Biden administration prepares to block Americans from using Russian-made software over national security concerns

The Biden administration is preparing to take the unusual step of issuing an order that would block U.S. companies and citizens from using software made by a major Russian cybersecurity company due to national security concerns, five told CNN American officials close to the matter.

The move, which is being finalized and could happen as soon as this month, would use relatively new authorities at the Commerce Department, based on executive orders signed by Presidents Joe Biden and Donald Trump to prohibit Kaspersky Lab from providing certain products and services in the United States, the sources said.

U.S. government agencies are already banned from using Kaspersky Lab software, but action to prevent private companies from using the software would be unprecedented. Nothing is final until it is announced, the sources cautioned, but the Commerce Department has made an “initial decision” to prohibit certain transactions between the Russian company and U.S. persons, the sources said.

It’s the latest attempt by the U.S. government to use its broad regulatory powers to prevent Americans from using a popular technology that U.S. officials consider a national security risk. It comes as the Senate considers a bill that would force Chinese company TikTok to find a new owner or face a U.S. ban.

One goal of the order would be to mitigate any risk to U.S. critical infrastructure, the sources close to the policy process told CNN. An initial draft decision to ban certain Kaspersky software, circulated last year, applied to U.S. persons but could have been modified, according to a source who consulted the draft.

The sources declined to detail the full scope of a possible final order against Kaspersky products, but it is expected to focus on the company’s antivirus software.

A Kaspersky Lab spokesperson did not respond to questions about a possible ban or the company’s market share in the United States.

A Commerce Department spokesperson declined to comment on any potential pending actions related to Kaspersky products.

U.S. officials have said for years that the Russian government could force Kaspersky Lab to hand over data or use its antivirus software to try to hack or surveil Americans — accusations that Kaspersky Lab categorically denies.

Under U.S. law, Kaspersky Lab can appeal the “initial decision” to ban the use of its products or enter into an agreement with the government that alleviates U.S. security concerns before a decision is made. final Commerce is not announced.

Commerce Department officials should carefully consider the extent to which such a regulation would be practical for the Department to enforce and with which users could comply. It would make little sense, for example, to force a small business somewhere in the United States to uninstall Kaspersky software if it was disruptive and the company had no impact on national security.

More than 400 million people and 240,000 businesses worldwide use Kaspersky Lab software, according to the company. It’s unclear how many of these people and businesses are in the United States. But U.S. officials believe the risk posed by the software to U.S. infrastructure is high enough to warrant the current order.

“A new era” in trade regulation

In 2017, the Trump administration forced US federal civilian agencies to remove Kaspersky Lab software products from their networks. Congress later codified the ban and applied it to U.S. military networks. But the Biden administration’s expected move would go even further by using Commerce Department authorities to block private companies from using Kaspersky Lab software.

The trade authorities are relatively new and stem in part from a 2021 executive order that Biden signed in the name of protecting Americans’ personal data from “foreign adversaries” and a related executive order signed by Trump in 2019.

Both orders cite a “national emergency” related to security threats to the U.S. software supply chain and the Commerce Secretary’s ability to review risky transactions under a 1977 law known as the name International Emergency Economic Powers Act. Specifically, the Secretary may prohibit or mitigate risks related to transactions involving the information and communications technology supply chain, consistent with the updated law based on the two Executive Orders.

The Wall Street Journal reported last year that Commerce was considering using its authorities to restrict use of Kaspersky Lab software, but that no decision had been made to do so.

But after months of deliberations over how to effectively use the Commerce Department’s regulatory powers against the use of Kaspersky Lab software, U.S. officials are finally preparing to use those authorities, a U.S. official familiar with the issues told CNN. private discussions.

The current action “signals a new era in which Commerce will be more willing to intervene in the name of protecting national security,” Henry Young, former senior counsel for the Commerce Department, told CNN.

Companies “owned or controlled by a foreign adversary should take note” if the Commerce Secretary shows “a willingness to prohibit transactions that create an unacceptable risk to the national security of the United States,” said Young, who is now senior policy director at the Business Software Alliance. , an industrial lobby.

The Commerce Department aims to use its authorities as narrowly as possible to address national security concerns without negatively impacting American businesses or consumers, a Commerce official told CNN. The official discussed the department’s general approach to regulating technology transactions and not any specific potential action.

“We will do what meets the national security risk and no more,” the Commerce official said. “If that means saying: And if it needs to be broader, we will.

Major player in cybersecurity

Founded in Moscow in 1997, Kaspersky Lab has become one of the most successful antivirus software companies in the world, alongside American competitors like McAfee and Symantec. Kaspersky Lab researchers, recognized as the best in the cybersecurity industry, are known for analyzing suspected hacking operations carried out by various governments, including Russia, the United States and Israel, as well as cybercriminal threats that affect daily users.

Some of U.S. officials’ speculation and suspicion of the Russian company has focused on Eugene Kaspersky, a charismatic computer scientist who co-founded Kaspersky Lab in Moscow in 1997.

Eugene Kaspersky studied cryptography at a KGB-sponsored university — a fact that some U.S. lawmakers like to mention when trying to link the company to the Russian government. Kaspersky Lab denied having “unethical ties or affiliations with any government, including Russia.” Kaspersky worked as a software engineer at a Russian Defense Ministry institute after graduating, and that’s “the extent of his military experience,” the company claims.

Kaspersky lamented that his company was a victim of geopolitical tensions between the West and Russia – tensions that have only worsened since the Kremlin’s full-scale invasion of Ukraine in 2022.

But despite legal battles and years of heated rhetoric, Kaspersky Lab’s relationship with the U.S. government hasn’t always been acrimonious. A report by the company to the U.S. government ultimately led to the 2016 arrest of a National Security Agency contractor named Harold Martin, who was convicted of charges related to the theft of classified information, a reported Politico.

But another incident involving another NSA contractor did nothing to lessen U.S. officials’ suspicions of the Russian software company.

Hackers working for the Russian government in 2015 stole files on U.S. cyber operations from another NSA contractor, the Wall Street Journal reported in 2017. The Russian hackers appear to have targeted the contractor after having identified files through this subcontractor’s use of Kaspersky Lab software. » reported the Journal, citing people familiar with the matter.

Kaspersky Lab said in a statement at the time that the company had “received no information or evidence substantiating this alleged incident and, therefore, we must assume that this is another example of a false accusation “.

CNN’s Zachary Cohen, Phil Mattingly and Evan Perez contributed reporting.

For more CNN news and newsletters, create an account at CNN.com