Business Law Today

July 2024

July 2024 in Brief: Internet Law & Cybersecurity

Juliet Marie Moringiello

Department of Commerce Issues First Enforcement Action Protecting Information and Communications Technology and Services Supply Chain

By Jessica Varda, J.D. Candidate, Class of 2026, Louis D. Brandeis School of Law at the University of Louisville

On June 20, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) issued its first enforcement action pursuant to Executive Order No. 13873 (issued on May 15, 2019) to deter foreign adversaries from creating and exploiting vulnerabilities in information and communications technology and services (ICTS), particularly targeting vulnerabilities that could affect the ICTS supply chain.

The Final Determination announced on June 20 prohibits Russian company Kaspersky Lab, Inc., and its affiliates, subsidiaries, and parent companies (“Kaspersky”) from directly or indirectly providing antivirus software and cybersecurity products or services in the United States or to U.S. persons due to national security risks uncovered in an investigation. The Final Determination prohibits the resale, integration into other products and services, or licensing for resale or integration, of Kaspersky cybersecurity or antivirus software, with civil or criminal penalties for violations.

The Final Determination, as summarized by the BIS’s press release, “finds ICTS transactions involving such products and services, such as the ability to gather valuable U.S. business information, including intellectual property, and to gather U.S. persons’ sensitive data for malicious use by the Russian Government, pose an undue or unacceptable national security risk.”

The following reasons, given in the Risk Determination section of the Final Determination, offer further insight into BIS’s intent in securing the ICTS supply chain:

  • The company is subject to the jurisdiction, control, or direction of a foreign adversary designated by 15 CFR 7.4(a)(5).
    • Kaspersky’s proposed mitigation measures were not deemed sufficient because they did not sever U.S. operations’ ties with Kaspersky’s foreign operations and did not impact technical operations or disallow logical access by foreign employees, including in Russia.
  • The software can be exploited to identify sensitive U.S. person data and make it available to government actors of the foreign adversary.
    • The Department of Commerce identified multiple ways in which Kaspersky could identify and exploit vulnerabilities, primarily based on how cybersecurity and antivirus software operate.
    • Kaspersky’s proposed mitigation measures did not adequately address this issue, particularly the risks involved with source code vulnerabilities when the design process occurs in foreign countries.
  • The software, developed and supplied from the foreign adversary, allows for the capability and opportunity to install malicious software and strategically withhold critical malware signature updates.
    • The primary risks stem from potential intentional withholding of new threat signatures and the ability to use, or allow Russian government actors to use, the software’s kernel-level (i.e., core of operating system) access to U.S. user systems for malign purposes.