Commerce Department Issues First Final Determination and Prohibition Under the ICTS Rule
June 24, 2024, Covington Alert
On June 20, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final determination prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries, and parent companies (together, “Kaspersky”) from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons (the “Final Determination”).
This action is notable as the first final determination and prohibition issued by BIS’s Office of Information and Communications Technology and Services (“OICTS”) pursuant to Executive Order (“EO”) 13873, “Securing the Information and Communications Technology and Services Supply Chain.” The determination concludes, after a years-long investigation by the Department of Commerce (“Commerce”), that Kaspersky’s continued operations in the United States—and specifically, Kaspersky’s provision of cybersecurity and anti-virus software to U.S. persons, including through third-party entities that integrate Kaspersky cybersecurity or anti-virus software into commercial hardware or software—pose undue and unacceptable risks to U.S. national security and to the security and safety of U.S. persons that could not be addressed through mitigation measures short of a total prohibition.
Background
In 2019, President Trump signed EO 13873, which focuses on addressing national security risks related to the introduction into the U.S. supply chain of information and communications technologies and services (“ICTS”) designed, developed, manufactured, or supplied by entities owned and/or controlled by or subject to the jurisdiction of foreign adversaries. The EO seeks to address U.S. government concerns regarding supply chain integrity, particularly as they relate to ICTS. The EO recognizes that existing regulatory regimes, such as the Committee on Foreign Investment in the United States (“CFIUS”) (which is limited to addressing risks related to investments in U.S. businesses), could not address other risks, particularly where vulnerabilities are introduced through commercial procurement contracts. Commerce subsequently issued regulations implementing and enforcing the EO; these regulations, generally known as the “ICTS Rule,” are administered by OICTS, an office established within BIS to implement the ICTS program (see Department of Commerce Releases Final Rule on Securing the Information and Communications Technology and Services Supply Chain). Pursuant to the ICTS Rule, Commerce has the authority to review certain ICTS transactions and may impose mitigation measures, or even prohibit a transaction, where Commerce identifies a risk to U.S. national security.
The ICTS Rule is broad in scope, defining “ICTS transaction” as “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.” To be a transaction that would be subject to Commerce review (an “ICTS Transaction”), the transaction must meet the following criteria:
- Is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
- Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
- Is initiated, pending, or completed on or after January 19, 2021; and
- Involves one of the categories of ICTS listed in 15 C.F.R. § 7.3(a)(4) of the ICTS Rule.
The ICTS Rule further stipulates that Commerce must evaluate whether an ICTS Transaction poses an undue or unacceptable risk based on certain risk criteria set forth in 15 C.F.R. § 7.103, including whether the ICTS transaction poses a discrete or persistent threat, the nature of the vulnerability implicated by the ICTS transaction, and whether there is an ability to otherwise mitigate the risks posed by the ICTS transaction.
Final Determination
The Final Determination addresses the foregoing criteria in turn and cites the following key reasons for the prohibition:
- “Kaspersky is subject to the jurisdiction, control, or direction of the Russian government, a foreign adversary.” The Final Determination states that “significant aspects of Kaspersky’s global business” are conducted in Russia including “software design, development, and supply,” and the legal entity that holds the rights to Kaspersky’s intellectual property is organized under the laws of Russia. The Final Determination assesses that, as an entity subject to Russian jurisdiction, Kaspersky “must comply with any Russian government request for assistance or information,” and that “Russian laws compel companies subject to Russian jurisdiction to cooperate with Russian intelligence and law enforcement efforts.” In that regard, the Final Determination notes that none of the potential mitigation measures would have “sever[ed] U.S. operations’ ties with Kaspersky’s foreign operations,” and therefore would not have addressed the risks associated with Russian government control and direction.
- “Kaspersky’s software can be exploited to identify sensitive U.S. person data and make it available to Russian government actors.” The Final Determination concludes that because cybersecurity and anti-virus software “necessarily” operates at the kernel level (i.e., with the highest privilege level in the operating system, giving it broad access to files, memory, processes, and network traffic on the device), certain Kaspersky employees “necessarily” gain access to sensitive U.S. person data and could “exploit such access to provide the Russian government with vectors to conduct espionage, compromise specific devices or networks, gather U.S. business information, and access U.S. person sensitive data.” Importantly, the Final Determination again emphasizes that none of the potential mitigation options would have addressed the technical risks associated with source code vulnerabilities in anti-virus and cybersecurity software design.
- “Kaspersky cybersecurity and anti-virus software, developed and supplied from Russia, allows for the capability and opportunity to install malicious software and strategically withhold critical malware signature updates.” The Final Determination further highlights that Kaspersky would not have to “affirmatively inject malware through its own code” to create a risk, but that through its persistent access to devices, it can “provide information about the devices on which its software operates, to enable malicious cyber actors—whether in the Russian government or aligned therewith—to gain access to those devices and manipulate settings on the device.”
- Third-party integration of Kaspersky products: The Final Determination also notes that the integration of Kaspersky software into third-party hardware or software, or any “white labeling” of Kaspersky software, was deemed to exacerbate the risks identified above, as the user is less likely to know the “true source of the code,” increasing the possibility that Kaspersky software could be “unwittingly introduced into devices or networks containing highly sensitive U.S. data.”
As a result of the Final Determination, effective September 29, 2024, Kaspersky will be prohibited from engaging in any ICTS transactions in the United States or with U.S. persons involving: (1) any cybersecurity product or service designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky; (2) any anti-virus software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky; or (3) any integration of software designed, developed, manufactured, or supplied, in whole or in part, by Kaspersky into third party products or services, including providing any anti-virus signature updates and codebase updates. That said, to minimize disruption to U.S. consumers and businesses, the Final Determination will allow Kaspersky to continue certain operations in the United States—including providing anti-virus signature updates and codebase updates—until September 29, 2024.
The Final Determination clarifies that the intent is not to punish U.S. customers and businesses for using Kaspersky products, and accordingly, that the Commerce Department does not intend to pursue enforcement actions against individuals and businesses that continue to use existing Kaspersky products and services. That said, because the Final Determination will preclude any anti-virus signature or codebase updates after September 29, 2024, Commerce notes that “any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so.” Additionally, U.S. persons and entities could still be subject to civil and criminal penalties for “aiding and abetting the commission of a violation of the Final Determination” (e.g., if they assist Kaspersky in continuing to sell in the United States or to U.S. persons). A violation would be subject to civil penalties not to exceed $250,000 or twice the amount of the transaction, whichever is greater; and criminal penalties not to exceed $1,000,000 and/or 20 years in imprisonment.
If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.