Federal ban on Kaspersky products upheld

A federal judge has ruled that a ban on Kaspersky security products is constitutional.

NOTE: This article first appeared on FCW.com.

A U.S. court has dismissed two lawsuits filed by cybersecurity firm Kaspersky Lab against the U.S. government over a federal ban on the use of their products.

U.S. District Court Judge Colleen Kollar-Kotelly wrote in her May 30 opinion that U.S. networks and computer systems are "extremely important strategic national assets" whose security depends on the government’s ability to act swiftly against potential threats, even if such actions cause adverse effects for third-party providers like Kaspersky Lab.

"These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional," Kollar-Kotelly wrote.

The U.S. government claimed that the company's products constitute a threat to national security and could be used to facilitate espionage by the Russian government, while news reports have detailed the role the company's software played in the theft of classified data from the computer of an NSA contractor in 2014 or 2015.

Kaspersky Lab sued the Department of Homeland Security over a September 2017 Binding Operational Directive banning the use of certain Kaspersky Lab products and software by federal agencies, and the U.S. government over a ban inserted into the National Defense Authorization Act passed last year. Kaspersky argued the ban in the NDAA amounted to an unconstitutional bill of attainder.

Kollar-Kotelly wrote that there is a reasonable basis to conclude that the government acted out of a genuine concern for national security, not punishment, and thus the actions were legal. The court also found that the language inserted into the NDAA does not amount to a bill of attainder (the targeting of a particular person or group) because federal contracts only constituted a "small source of revenue" for the company (less than $54,000, according to previous court documents filed by the company) and that the loss of business was a secondary effect of protecting national security, not the primary intent.

That decision wound up having a cascading effect on the second lawsuit, with the court concluding that once the lawsuit against the NDAA was dismissed, Kaspersky Lab no longer had legal standing to credibly argue that overturning the DHS directive would provide them with any substantive form of relief.

The order may have also affected other aspects of Kaspersky's business in the U.S., where private-sector partners like Best Buy stopped selling the company's products after DHS issued its binding operational directive in September 2017. The loss of commercial business due to reputational harm was one of the main justifications Kaspersky Lab offered when filing its initial lawsuit against DHS late last year, though federal officials have disputed that assertion in previous court filings.

The court found the impact of this reputational damage on Kaspersky’s business to be "real" but "exaggerated." The NDAA “does not impose any form of historically recognized legislative punishment,” Kollar-Kotelly wrote, and “although the law has negative effects on Plaintiffs, those effects are not out of balance with the goal of protecting the Nation’s cybersecurity.”

In an emailed statement, a Kaspersky spokesperson expressed disappointment with the rulings and said, "We will vigorously pursue our appeal rights."

"Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding," the spokesperson added. "Policy prohibiting the U.S. Government's use of Kaspersky Lab products and services actually undermines the government's expressed goal of protecting federal systems from the most serious cyber threats."