The Biden administration is preparing to take the unusual step of issuing an order that would prevent US companies and citizens from using software made by a major Russian cybersecurity firm because of national security concerns, five US officials familiar with the matter told CNN.
The move, which is being finalized and could happen as soon as this month, would use relatively new Commerce Department authorities built on executive orders signed by Presidents Joe Biden and Donald Trump to prohibit Kaspersky Lab from providing certain products and services in the US, the sources said.
US government agencies are already banned from using Kaspersky Lab software but action to prevent private companies from using the software would be unprecedented. Nothing is final until it is announced, the sources cautioned, but the Commerce Department has made an “initial determination” to prohibit certain transactions between the Russian company and US persons, the sources said.
It’s the latest US government effort to use its vast regulatory powers to prevent Americans from using popular technology that US officials consider a national security risk. It comes as the Senate weighs a bill that would force Chinese-owned TikTok to find a new owner or face a US ban.
One goal of the order would be to mitigate any risk to critical US infrastructure, the sources familiar with the policy process told CNN. A draft of the initial determination to prohibit certain Kaspersky software that circulated last year applied to US persons but could have been amended, according to a source who viewed the draft.
The sources declined to detail the full scope of any final order against Kaspersky products, but its focus is expected to be on the firm’s anti-virus software.
A Kaspersky Lab spokesperson did not respond to questions about a potential prohibition or about how big the company’s market share is in the US.
A Commerce Department spokesperson declined to comment on any potential pending action related to Kaspersky products.
US officials have for years alleged that the Russian government could force Kaspersky Lab to hand over data or use its anti-virus software to attempt to carry out hacking or surveillance of Americans — accusations that Kaspersky Lab strenuously denies.
Under US law, Kaspersky Lab can appeal the “initial determination” to prohibit use of its products or strike a deal with the government that mitigates US security concerns before any final ruling from Commerce is announced.
Commerce Department officials have to carefully consider how practical any such regulation would be for the department to enforce and for users to comply with. It would make little sense, for example, to force a small business somewhere in America to uninstall Kaspersky software if it was disruptive and the business had no bearing on national security.
More than 400 million people and 240,000 companies worldwide use Kaspersky Lab’s software products, according to the company. Just how many of those people and companies are in the US is not clear. But US officials believe the risk posed by the software to US infrastructure is high enough to justify the pending order.
The Trump administration in 2017 forced US federal civilian agencies to purge Kaspersky Lab software products from their networks, and Congress later codified the ban and applied it to US military networks. But the expected move from the Biden administration would go a step further by using Commerce Department authorities to prevent private companies from using Kaspersky Lab software.
The Commerce authorities are relatively new and derived in part from a 2021 executive order that Biden signed in the name of protecting Americans’ personal data from “foreign adversaries” and a related order signed by Trump in 2019.
Both orders cite a “national emergency” related to security threats to America’s software supply chain and the ability of the Commerce secretary to review risky transactions under a 1977 law known as the International Emergency Economic Powers Act. Specifically, the secretary can prohibit, or mitigate the risk from, transactions involving information and communications technology supply chain, according to updated law based on the two executive orders.
The Wall Street Journal reported last year that Commerce was weighing using its authorities to restrict use of Kaspersky Lab software, but that no decision had been made to do so.
But after months of deliberating on how to effectively to use the Commerce Department’s regulatory powers against the use of Kaspersky Lab software, US officials are finally preparing to use the authorities, a US official familiar with the private discussions told CNN.
The pending action “signals a new era in which Commerce will be more willing to intervene in the name of protecting national security,” Henry Young, a former senior counsel at the Commerce Department, told CNN.
Companies “owned or controlled by a foreign adversary should take note” if the Commerce secretary shows “the willingness to prohibit transactions that create an unacceptable risk to US national security,” said Young, who is now senior director of policy at the Business Software Alliance, an industry lobby.
The Commerce Department aims to use its authorities in the most precise way that addresses national security concerns without having adverse impacts on American businesses or consumers, a Commerce official told CNN. The official discussed the department’s general approach to regulating technology transactions and not any specific potential action.
“We will do what addresses the national security risk and no more,” the Commerce official said. “If that involves saying: X, Y, Z critical infrastructure operators in high-risk sectors, you can’t use this software and that software provider can’t transact with you, then we’ll do that. And if it needs to be broader, we’ll do that.”
Founded in Moscow in 1997, Kaspersky Lab grew into one of the world’s most successful anti-virus software companies alongside American rivals like McAfee and Symantec. Kaspersky Lab’s researchers, recognized as top-tier in the cybersecurity industry, are known for analyzing hacking operations suspected of being carried out by a variety of governments including Russia, the US and Israel, but also cybercriminal threats that affect everyday users.
Some of the speculation and suspicion from US officials about the Russian company centers around Eugene Kaspersky, a charismatic computer expert who co-founded Kaspersky Lab in Moscow in 1997.
Eugene Kaspersky studied cryptography at a KGB-sponsored university — a fact that some US lawmakers like to mention when trying to tie the company to Russian government. Kaspersky Lab has denied having “any unethical ties or affiliations with any government, including Russia.” Kaspersky served as a software engineer at a Russian Ministry of Defense institute after graduation, and that is “the extent of his military experience,” the company says.
Kaspersky has lamented that his company is the victim of geopolitical tensions between the West and Russia — tensions that have only grown sharper since the Kremlin’s full-scale invasion of Ukraine in 2022.
But despite the legal battles and years of heated rhetoric, Kaspersky Lab’s relationship with the US government hasn’t always been acrimonious. A tip from the company to the US government eventually led to the arrest in 2016 of a National Security Agency contractor named Harold Martin, who was convicted on charges related to stealing classified information, Politico has reported.
But another reported incident involving a different NSA contractor did nothing to dampen US officials’ suspicions about the Russian software firm.
Hackers working for the Russian government in 2015 stole files on US cyber operations from a different NSA contractor, the Wall Street Journal reported in 2017. The Russian hackers appeared to have targeted the contractor after identifying files through the contractor’s use of a Kaspersky Lab software, the Journal reported, citing people familiar with the incident.
Kaspersky Lab said in a statement at the time that the company had “not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”
CNN’s Zachary Cohen, Phil Mattingly and Evan Perez contributed reporting.