Managed Service Providers and purchasers of cybersecurity products and monitoring applications are wise to consult a slew of federal regulations prior to making company-wide purchases. Before inking a three- or five-year enterprise agreement for a particular product, U.S.-based purchasers must identify the manufacturer of the product and the manufacturer’s country of origin. Finally wising up to the security threat posed by applications and software products produced in countries with authoritarian regimes hostile to the U.S., the federal government is both launching new and expanding existing bans on such products to protect American citizens and infrastructure.
On June 20, 2024, the U.S. Department of Commerce Office of Information and Communications Technology and Services (OICTS) banned the sale of Kaspersky Lab Inc. products in the United States. Kaspersky, a Russian entity, develops and markets cybersecurity and antivirus software across the globe. OICTS’s decision loudly exercises its authority under the ICTS Regulations.
The ICTS regulations, first passed in 2021, attempt to identify commercial entities that produce software and applications and are located within and/or controlled by “foreign adversaries,” thereby likely posing a potential threat to national security in the United States. Initially formulated in an Executive Order, the ICTS regulations target those applications and web-based products that are “designed primarily for connecting with and communicating via the internet” and that are used “by greater than one million U.S. persons.” The regulations further identify China, Cuba, Hong Kong, Iran, North Korea, Russia, and the Maduro Regime in Venezuela as “foreign adversaries” of the United States.
This recent ban of Kaspersky software products follows other recent prohibitions issued against technology products owned and developed in adversarial foreign nations. On April 24, 2024, the “TikTok ban” was enacted, making it unlawful for any entity to distribute, maintain, or update an application, with more than 1,000,000 monthly users, which is also controlled by a foreign adversary. Although this ban is commonly referred to as the TikTok ban, it regulates many other applications and software that are prominent in the U.S. such as CapCut, which is a widely used video editing tool favored by many U.S. influencers.
The ICTS ban on Kaspersky and recent TikTok ban are not isolated events. On March 5, 2024, the Department of Commerce also expanded its “Federal Entity List” of prohibited products, now including two items of commercial spyware software, namely Intellexa and Cytrox. First published in 1997, the Federal Entity List contains a laundry list of companies, divided by country, prohibited from purchase and sale within the United States – similar to the ban on Cuban cigars, which continues to haunt tobacco enthusiasts. Since its enactment, the grounds for inclusion on the Federal Entity List have expanded to activities sanctioned by the State Department and activities that pose a threat to U.S. national security and/or foreign policy interests.
Attempts to buy or sell prohibited items on the Federal Entity List can result in criminal and/or civil penalties. Therefore, before renewing prior agreements or failing to stop an automatic renewal of the same, check the manufacturer of the software product to ensure a contract does not get weaponized against the customer.