Notice2024-13532
Final Determination: Case No. ICTS-2021-002, Kaspersky Lab, Inc.
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
June 24, 2024
Issuing agencies
Commerce DepartmentIndustry and Security Bureau
Abstract
Kaspersky Lab, Inc., Sec. of the Commonw. of Mass. Corp. Div., https://corp.sec.state.ma.us/CorpWeb/ CorpSearch/ CorpSummary.aspx?sysvalue=dfuXePdZwyoTa04_4VJnwjfqm1XFpXmuQMqvGjYKkM0 - (last visited May 29, 2024). ---------------------------------------------------------------------------
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 121 (Monday, June 24, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 121 (Monday, June 24, 2024)]
[Notices]
[Pages 52434-52437]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-13532]
[[Page 52434]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
Final Determination: Case No. ICTS-2021-002, Kaspersky Lab, Inc.
Pursuant to the authorities granted in Executive Order (``E.O.'')
13873, ``Securing the Information and Communications Technology and
Services Supply Chain,'' the Department of Commerce (the
``Department'') has reviewed transactions involving cybersecurity and
anti-virus software supplied by Kaspersky Lab, Inc. (together with all
affiliates, subsidiaries, and parent companies, ``Kaspersky'') to
determine (1) whether those transactions are covered ICTS transactions
under 15 CFR 7.103(b); and if so, (2) whether those transactions pose
an undue or unacceptable risk to U.S. national security or the safety
and security of U.S. persons, as set out in E.O. 13873 and 15 CFR part
7.
The Department finds that Kaspersky's provision of cybersecurity
and anti-virus software to U.S. persons, including through third-party
entities that integrate Kaspersky cybersecurity or anti-virus software
into commercial hardware or software, poses undue and unacceptable
risks to U.S. national security and to the security and safety of U.S.
persons. Consistent with 15 CFR 7.109(a), the Secretary now issues this
Final Determination, which sets forth the Department's decision, based
on the risks presented in the Initial Determination and the subsequent
responses and mitigation proposals from Kaspersky, as further detailed
below.
Background
Consistent with 15 CFR 7.1(b), the Secretary evaluates ICTS
transactions under this rule on a case-by-case basis. As outlined in 15
CFR 7.103(a), upon receipt of any information identified in 15 CFR
7.100(a), the Secretary may consider any referral for review of a
transaction. In a referral dated August 25, 2021, the Department of
Justice (``DOJ'') requested the Department review ICTS transactions
involving Kaspersky's provision of cybersecurity and anti-virus
software and related services to persons subject to the jurisdiction of
the United States. Prior to accepting the referral, the Department
determined that the referred transactions were covered ICTS
transactions, as identified by E.O. 13873 and consistent with the
Department's regulations at 15 CFR part 7.
First, the Kaspersky transactions meet the following criteria set
forth in E.O. 13873(1)(a)(i):
1, The transactions involve information and communications
technology or services designed, developed, manufactured, or supplied,
by persons owned by, controlled by, or subject to the jurisdiction or
direction of a foreign adversary. Kaspersky is subject to the
jurisdiction of the Russian Federation (``Russia''), a foreign
adversary designated by 15 CFR 7.4(a)(5).
Second, the referred transactions meet the following criteria set
forth in 15 CFR 7.3(a)(1-4):
1. The transactions are conducted by persons subject to the
jurisdiction of the United States. Kaspersky offers cybersecurity and
anti-virus software products and services in the United States through
Kaspersky Lab, Inc., a Massachusetts corporation.\1\
---------------------------------------------------------------------------
\1\ Business Entity Summary: Kaspersky Lab, Inc., Sec. of the
Commonw. of Mass. Corp. Div., <a href="https://corp.sec.state.ma.us/CorpWeb/CorpSearch/CorpSummary.aspx?sysvalue=dfuXePdZwyoTa04_4VJnwjfqm1XFpXmuQMqvGjYKkM0-">https://corp.sec.state.ma.us/CorpWeb/CorpSearch/CorpSummary.aspx?sysvalue=dfuXePdZwyoTa04_4VJnwjfqm1XFpXmuQMqvGjYKkM0-</a> (last visited May 29, 2024).
---------------------------------------------------------------------------
2. The transactions involve property in which any foreign country
or national has an interest. AO Kaspersky Lab, a Russian company,\2\
holds the rights to intellectual property used in Kaspersky's
cybersecurity and anti-virus software offered to U.S. persons,\3\ often
in combination with an end-user license agreement.\4\ Moreover,
Kaspersky Lab, Inc. is owned by Kaspersky Labs Limited, a United
Kingdom corporation, which in turn is headquartered in Moscow.\5\ In
addition, Kaspersky Lab Switzerland GmbH, a subsidiary of Kaspersky
Labs Limited, sells product licenses to U.S. end users via the
Kaspersky website.\6\ And finally, threat-related data received from
users of Kaspersky products in North America is processed and stored on
Swiss servers.\7\
---------------------------------------------------------------------------
\2\ AO Kaspersky Lab, Kaspersky internet Security 2019,
Kaspersky (Aug. 13, 2019), <a href="https://support.kaspersky.com/kis/2019/en-US/34744.htm">https://support.kaspersky.com/kis/2019/en-US/34744.htm</a>.
\3\ Kaspersky Lab--Global Privacy Policy, Kaspersky, <a href="https://www.kaspersky.com/global-privacy-policy">https://www.kaspersky.com/global-privacy-policy</a> (last visited May 29, 2024).
\4\ See, e.g., Kaspersky, End User License Agreement for
Kaspersky Virus Removal Tool (2021), <a href="https://support.kaspersky.com/us/kvrt2015/licensing/8530#block3">https://support.kaspersky.com/us/kvrt2015/licensing/8530#block3</a> (last visited May 29, 2024).
\5\ Company Overview, Kaspersky, <a href="https://usa.kaspersky.com/about/company">https://usa.kaspersky.com/about/company</a> (last visited May 29, 2024); <a href="https://esg.kaspersky.com/report/esg_report_2021-2022_en.pdf">https://esg.kaspersky.com/report/esg_report_2021-2022_en.pdf</a> (last accessed
on May 3, 2024).
\6\ See Kaspersky Endpoint Security for Business, Kaspersky,
<a href="https://usa.kaspersky.com/small-to-medium-business-security/endpoint-protection">https://usa.kaspersky.com/small-to-medium-business-security/endpoint-protection</a> (last visited May 29, 2024).
\7\ Kaspersky Global Transparency Initiative, Kaspersky, <a href="https://www.kaspersky.com/transparency-center">https://www.kaspersky.com/transparency-center</a> (last visited May 29, 2024).
---------------------------------------------------------------------------
3. The transactions were initiated, pending, or completed on or
after January 19, 2021. Kaspersky has offered, and continues to offer,
covered ICTS to U.S. persons on or after January 19, 2021.\8\
---------------------------------------------------------------------------
\8\ See Complete Security Plans for You & Your Family,
Kaspersky, <a href="https://usa.kaspersky.com/home-security">https://usa.kaspersky.com/home-security</a> (last visited May
29, 2024).
---------------------------------------------------------------------------
4. The transactions involve one or more listed types of ICTS. The
transactions involve at least three types of ICTS listed in 15 CFR 7.3.
First, the purpose and functionality of Kaspersky's cybersecurity and
anti-virus software make them integral to both consumer and enterprise
computing services, enabling these products and services to use,
process, and/or retain sensitive personal data of U.S. customers under
15 CFR 7.3(a)(4)(iii). Second, Kaspersky supplies its products to
customers who operate in sectors designated as critical infrastructure
by Presidential Policy Directive 21--Critical Infrastructure Security
and Resilience under 15 CFR 7.3(a)(4)(i).\9\ Finally, the Department
assesses that Kaspersky anti-virus and cybersecurity products meet the
criteria set forth in 15 CFR 7.3(a)(4)(iv).
---------------------------------------------------------------------------
\9\ See Kaspersky Enterprise Industries, Kaspersky, <a href="https://www.kaspersky.com/enterprise-security/industries">https://www.kaspersky.com/enterprise-security/industries</a> (last visited May
29, 2024).
---------------------------------------------------------------------------
Following the determination that the ICTS transactions identified
in the DOJ referral were covered transactions under E.O. 13873 and 15
CFR part 7, the Department commenced an initial review under 15 CFR
7.103 to determine whether the covered ICTS transactions involving
Kaspersky cybersecurity and anti-virus software pose undue or
unacceptable risks. Pursuant to its authorities, the Department issued
an administrative subpoena to Kaspersky on May 25, 2022. At the request
of Kaspersky and its counsel upon receiving the subpoena, the
Department met with Kaspersky on July 7, 2022, and again on September
1, 2022.
The Department reviewed all documents and information provided by
Kaspersky in response to the subpoenas. The Department also reviewed
unclassified information provided from U.S. Government agencies, as
well as information obtained from public sources (including information
available from commercial data services). The Department assessed the
covered ICTS transactions according to the criteria identified in 15
CFR 7.103(c) and (d) and made its preliminary assessment that the
transactions pose undue or unacceptable risk. The Department consulted
with the appropriate agency heads regarding its preliminary assessment,
including the information considered, analysis, and ultimate
assessment. Following the interagency consultation, the Department
reached its Initial Determination, consistent with 15
[[Page 52435]]
CFR 7.105, which proposed to prohibit certain covered ICTS
transactions. Kaspersky was served with the Initial Determination on
October 5, 2023.
The Initial Determination provided Kaspersky with an explanation as
to why transactions involving Kaspersky cybersecurity and anti-virus
software meet the criteria of 15 CFR 7.103(b). The Initial
Determination further explained the Department's assessment that ICTS
transactions to which Kaspersky is a party pose undue and unacceptable
risks, as contemplated by E.O. 13873 and 15 CFR part 7. Accordingly,
the Initial Determination recommended the Department prohibit certain
ICTS transactions involving Kaspersky cybersecurity and anti-virus
software.
On December 7, 2023, at the request of Kaspersky and its counsel,
Kaspersky briefed the Department on its response to the Initial
Determination. The Department instructed Kaspersky to condense all
relevant information into a written response, pursuant to 15 CFR 7.107,
and to provide it no later than January 3, 2024.
On January 3, 2024, Kaspersky submitted its official written
response to the Initial Determination, which included Kaspersky's
challenges to the basis of the Initial Determination, as well as
proposed mitigation measures to address the identified risks. On
January 9, 2024, the Department acknowledged receipt of Kaspersky's
written response and requested additional information regarding
Kaspersky's arguments and proposals. On January 12, 2024, Kaspersky
submitted its response to the Department's request for additional
information, providing further details regarding its proposed
mitigation measures (hereinafter, the January 3 and 12 responses are
collectively referred to as the ``Written Submission'').
In its Written Submission, Kaspersky challenged the Initial
Determination under 15 CFR 7.107(a) as lacking a sufficient factual or
other basis to justify the proposed prohibition. Kaspersky did not
provide any new material information or evidence in support of its
arguments that had not already been disclosed and considered in the
investigation leading up to the Initial Determination. Kaspersky
instead made arguments challenging the basis for the Initial
Determination, which are further identified in Appendix A. The
Department considered Kaspersky's arguments and addressed each as
reflected in Appendix A. Ultimately, the Department determined that,
contrary to Kaspersky's arguments, the proposed prohibition under 15
CFR 7.109(a) is well-supported, as discussed in Appendix A and below.
Appendix A, attached, includes a detailed response to Kaspersky about
how the Department considered the information and mitigation proposals
provided by Kaspersky during the course of this review. As it contains
business confidential information, it is protected from public
disclosure under 15 CFR 7.102(a).
Risk Determination
The Department reviewed covered ICTS transactions involving
Kaspersky cybersecurity and anti-virus software and determined that
those transactions pose undue or unacceptable risks, as set out in
Section 1(a) of E.O. 13873 and 15 CFR part 7. At the outset, it is
worth noting that regardless of whether Kaspersky's products contribute
to greater cybersecurity for its customers, this does not necessarily,
in the aggregate, increase national security. The risks to U.S.
national security addressed in this Final Determination stem not from
whether Kaspersky's products are effective at identifying viruses and
other malware, but whether they can be used strategically to cause harm
to the United States.
The Department identified the following three aspects of Kaspersky
cybersecurity and anti-virus software that contribute to the undue and
unacceptable risks posed to the national security of the United States
and the security and safety of U.S. persons:
I. Kaspersky Is Subject to the Jurisdiction, Control, or Direction of
the Russian Government, a Foreign Adversary
The Department's regulations at 15 CFR 7.4(a)(5) identify Russia as
a ``foreign adversary.'' Russia has demonstrated an intent and
capability to sabotage or subvert ICT systems in the United States and
exfiltrate sensitive data of U.S. persons for use in espionage,
influence, or other malicious activities. Russia's malicious activity
is documented in public and open-source information.\10\
---------------------------------------------------------------------------
\10\ See, e.g., Six Russian GRU Officers Charged in Connection
with Worldwide Deployment of Destructive Malware and Other
Disruptive Actions in Cyberspace, U.S. Dep't of Just. Off. of Pub.
Aff. (Oct. 19, 2020) <a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and</a>.
---------------------------------------------------------------------------
Significant aspects of Kaspersky's global business are conducted in
Russia, including software design, development, and supply. The legal
entity that holds the rights to Kaspersky's intellectual property, AO
Kaspersky Lab, is organized under the laws of Russia.\11\ Kaspersky's
founder, majority owner, and current Chief Executive Officer, Eugene
Kaspersky, is a Russian national who resides in Russia.\12\
Consequently, Kaspersky is subject to the jurisdiction or direction of
the Russian government. This fact was not disputed by the company in
its responses.
---------------------------------------------------------------------------
\11\ Kaspersky Lab--Global Privacy Policy, Kaspersky, <a href="https://www.kaspersky.com/global-privacy-policy">https://www.kaspersky.com/global-privacy-policy</a> (last visited May 29, 2024).
\12\ Eugene Kaspersky Bio, Kaspersky, <a href="https://www.kaspersky.com/about/team/eugene-kaspersky">https://www.kaspersky.com/about/team/eugene-kaspersky</a> (last visited May 29, 2024); see also
Eugene Kaspersky Profile, Forbes, <a href="https://www.forbes.com/profile/eugene-kaspersky/?sh=4a8a767e34d7">https://www.forbes.com/profile/eugene-kaspersky/?sh=4a8a767e34d7</a> (last visited May 29, 2024).
---------------------------------------------------------------------------
As an entity subject to Russian jurisdiction, it must comply with
any Russian government request for assistance or information. Russian
laws compel companies subject to Russian jurisdiction to cooperate with
Russian intelligence and law enforcement efforts, to include requests
from the Russian Federal Security Service (``FSB'').\13\ In its
responses to the Department's subpoenas and its Written Submission,
Kaspersky did not dispute that it is obligated to comply with requests
from the FSB. Accordingly, Russia, through its jurisdiction, direction,
or control over Kaspersky, could exploit access to sensitive
information present on electronic devices that use Kaspersky's
cybersecurity and anti-virus software in the United States or install
or inject new malware through manipulation of Kaspersky's signature
library and source code updates.
---------------------------------------------------------------------------
\13\ See Report of Peter B. Maggs to the Department of Homeland
Security at 4 (Dec. 2, 2017), <a href="https://www.internetgovernance.org/wp-content/uploads/12-7-Exhibit-AR-Part-6-Maggs-report.pdf">https://www.internetgovernance.org/wp-content/uploads/12-7-Exhibit-AR-Part-6-Maggs-report.pdf</a>. In addition
to complying with Federal Law No. 40-FZ, the Report of Peter B.
Maggs explains that companies such as Kaspersky may also be
obligated to assist the FSB with operational-investigative
activities undertaken in the performance of FSB duties, such as by
installing equipment supplied by the FSB for use in obtaining
information stored on computers. Id. at 8-11 (citing Federal Law No.
144-FZ of August 12, 1995 (as amended), ``On Operational-
Investigative Activity'').
---------------------------------------------------------------------------
In its Written Submission, Kaspersky proposed two mitigation
measures to address Russian jurisdiction, control, or direction over
its actions. These measures generally proposed changes to Kaspersky's
U.S. operations and staffing, but modifying U.S. operations and
staffing, without severing U.S. operations' ties with Kaspersky's
foreign operations, does little to address the risks associated with
Russian government control and direction. The proposed mitigation
measures do not impact the technical operations, which allow logical
access by foreign employees, including in Russia. As a
[[Page 52436]]
result, the proposed mitigation measures do little to impair Russia's
ability to compel Kaspersky to provide the Russian government access to
U.S. customer systems and information. Consequently, as further
explained in Appendix A, the Department determined that the proposed
mitigation measures are insufficient.
II. Kaspersky's Software Can Be Exploited To Identify Sensitive U.S.
Person Data and Make it Available to Russian Government Actors
Through its anti-virus and cybersecurity software, Kaspersky, and
certain of its employees, necessarily gain access to sensitive U.S.
person data. Kaspersky employs several thousand employees across
offices in Russia and other foreign countries to develop and refine the
source code for Kaspersky's anti-virus and cybersecurity software, to
compile the threat signatures, and manage threat information that
ultimately gets sent to end-user devices around the world, including in
the United States.\14\ Consequently, Kaspersky technical engineers have
intimate knowledge of vulnerabilities and backdoors that may exist in
the software operating on U.S. person devices, which could allow
Kaspersky engineers to exploit those devices. Because cybersecurity and
anti-virus software necessarily operates at the kernel level (i.e., the
core of the operating system, allowing for full access to all systems
on the device), this access may be misused to inspect the data and
files stored or transited through the electronic devices that use
Kaspersky's cybersecurity and anti-virus software. Additionally,
Kaspersky may modify the software on a user's device to reroute the
transmission of data collected by the device, which can include
personal and proprietary user data, to Kaspersky servers located in
Russia, or otherwise accessible from Russia. Exploiting this access
would provide the Russian government with vectors to conduct espionage,
compromise specific devices or networks, gather U.S. business
information (including intellectual property), and access U.S. person
sensitive data.
---------------------------------------------------------------------------
\14\ Company Overview, Kaspersky, <a href="https://usa.kaspersky.com/about/company">https://usa.kaspersky.com/about/company</a> (last visited May 29, 2024).
---------------------------------------------------------------------------
The Department additionally assesses that the Kaspersky Security
Network (KSN) \15\ function that is built into the software could
further facilitate the Russian government's targeted collection of
highly sensitive data from the user's device, such as the IP address,
physical location, information about the computer's hardware and
software, files downloaded, certain websites visited, running
applications, and user account names. User systems that participate in
the KSN send data about users' suspicious files or applications through
the KSN for analysis based on certain Kaspersky-identified threat
indicators. These threat indicators are proprietary, can be updated or
changed daily, and could be used to scour user data to identify and
collect sensitive user information for review by Kaspersky through the
KSN.\16\
---------------------------------------------------------------------------
\15\ Kaspersky Security Network (KSN), Kaspersky, <a href="https://www.kaspersky.com/ksn">https://www.kaspersky.com/ksn</a> (last visited May 29, 2024).
\16\ Kaspersky Lab, Kaspersky Private Security Network: Real-
Time Threat Intelligence--Inside The Corporate Infrastructure (White
Paper, 2015), <a href="https://media.kaspersky.com/en/business-security/enterprise/KPSN_Whitepaper.pdf">https://media.kaspersky.com/en/business-security/enterprise/KPSN_Whitepaper.pdf</a>.
---------------------------------------------------------------------------
The integration of Kaspersky software into third-party hardware or
software, or any ``white labeling'' of Kaspersky software, further
exacerbates these risks as the user would be less likely to know the
true source of the code, increasing the likelihood Kaspersky software
could unwittingly be introduced into devices or networks containing
highly sensitive U.S. data.
In its Written Submission, Kaspersky denies that the company could
purposefully obtain sensitive data on U.S. persons.\17\ Kaspersky
argues that its operations and employees in Russia can only access data
that is not attributable to a specific individual, and/or is used in
aggregated statistics.\18\ The Department disagrees with that argument.
As further described in Appendix A, the data security policies the
company has in place are internal policies that can be modified by
Kaspersky leaders at will. Additionally, Kaspersky engineers who work
on anti-virus or cybersecurity software can circumvent those policies
by designing vulnerabilities into the source code. Moreover, while
Kaspersky alleges the data retrieved is not attributable to a specific
individual, Kaspersky's end-user license agreement standard language
identifies various types of data that the software collects, such as
unique device identifiers, user registration data, location information
and images, and information about the operating system of the device
and versions of other software present, which could be used to track
devices on networks, websites visited, and user location, and
ultimately identify the user in a personal or professional
capacity.\19\ For certain services provided by Kaspersky, the end-user
license agreement clearly identifies a capability to locate a lost
device, including functionality that enables the operation of the
device's camera.\20\
---------------------------------------------------------------------------
\17\ Response to and Proposed Measures to Mitigate Risks
Identified in Initial Determination, Case No. ICTS-2021-002, Jan. 3,
2024, at 10 (``January 3rd Response'').
\18\ January 3rd Response at 10.
\19\ AO Kaspersky Lab, Kaspersky (Application for Android) End
User License Agreement (2022), <a href="https://products.s.kaspersky-labs.com/homeuser/kisa/11.96.4.9614/english-20230327_161605/3730363534317c44454c7c4e554c4c/eula_basic.html">https://products.s.kaspersky-labs.com/homeuser/kisa/11.96.4.9614/english-20230327_161605/3730363534317c44454c7c4e554c4c/eula_basic.html</a> (last visited May 29,
2024).
\20\ AO Kaspersky Lab, Kaspersky (Application for Android) End
User License Agreement at Art. 4 (2022), <a href="https://products.s.kaspersky-labs.com/homeuser/kisa/11.96.4.9614/english-20230327_161605/3730363534317c44454c7c4e554c4c/eula_basic.html">https://products.s.kaspersky-labs.com/homeuser/kisa/11.96.4.9614/english-20230327_161605/3730363534317c44454c7c4e554c4c/eula_basic.html</a> (last
visited May 29, 2024).
---------------------------------------------------------------------------
Kaspersky proposed several technical and operational mitigation
measures to address this aspect of the undue or unacceptable risk.
These measures have been individually as well as collectively
considered and addressed by the Department in Appendix A. None of the
measures (either combined or in the aggregate) was assessed to be
completely effective in mitigating the identified risks. Among other
things, the proposed measures did not adequately address the technical
risks associated with source code vulnerabilities that may exist in the
anti-virus and cybersecurity software design process, which largely
occurs outside of the United States. Therefore, the Department found
that Kaspersky's proposals under this aspect are not sufficient to
address the identified risks.
III. Kaspersky Cybersecurity and Anti-virus Software, Developed and
Supplied From Russia, Allows for the Capability and Opportunity To
Install Malicious Software and Strategically Withhold Critical Malware
Signature Updates
As discussed above, Kaspersky develops and controls access to the
technology and code infrastructure for its cybersecurity and anti-virus
products and may determine the level of access granted to employees.
Kaspersky's software operates at the kernel level, providing company
employees the capability to acquire unhindered access to all systems on
the device. Consequently, Kaspersky software can enable the Russian
government--either directly, or through Kaspersky employees under the
direction of the Russian government--to sabotage or subvert the
integrity of ICTS in the United States. This could include actions to
facilitate the installation of malicious tools on U.S. persons' devices
and networks, as well as actions to strategically delay or prevent
malware signature updates from reaching certain customers in a timely
manner. The
[[Page 52437]]
delay or denial of signature updates would leave these users vulnerable
to malicious actors who could target exploitation of known devices and
networks.
In its Written Submission, Kaspersky argued that it has implemented
multiple safeguards to prevent malicious code from being introduced to
a user's device.\21\ These arguments have been considered and are
addressed by the Department in greater detail in Appendix A. At a
general level, the safeguards identified would not address a
fundamental aspect of the risk--namely, that Kaspersky does not have to
affirmatively inject malware through its own code. Instead, through its
persistent access to devices, Kaspersky can provide information about
the devices on which its software operates, to enable malicious cyber
actors--whether in the Russian government or aligned therewith--to gain
access to those devices and manipulate settings on the device.
Additionally, Kaspersky's global virus scanning operation puts it at
the forefront for identifying new vulnerabilities in existing software,
providing it with significant non-public information for ways to
exploit certain versions of software, as well as a list of devices that
run that software. This capability, if leveraged by the Russian
government, greatly enhances its ability to conduct cyber espionage and
to steal sensitive data.
---------------------------------------------------------------------------
\21\ January 3rd Response at 10.
---------------------------------------------------------------------------
In its Written Submission, Kaspersky also proposed additional
technical and operational mitigation measures to address this aspect of
the undue or unacceptable risk.\22\ As described in Appendix A, the
Department concluded that these measures, when considered both
individually and in combination with one another, do not sufficiently
address the identified risk. The Department determined they fail
largely for the same reasons described above regarding the company's
existing safeguards. Specifically, the proposed technical and
operational mitigation measures address neither the risks associated
with intentional withholding of new threat signatures nor the risks
associated with Kaspersky's ability to use its kernel-level access to
U.S. user systems for a variety of malign purposes.
---------------------------------------------------------------------------
\22\ January 3rd Response at 13-14.
---------------------------------------------------------------------------
Final Determination
Pursuant to 50 U.S.C. 1701 et seq., E.O. 13873, and 15 CFR 7.109,
and in light of its assessment of the aforementioned risks, as
described above and in further detail in Appendix A, including the
consideration and determination of insufficiency of Kaspersky's
proposed measures to mitigate the risks identified, the Department
hereby issues this Final Determination regarding the following ICTS
transactions, as that term is defined under 15 CFR 7.2, with U.S.
persons:
1. ICTS transactions involving any cybersecurity product or service
designed, developed, manufactured, or supplied, in whole or in part, by
Kaspersky, to include those products and services listed in Appendix B;
2. ICTS transactions involving any anti-virus software designed,
developed, manufactured, or supplied, in whole or in part, by Kaspersky
to include those products and services listed in Appendix B; and
3. ICTS transactions involving the integration of software
designed, developed, manufactured, or supplied, in whole or in part, by
Kaspersky into third-party products or services (e.g., ``white-
labeled'' products or services).
Effective at 12 a.m. EDT on July 20, 2024, in accordance with 15
CFR 7.109(d)(5), Kaspersky, and any of its successors and assignees, is
prohibited from entering into any new agreement with U.S. persons
involving one or more ICTS transactions identified above.
Effective 12 a.m. EDT on September 29, 2024, in accordance with 15
CFR 7.109(d)(5), Kaspersky, and any of its successors or assignees,
shall be prohibited from engaging in the identified ICTS transactions
in the United States or with U.S. persons, including (1) providing any
anti-virus signature updates and codebase updates associated with the
ICTS transactions identified above; and (2) operating KSN in the United
States or on any U.S. person's information technology system. Kaspersky
may continue to operate the KSN for U.S. persons, as well as provide
anti-virus signature updates and codebase updates to current U.S.
subscribers and users of cybersecurity and anti-virus products and
services as identified in Appendix B, until 12:00 a.m. EDT on September
29, 2024.
Pursuant to the above determination, effective 12:00 a.m. EDT on
September 29, 2024, any resale of Kaspersky cybersecurity or anti-virus
software, integration of Kaspersky cybersecurity or anti-virus software
into other products and services, or licensing of Kaspersky
cybersecurity or anti-virus software for purposes of resale or
integration into other products or services is prohibited in the United
States or by U.S. persons.
This Final Determination shall not apply to transactions involving
Kaspersky Threat Intelligence products and services, Kaspersky Security
Training products and services, or Kaspersky consulting or advisory
services (including SOC Consulting, Security Consulting, Ask the
Analyst, and Incident Response) that are purely informational or
educational in nature.
In accordance with 15 CFR 7.200, any person who violates, attempts
to violate, conspires to violate, or causes any knowing violation of
this Final Determination prohibiting certain classes of ICTS
transactions is subject to civil penalties. In accordance with 15 CFR
7.200, any person who willfully commits, willfully attempts to commit,
or willfully conspires to commit, or aids and abets in the commission
of a violation of this Final Determination prohibiting certain classes
of ICTS transactions is subject to criminal penalties.
This document of the Department of Commerce was signed on June 14,
2024, by Gina M. Raimondo, Secretary of Commerce. The document with the
original signature and date is maintained by the Department of
Commerce. For administrative purposes only, and in compliance with
requirements of the Office of the Federal Register, the undersigned
Department of Commerce Federal Register Liaison Officer has been
authorized to sign and submit the document in electronic format for
publication, as an official document of the Department of Commerce.
This administrative process in no way alters the legal effect of this
document upon publication in the Federal Register.
Signed in Washington, DC, on June 14, 2024.
Beth Grossman,
Federal Register Liaison Officer, U.S. Department of Commerce.
[FR Doc. 2024-13532 Filed 6-20-24; 4:15 pm]
BILLING CODE 3510-33-P
</pre></body>
</html>Indexed from Federal Register on June 24, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.