The Biden administration is preparing to take the unusual step of issuing an order that would prevent U.S. companies and citizens from using software from a major Russian cybersecurity firm over national security concerns, five U.S. officials familiar with the matter said. case to CNN.
The move, which is currently being finalized and could happen as soon as this month, would use relatively new Commerce Department authorities, based on executive orders signed by Presidents Joe Biden and Donald Trump, to ban Kaspersky Lab from making certain products and services to offer in the US. sources said.
US government agencies are already banned from using Kaspersky Lab software, but action to prevent private companies from using the software would be unprecedented. Nothing is final until it is announced, the sources warned, but the Commerce Department has made an “initial decision” to ban certain transactions between the Russian company and U.S. persons, the sources said.
It’s the latest attempt by the U.S. government to use its vast regulatory powers to prevent Americans from using popular technology that U.S. officials consider a national security risk. It comes as the Senate weighs a bill that would force TikTok into Chinese hands to find a new owner or face a US ban.
One goal of the order would be to limit any risk to critical U.S. infrastructure, sources familiar with the policy process told CNN. A draft of the initial provision banning certain Kaspersky software that circulated last year applied to US residents but could have been changed, according to a source who reviewed the draft.
The sources declined to detail the full scope of any final injunction against Kaspersky products, but the focus is expected to be on the company’s antivirus software.
A spokesperson for Kaspersky Lab did not respond to questions about a possible ban or how big the company’s market share is in the US.
A Commerce Department spokesperson declined to comment on any ongoing actions regarding Kaspersky products.
U.S. officials have claimed for years that the Russian government could force Kaspersky Lab to turn over data or use its antivirus software to try to hack or surveil Americans — accusations that Kaspersky Lab vehemently denies.
Under U.S. law, Kaspersky Lab can appeal the “initial decision” to ban use of its products or make a deal with the government that addresses U.S. security concerns before a final ruling from Commerce is announced.
Commerce Department officials should carefully consider how practical such a regulation would be for the Department to enforce and for users to comply with. For example, it would make little sense to force a small company somewhere in America to remove Kaspersky software if it is disruptive and the company has no impact on national security.
According to the company, more than 400 million people and 240,000 companies worldwide use Kaspersky Lab’s software products. It is not clear how many of these people and companies are in the US. But U.S. officials believe the risk the software poses to U.S. infrastructure is great enough to warrant the ongoing order.
‘A new era’ in trade regulation
The Trump administration forced US federal civilian agencies to remove Kaspersky Lab software products from their networks in 2017, and Congress later codified the ban and applied it to US military networks. But the Biden administration’s expected move would go a step further by using Commerce Department authorities to prevent private companies from using Kaspersky Lab software.
The trade authorities are relatively new and are derived in part from a 2021 executive order that Biden signed in the name of protecting Americans’ personal data from “foreign adversaries” and a related order signed by Trump in 2019.
Both decisions declare a “national emergency” related to security threats to the U.S. software supply chain and the Commerce Secretary’s ability to review high-risk transactions under a 1977 law known as the International Emergency Economic Powers Act. Specifically, the Secretary may prohibit or limit the risk of transactions involving the information and communications technology supply chain, according to the updated law based on the two executive orders.
The Wall Street Journal reported last year that Commerce was considering using its authorities to restrict the use of Kaspersky Lab software, but no decision had yet been made to do so.
But after months of deliberation on how to effectively use the Commerce Department’s regulatory powers against the use of Kaspersky Lab software, US officials are finally preparing to engage authorities, a US official familiar with the matter said. with the private conversations to CNN.
The ongoing action “heralds a new era in which the trade will be more willing to intervene in the name of protecting national security,” Henry Young, a former senior adviser at the Commerce Department, told CNN.
Companies “owned or controlled by a foreign adversary should take heed” if the Commerce Secretary “demonstrates a willingness to prohibit transactions that pose an unacceptable risk to U.S. national security,” said Young, who is now a senior is policy director at the Business Software Alliance. , an industry lobby.
The Commerce Department is committed to using its authorities as accurately as possible to address national security concerns without adversely impacting U.S. businesses or consumers, a trade official told CNN. The official was discussing the department’s general approach to regulating technology transactions and not any specific possible action.
“We will do what addresses the national security risk and no more,” the trade official said. “If that means saying, operators of critical infrastructure And if it needs to be broader, we will do that.”
Major cybersecurity player
Founded in Moscow in 1997, Kaspersky Lab grew to become one of the most successful antivirus software companies in the world, alongside American rivals such as McAfee and Symantec. Recognized as top in the cybersecurity industry, Kaspersky Lab researchers are known for analyzing hacking operations suspected to be carried out by various governments, including Russia, the US and Israel, as well as cybercriminal threats that affect regular users to have.
Some of U.S. officials’ speculation and suspicion about the Russian company centers around Eugene Kaspersky, a charismatic computer expert who co-founded Kaspersky Lab in Moscow in 1997.
Eugene Kaspersky studied cryptography at a KGB-sponsored university – a fact that some US lawmakers like to mention when trying to tie the company to the Russian government. Kaspersky Lab has denied having “any unethical ties or connections with any government, including Russia.” After graduating, Kaspersky worked as a software engineer at a Russian Defense Ministry institute, and that is “the extent of his military experience,” the company says.
Kaspersky has lamented that his company is a victim of geopolitical tensions between the West and Russia – tensions that have only intensified since the Kremlin’s large-scale invasion of Ukraine in 2022.
But despite the legal battles and years of heated rhetoric, Kaspersky Lab’s relationship with the US government has not always been bitter. A tip from the company to the U.S. government ultimately led to the 2016 arrest of Harold Martin, a National Security Agency contractor, who was convicted on charges of stealing classified information, Politico reports.
But another reported incident involving another NSA contractor failed to calm U.S. officials’ suspicions about the Russian software company.
Hackers working for the Russian government in 2015 stole files on U.S. cyber operations from another NSA contractor, the Wall Street Journal reported in 2017. The Russian hackers appeared to have targeted the contractor after identifying files through the use of Kaspersky Lab software by the contractor. the Journal reported, citing people familiar with the incident.
Kaspersky Lab said in a statement at the time that the company had “not received any information or evidence to substantiate this alleged incident, and as a result we must assume that this is yet another example of a false accusation.”
CNN’s Zachary Cohen, Phil Mattingly and Evan Perez contributed reporting.
For more CNN news and newsletters, create an account at CNN.com