Building Off Shaheen Law, Commerce Department Acts to Ban Kaspersky Nationwide
(Washington, DC)—U.S. Senator Jeanne Shaheen (D-NH), chair of the U.S. Senate Small Business Committee, chair of the U.S. Senate Appropriations Subcommittee on Commerce, Justice and Science and a senior member of the U.S. Senate Armed Services and Foreign Relations Committees, issued the following statement after the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced that the sale of all Kaspersky Lab cybersecurity and anti-virus software would be banned in the United States. Senator Shaheen was the first public official to sound the alarm on Kaspersky Lab. The Fiscal Year 2018 National Defense Authorization Act (NDAA), which was signed into law, included Senator Shaheen’s federal government-wide ban on Kaspersky Lab software.
“For too long, Kaspersky Lab has posed a threat to our national security, which is why I first introduced legislation—that was signed into law—to ban its products from federal government computers. I’m glad the Bureau of Industry and Security is taking decisive action to build on that by banning this Russian-linked company from accessing and exploiting Americans’ critical data and information,” said Shaheen. “Today’s decision makes clear that maintaining strong cybersecurity for Americans and our small businesses is critical to our collective national security. We must do that by ensuring malign players cannot access sensitive information.”
BIS’s Information and Communications Technology and Services (ICTS) Program investigates whether certain transactions linked to a foreign country pose an undue or unacceptable risk to U.S. national security. Based on an ICTS investigation, BIS has announced a prohibition on Kaspersky Lab and its parent companies, affiliates and subsidiaries from directly or indirectly providing cybersecurity or anti-virus services in the United States or to U.S. persons.
Once the prohibition is fully in place, no software updates may be provided in the United States or to U.S. persons with access to Kaspersky Lab software. To minimize disruption to U.S. persons and businesses, a limited set of Kaspersky Lab updates will be permitted until September 29, 2024, after which the Kaspersky Lab-related prohibitions go into full effect. For additional information on how to transition away from Kaspersky cybersecurity and anti-virus software, more information may be found here.
Senator Shaheen’s broad legislation, which was signed into law in 2017, ensured that Kaspersky Lab products, or any affiliated products and services, were banned from all federal computers and connected networks. In September 2017, the Trump administration heeded Senator Shaheen’s warnings about the Kremlin-linked company, ordering all federal agencies to remove the software from government computers within 90 days. In October 2017, Senator Shaheen sent a letter to the leadership of the U.S. Senate Armed Services Committee, requesting a hearing on the use of Kaspersky Lab software to hack the National Security Agency in 2015. Shortly thereafter, Shaheen called on the Trump administration to declassify information on Kaspersky Lab to raise public awareness regarding the serious threat that the company poses to the United States’ national security.
Senator Shaheen has also focused on ensuring small businesses have the tools and support they need to keep up with cybersecurity needs. The Small Business Cyber Training Act, led by Senators Shaheen and Marco Rubio (R-FL) and signed into law in December 2022, would require the Small Business Administration (SBA) to establish a training program to ensure that each Small Business Development Center has an employee certified in cyber strategy counseling for small businesses. Senator Shaheen also co-led the introduction of the Small Business Cyber Resiliency Act with Senator Jim Risch (R-ID), which would establish a Central Small Business Cybersecurity Unit at the SBA to create a public clearinghouse of small business cybersecurity resources, ensure training and materials are up-to-date, and improve coordination with the Cybersecurity and Infrastructure Security Agency.
###
