It’s official: Kaspersky Lab products and services are banned from federal agencies, at least for the foreseeable future.
The District of Columbia District Court Wednesday dismissed the company’s lawsuits against the Homeland Security Department and the government more broadly, which sought to overturn both the 2017 Binding Operational Directive and the provision in the 2018 Defense Authorization bill.
The judge ruled Kaspersky did not plausibly allege that the NDAA constitutes a bill of attainder, and the Russia-based company did not have standing to sue DHS over the BOD.
“The NDAA does not inflict ‘punishment’ on Kaspersky Lab. It eliminates a perceived risk to the nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation,” the judge wrote in the motion. “Even if the court were to rule in plaintiffs’ favor in the BOD Lawsuit and order the rescission of BOD 17-01, these harms would continue. The NDAA would remain on the books, preventing any federal government agency from purchasing Kaspersky Lab products. It is true that the NDAA’s prohibition does not become effective until Oct. 1, 2018. However, government agencies have likely already removed all Kaspersky Lab products from their systems as a result of BOD 17-01 and they know that, regardless, all such products must be removed by the fast-approaching NDAA effective date. Under these circumstances, it is completely implausible that any government entity would purchase a Kaspersky Lab product before October 1st.”
Kaspersky filed two lawsuits: one in December asking the courts to rule that DHS’ directive harmed its reputation and sales without due process under the Administrative Procedure Act; and one in February claiming the NDAA provision is unconstitutional under the Bill of Attainder Clause, which forbids Congress from enacting laws that impose individualized deprivations of life, liberty and property, and inflict punishment on individuals and corporations without a judicial trial.
“Kaspersky Lab is disappointed with the Court’s decisions on its constitutional challenges to the U.S. Government prohibitions on the use of its products and services by federal agencies,” the company said in a statement. “We will vigorously pursue our appeal rights. Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding. Given the lack of evidence of wrongdoing by the company and the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community. Policy prohibiting the U.S. Government’s use of Kaspersky Lab products and services actually undermines the government’s expressed goal of protecting federal systems from the most serious cyber threats.”
The district court says the provision banning Kaspersky doesn’t inflict punishment on the company.
“The law does not impose any form of historically recognized legislative punishment,” the court writes. “It has an obvious and eminently reasonable non-punitive purpose and, although the law has negative effects on plaintiffs, those effects are not out of balance with the goal of protecting the nation’s cybersecurity. Finally, there is no evidence that Congress acted with any motivation to punish plaintiffs.”
The court also said Kaspersky cannot satisfy the requirements of the BOD lawsuit: because the NDAA provision has become law, the company cannot show that its harm would be redressed by a reversal of the policy.
“[E]ven if plaintiffs were successful and the court were to order the rescission of the BOD, their harms would not be redressed,” the court writes. “The court has no jurisdiction to proceed to the merits of a lawsuit where its ultimate decision will have no real effect.”
Agencies have removed all Kaspersky Lab products from their systems and networks. DHS told Senate Appropriations Subcommittee members earlier this month that it now is looking at ways to punish agencies for not following a specific part of a recent binding operational directive that requires agencies to make sure they are not at risk from third-party vendors working with the government.
DHS Secretary Kirstjen Nielsen said the agency is assessing federal supply chains to identify where the Kaspersky products still exist today. She said DHS is working across the government to figure out possible consequences for not following the directive.
The court’s decision to dismiss the NDAA lawsuit also bodes well for lawmakers’ next target, Chinese firms Huawei and ZTE.
House Armed Services Committee lawmakers approved a provision in the fiscal 2019 Defense Authorization bill that would ban agencies from buying equipment from telecommunications companies owned, controlled or partly managed by the Chinese government, such as Huawei and ZTE.
Under the provision, every agency by Jan. 1, 2021 would have to stop using ZTE, Huawei or any other equipment or services connected to the Chinese government, whether directly or indirectly through a third party.
At one point, the White House also was drafting an executive order that would ban agencies and possibly contractors from buying telecommunications equipment from Chinese firms, including Huawei and ZTE. It’s unclear where the order stands today.
The court’s decision also reduces some of the concerns about the reasons for banning Kaspersky. Many cyber experts say the decision may be sound, but the public evidence was limited and raised more questions than it answered.