Debevoise National Security Update: Department of Commerce Issues First Final Determination under ICTS Regime

25 June 2024
Key Takeaways:
  • On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) issued its first Final Determination under the Information and Communications Technology and Services (“ICTS”) Supply Chain Rule, targeting Kaspersky Lab, Inc. and confirming that BIS intends to enhance ICTS enforcement in the near term.
  • The Final Determination goes into effect on September 29, 2024 and prohibits Kaspersky Lab, Inc. and its affiliates, subsidiaries and parent companies (“Kaspersky”) from engaging in transactions involving the provision of certain cybersecurity and antivirus products and services to U.S. persons. It also prohibits, in the United States or by U.S. persons, the resale of Kaspersky cybersecurity or antivirus software, integration of Kaspersky cybersecurity or antivirus software into other products and services or licensing of Kaspersky cybersecurity or antivirus software for purposes of resale or integration into other products or services.
  • Companies can prepare for increased ICTS enforcement by inventorying existing ICTS applications for Kaspersky products; evaluating the significant business risk posed by transacting with Kaspersky or including Kaspersky products in the company’s own products or services; conducting due diligence on other ICTS suppliers under the jurisdiction of BIS-designated “foreign adversaries” (such as China and Russia); developing a supply-chain mitigation and response plan; and integrating ICTS considerations into merger and acquisition due diligence.

On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) issued its first Final Determination under the Information and Communications Technology and Services (“ICTS”) Supply Chain Rule, targeting Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, and its affiliates, subsidiaries, and parent companies (“Kaspersky”). The Final Determination prohibits Kaspersky from providing certain anti-virus products and services in the United States or to U.S. persons, wherever located, and also prohibits, in the United States or by U.S. persons, the resale of Kaspersky cybersecurity or anti-virus software, integration of Kaspersky cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services.

This move follows our expectation, as discussed in the Debevoise National Security Update: Supply Chain Security in 2024, that the Commerce Department intends to enhance ICTS enforcement in the near term. This client alert addresses the implications of the Final Determination and ICTS enforcement more generally, including for companies that have a nexus with ICTS suppliers, namely those located in, owned or controlled by, or subject to the jurisdiction of, a “foreign adversary,” such as China or Russia.

BACKGROUND: DEPARTMENT OF COMMERCE’S ICTS REGIME

On May 15, 2019, the Trump Administration issued Executive Order 13873 to strengthen efforts to prevent certain countries designated by BIS as foreign adversaries, including China and Russia, from exploiting vulnerabilities in the nation’s ICTS supply chain. Implementing regulations were issued by the Commerce Department on January 19, 2021 (the “Supply Chain Rule”), prohibiting certain transactions that involve ICTS “designed, developed, manufactured, or supplied by persons, owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries,” whenever the Secretary of Commerce, in consultation with other federal officials, determines that such a transaction, or a class of transactions, poses an undue or unacceptable risk to U.S. national security (each, an “ICTS Transaction”). The Supply Chain Rule broadly defines the scope of covered ICTS Transactions to include, among other things, ICTS that is used by critical infrastructure, is integral to certain network or communications systems, relates to sensitive personal data of U.S. individuals, enables internet communications, or is integral to certain sensitive technologies, including AI, quantum computing, drones or robotics.

This Final Determination is only the second significant action under the Supply Chain Rule and follows an Advance Notice of Proposed Rulemaking (“ANPRM”) issued by BIS on February 29, 2024, that seeks information about potential vulnerabilities in ICTS integral to “connected vehicles” that could result from access to related systems or data by a “foreign adversary.”

THE KASPERSKY FINAL DETERMINATION

The Kaspersky Final Determination is the first ICTS Transaction that BIS has prohibited under the ICTS regime. BIS found that Kaspersky’s software products – banned from use within U.S. federal agencies since 2017 – serviced over 400 million users and 270,000 corporate clients globally, and that:

  • Kaspersky is subject to the jurisdiction of the Russian government and must comply with requests for information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s anti-virus software;
  • Kaspersky has broad access to, and administrative privileges over, customer information through the provision of cybersecurity and anti-virus software, meaning that Kaspersky employees could potentially transfer U.S. customer data to Russia (where it would be accessible to the Russian government);
  • Kaspersky has the ability to use its products to install malicious software on U.S. customers’ computers or selectively deny updates; and
  • Kaspersky software is integrated into third-party products and services through resale of its software into other products and services, which increases the likelihood that Kaspersky software could be introduced into devices or networks containing highly sensitive U.S. persons data.

The ban goes into effect in two stages on July 20 and September 29, 2024. Beginning on July 20, 2024, Kaspersky will be prohibited from entering into any new agreement with U.S. persons involving one or more ICTS transactions. Then, beginning September 29, 2024, Kaspersky, with respect to all U.S. persons, will be prohibited from providing any anti-virus signature updates and codebase updates (including for software already in use) and must cease operation of the Kaspersky Security Network. Also beginning on that date, the Final Determination prohibits, in the United States or by U.S. persons, the resale of Kaspersky cybersecurity or anti-virus software, integration of Kaspersky cybersecurity or anti-virus software into other products and services, or licensing of Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services. Violations of the ban could lead to steep civil and criminal penalties: civil penalties can be the greater of $250,000 or twice the amount of the transaction that is the basis of the violation, while criminal penalties can include fines for as much as $1,000,000 and imprisonment for up to 20 years. The Final Determination does not prohibit the continued use of Kaspersky products solely for internal purposes although BIS strongly encourages a transition to alternative services.

KEY TAKEAWAYS

The issuance of the first Final Determination under the ICTS Supply Chain Rule—more than five years after Executive Order 13873—is significant. It confirms that BIS is increasing its enforcement actions and focusing on cybersecurity and connected software (via its ANPRM) in the first instance. Moreover, the Commerce Department has requested more than $30 million in FY25 budget increases for BIS, including for ICTS enforcement.

Companies can prepare for increased enforcement by:

  • Inventorying Existing ICTS Applications for Kaspersky Products. U.S. companies should inventory their ICTS applications to identify whether they utilize Kaspersky products, and if so, diversify their supply chains and seek alternative cybersecurity providers.
  • Evaluating the Significant Business Risk Posed by Transacting With Kaspersky or Including Kaspersky Products in the Company’s Own Products or Services. While the Final Determination does not prohibit companies that already utilize Kaspersky products solely for their own internal purposes from continuing to do so, companies that either do business with Kaspersky regarding software products or include such Kaspersky products in their own products or services are at significant risk of violating the Final Determination, which can carry steep civil and criminal penalties.
  • Conducting Due Diligence on Other ICTS Suppliers under the Jurisdiction of a BIS-Designated “Foreign Adversary.” As noted, we expect additional enforcement by BIS. In preparation for this, companies should consider a related risk assessment that reviews ICTS suppliers from any “foreign adversaries,” including China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime in Venezuela.
  • Developing a Supply Chain Mitigation and Response Plan. Potentially affected companies should consider a response plan to mitigate the risk of operational disruption should BIS take action against an ICTS supplier in the company’s supply chain.
  • Integrating ICTS Considerations into Merger and Acquisition Due Diligence. Companies should consider whether potential targets present enhanced ICTS risks as part of their merger and acquisition due diligence (e.g., to identify whether the target utilizes Kaspersky software or any other ICTS products banned in the future).


This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.