’s antivirus, marking the first known incident of espionage resulting from use of the company’s software.
The decision to ban Kaspersky has been in the works since last year, according to a report by The Wall Street Journal in April 2023.
According to Kaspersky, the company has more than 400 million individual customers, and over 240,000 corporate customers worldwide. The senior official declined to say how many U.S. customers Kaspersky has, but said there is a significant number, including critical infrastructure organizations, and state and local government entities.
UPDATE, Friday June 21, 10:45 a.m. ET: This story has been updated to include Kaspersky’s comment.
Comment