A D.C. federal court judge on Wednesday dismissed a pair of lawsuits filed by Russian antivirus vendor Kaspersky Lab over rules prohibiting the U.S. government from using its products.
In a 55-page ruling, U.S. District Judge Colleen Kollar-Kotelly upheld both a Department of Homeland Security directive and congressional legislation banning government agencies and offices from using Kaspersky Lab products, rejecting the Moscow-based company’s claims of being unconstitutionally targeted.
“The United States government’s networks and computer systems are extremely important strategic national assets,” the judge explained in her decision to dismiss Kaspersky Lab’s lawsuits. “Threats to these systems are constantly expanding and evolving. Their security depends on the government’s ability to act swiftly against perceived threats and to take preventive action to minimize vulnerabilities. These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional.”
The judge ruling consolidated separate lawsuits initiated by Kaspersky Lab after DHS and Congress took steps last year to prohibit government agencies from using the company’s software and services over concerns related to its alleged ties to Russian intelligence.
DHS “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the Trump administration explained when it issued the binding operational directive (BOD) last September.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the directive said.
Congress effectively codified the ban months later by including provisions prohibiting Kaspersky Lab products in the the National Defense Authorization Act (NDAA) for Fiscal Year 2018, and the company filed separate lawsuits in D.C. federal court challenging both bans on separate grounds.
Dismissing the NDAA lawsuit, the judge wrote in her ruling that Kaspersky Lab failed to argue that the provisions constituted a bill of attainder — “a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without provision of the protections of a judicial trial.”
“The NDAA does not inflict ‘punishment’ on Kaspersky Lab,” the judge explained. “It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.”
“The burdens placed on Kaspersky Lab by the challenged provisions of the NDAA, although perhaps not trivial in absolute terms, are not out of balance with Congress’ goal of protecting the Nation’s cybersecurity,” the judge explained. “The law does not impose any form of historically recognized legislative punishment. It has an obvious and eminently reasonable nonpunitive purpose and, although the law has negative effects on Plaintiffs, those effects are not out of balance with the goal of protecting the Nation’s cybersecurity.”
Dismissing the NDAA suit for failure to state a claim leaves the provisions in place and makes the other suit moot, the judge wrote.
“Even if the Court were to rule in Plaintiffs’ favor in the BOD Lawsuit,” she wrote, “… these harms would continue. The NDAA would remain on the books, preventing any federal government agency from purchasing Kaspersky Lab products.”
Kaspersky Lab did not immediately return messages seeking comment. The company has previously denied being in cahoots with Russia and recently announced it would relocate a “good part” of its infrastructure to Switzerland as part of an effort to regain customer trust eroded by accusations involving its ties to Moscow.
“The allegations we faced are wrong and there is no evidence. Still the allegations are there. We need to show customers we are taking them seriously and address them,” Anton Shingarev, Kaspersky Lab’s vice president of public affairs, told Financial Times earlier this month.