The National Defense Authorization Act of 2018 did something unusual: It singled out one cybersecurity company, Moscow-based Kaspersky Labs. The company has ties to the Russian intelligence community and the Kremlin. Worse, it works with Russia’s Federal Security Service, allowing agents to maintain a presence at headquarters. Lawmakers cited concerns about not just extant ties but the possibility of Kaspersky being forced into doing Russia’s bidding.
The NDAA bans the use of Kaspersky Lab antivirus software on government computers. For good measure, a new interim rule, published June 15, also bars contractors who use Kaspersky hardware, software, or services. Of course, eliminating Kaspersky’s presence in government isn’t that simple. Back in May, officials admitted they weren’t sure how to purge Kaspersky software from government computers. It’s that embedded.
Kaspersky’s not thrilled. Its profits and reputation have taken a major hit. The company maintains it has not aided Russian intelligence, but in at least one instance intelligence agents stole files from a National Security Agency employee using Kaspersky’s antivirus software at home. There’s also the possibility of Russia demanding access to data held by Kaspersky.
Naturally, Kaspersky sued, challenging both the provision of the NDAA and a July 2017 directive from the Department of Homeland Security banning its products. The company argued that targeting Kaspersky amounted to a bill of attainder, a punishment without a trial. They object to being branded “with infamy and disloyalty.” Which is the most Putin-esque legal argument I’ve heard in a while.
On May 30, a D.C. district court judge, Colleen Kollar-Kotelly, rejected both lawsuits. She concluded that there are constitutional grounds for the federal government to act to protect the nation’s cybersecurity. It’s also pointless to challenge the DHS directive separately because the NDAA has the same effect—for the entire government.
The United States government’s networks and computer systems are extremely important strategic national assets. Threats to these systems are constantly expanding and evolving. Their security depends on the government’s ability to act swiftly against perceived threats and to take preventive action to minimize vulnerabilities. These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional.
Kaspersky appealed, and the D.C. Circuit has fast-tracked the case—they’ll decide it by Oct.1. In the meantime, Kaspersky made a last-ditch effort in June to get the court to grant an emergency stay to block implementation of the new rule. The court rejected it with a single sentence: “Appellants have not satisfied the stringent requirements for an injunction pending appeal.”
An appellate court devoting absolutely no ink to the plea for a stay bodes poorly for Kaspersky, to put it mildly. Legal outcomes are rarely clearly predictable. There’s little doubt here, though.