The ongoing saga between the government and Kaspersky Lab took a series of turns over the last few weeks, casting doubt about whether the executive and legislative branch bans will hold up.
Kaspersky filed an initial lawsuit in December seeking to stop the Homeland Security Department’s Binding Operational Directive. Then on Feb. 12, Kaspersky filed a second lawsuit in the Washington, D.C. District Court to overturn the provision in the 2018 Defense Authorization bill that prohibits federal agencies from using the company’s products or services.
Insight by GitLab: During this webinar executives from the State Department, U.S. Securities and Exchange Commission, U.S. Patent and Trademark Office and GitLab will discuss how institutionalizing a DevSecOps approach to software development is a journey that must bring together the technology and business sides to change an organization’s culture.
And it’s this second lawsuit that, according to legal experts, gives Kaspersky a strong foot to stand on.
Kaspersky argued that the NDAA provision is an “unconstitutional bill of attainder.”
“The Bill of Attainder Clause forbids Congress from enacting laws which impose individualized deprivations of life, liberty, and property and inflict punishment on individuals and corporations without a judicial trial,” Kaspersky’s lawyers wrote in the complaint. “The clause ensures that Congress accomplishes legitimate and non-punitive objectives by establishing rules of general applicability which do not specify persons to be sanctioned. The clause is intended to prevent Congress from assuming the power of the executive and judiciary branches and then determining for itself conduct it regards as blameworthy and deserving of punishment, what evidence will suffice as proof, whether to pronounce a disfavored person guilty and what manner and degree of punishment to impose.”
Eric Crusis, a partner with Holland & Knight in Washington, D.C., said the concept of Attainder hasn’t been an areas of focus for the Supreme Court or the lower courts, so it’s not a well-developed part of the law.
“Some of the recent rulings are in conflict with each other,” he said. “If Congress sought to eliminate certain software characteristics, then that may have been on stronger legal ground. But because they called out Kaspersky specifically, that may face a tougher legal challenge. It’s a pretty strong argument. The legal issues in these cases are a law school professor’s dream. Any law student would need about six months to complete a final exam on Attainder because there are unprecedented issues on top of unprecedented issues. I could see this as a case make its way up to Supreme Court if both parties are motivated to do that.”
Kaspersky argued to the court that the NDAA provision was more for political reasons than national security concerns.
“Those sections were introduced and adopted hastily by Congress in the context of mounting animosity towards Russia and substantial political pressure on all branches of government to be seen as reacting to the apparent Russian interference in the 2016 presidential elections. However, Congress’s action against plaintiffs through the NDAA is based solely on vague and inflammatory allegations directed at Plaintiffs unsubstantiated by any legislative fact finding,” Kaspersky’s lawyers wrote. “These sections of the NDAA singularly and unfairly name and punish Kaspersky Lab, one of the world’s leading antivirus software companies, by prohibiting the federal government from using any Kaspersky Lab products or services and permanently depriving Kaspersky Lab of any direct or indirect federal government business.”
The legislative ban on Kaspersky is scheduled to take place in October.
“The company did not undertake this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the directive,” Kaspersky states in the letter from December. “DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.”
Ross Nodurft, the vice president of risk management at One World Identity and the former Office of Management and Budget unit chief for the cyber and national security unit, was in government when DHS drafted the BOD and said he isn’t surprised by Kaspersky’s actions.
“We all assumed this could lead to a court order and court action. We took the time to craft the BOD so it was defensible in court,” he said. “If we aren’t able to use the tools and authorities that Congress gave DHS and OMB to protect our networks and systems, then they are not useful to the government.”
Nodurft said DHS cyber executives and lawyers did as much due diligence as possible ahead of releasing the BOD to make sure it was “unimpeachable.”
Joe Stuntz, another former policy lead for OMB’s cyber and national security unit and now vice president for cybersecurity at One World Identity, added the process to reach a final version of the BOD was a long one and included a level of due diligence and awareness that this would likely be challenged in court.
Stuntz, who left the government in October, and Nodurft declined to offer any further details about the process or the case against Kaspersky citing the classified nature of the process.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
But it’s that classified nature of the rationale behind the BOD that may ultimately need to come out for this case to stand up in court.
Crusis said the government’s de facto debarment of Kaspersky without due process is at the crux of the case.
“Just because the government may have an issue with the company, it doesn’t excuse the government from going through the process to afford due process and to make sure it conforms to regulatory and legal requirements” he said. “It appears the government found a way to get to the end without using the tools to get there. We will see how this tug-of-war plays out in the courts.”
Kaspersky’s court filings come as federal intelligence community leaders started laying the ground work for a potential similar ban of Chinese companies, ZTE and Huawei.
Sens. Tom Cotton (R-Ark.) and Marco Rubio (R-Fla.) introduced a bill on Feb. 7 that would prohibit agencies from buying or leasing equipment from Huawei Technologies or ZTE Corp. because of concern that the Chinese companies could spy on federal officials.
“I think probably the simplest way to put it in this setting, would be that we’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks,” said FBI Director Christopher Wray at the Feb. 13 Senate Intelligence Committee hearing on worldwide threats. “That provides the capacity to exert pressure or control over our telecommunications infrastructure. It provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage. So, at a 100,000-foot level, at least in this setting, those are the kinds of things that worry us.”
Crusis said vendors should continue to pay close attention to the Kaspersky court case in light of legislative actions against the Huawei and ZTE.
“If DHS is successful, they could look at other companies that aren’t American and find a basis not to do business with them and issue de facto bans,” he said. “The actions against Huawei and ZTE may start a larger trend and that conforms nicely to the administration’s America first agenda.”
Crusis said the issue of supply chain management and transparency, especially around counterfeit parts and cybersecurity, has been a focus of the government procurement community over the past few years and is expected to increase.
In fact, DHS’ Jeanette Manfra, the assistant secretary for the office of cybersecurity and communications at the National Protection and Programs Directorate (NPPD), announced Feb. 14 that the agency launched a supply chain security initiative earlier this year.
Nodurft said the DHS BOD is an attempt to address supply chain risks.
Stuntz added recent cyber incidents by a nation state targeting military technology is part of the ever-growing case for better supply chain security.
“We are not just talking about products, but how do we work with companies that are critical to accomplish the agency’s mission as they are being targeted to get to the government’s mission systems and data?” he said. “If the government is not looking at supply chain then they are missing a critical area.”