BIS Adds Russian Cybersecurity Firm to Entity List, Issues ICTS Restrictions
The Bureau of Industry and Security will add three entities linked to Kaspersky, a Russian cybersecurity software firm, to the Entity List for working with Russian military and intelligence services. The agency also will place new restrictions on American companies and people buying or using Kaspersky cybersecurity and antivirus software.
BIS is adding Russia-based AO Kaspersky Lab and OOO Kaspersky Group, as well as U.K.-based Kaspersky Labs Limited to the Entity List effective June 24. All three entities will face a license requirement for all items subject to the Export Administration Regulations, and licenses will be reviewed under a presumption of denial.
Commerce Secretary Gina Raimondo said the U.S. decided on the listing and the broader restrictions -- taken under the authority of the 2019 Information and Communications Technology and Services (ICTS) Supply Chain executive order -- after a "thorough investigation." Speaking on a June 20 call with reporters, Raimondo said Kaspersky has "long raised national security concerns" and has been banned from federal government systems since 2017. The new restrictions will now prohibit Kaspersky from selling its software within the U.S. or providing updates to software already in use, a move Raimondo said is the "first of its kind" under ICTS authorities.
"While we've been exploring every option at our disposal," she said, "we ultimately decided that given the Russian government's continued offensive cyber capabilities and capacity to influence Kaspersky's operation, that we have to take the significant measure of a full prohibition if we're going to protect Americans and their personal data."
Raimondo stressed that businesses that have existing Kaspersky products aren't yet in violation of federal law. Companies will be blocked from entering into new agreements with Kaspersky beginning July 20, and Kaspersky's products officially will be subject to the new ICTS restrictions Sept. 29.
After those dates, Raimondo said, U.S. companies could face both civil and criminal penalties for conducting certain covered transactions with Kaspersky. "I would encourage you in the strongest possible terms to immediately stop using that software and switch to an alternative in order to protect yourself and your data," she said.
All exports that now require a license as a result of this rule but were aboard a carrier to a port as of June 24 may proceed to their destinations under the previous eligibility as long as the items are exported before July 24, BIS said. Any items not exported before midnight July 24 will require a license.