Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Kaspersky Lab, Inc. v. United States Department of Homeland Security

United States District Court, District of Columbia

May 30, 2018

KASPERSKY LAB, INC., et al., Plaintiffs
v.
UNITED STATES DEPARTMENT OF HOMELAND SECURITY, et al., Defendants KASPERSKY LAB, INC., et al., Plaintiffs
v.
UNITED STATES OF AMERICA, Defendant

          MEMORANDUM OPINION

          COLLEEN KOLLAR-KOTELLY, UNITED STATES DISTRICT JUDGE.

         The United States government's networks and computer systems are extremely important strategic national assets. Threats to these systems are constantly expanding and evolving. Their security depends on the government's ability to act swiftly against perceived threats and to take preventive action to minimize vulnerabilities. These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional.

         Plaintiffs in the two lawsuits discussed in this Opinion represent Kaspersky Lab, a large multinational cybersecurity company headquartered in Russia. At least until 2017, Kaspersky Lab's cybersecurity products were used to defend the networks and computer systems of a number of United States federal government agencies. Amid growing concerns in early 2017 about malicious Russian cyber activity against the United States, government officials and members of Congress began asking questions, and voicing concerns, about the presence of these products on government systems. These concerns were based on the risk that the use of Kaspersky Lab products to defend United States government computer systems could be exploited by Russia, either with or without Kaspersky Lab's consent, cooperation, or knowledge. The concerns were fueled, in very summary form, by some combination of the following facts: Kaspersky Lab products enjoy extremely broad access and elevated privileges within the computer systems on which they are installed; Kaspersky Lab is headquartered in Russia; Kaspersky Lab and its founder and Chief Executive Officer, Eugene Kaspersky, have close connections to the Russian government and intelligence services; Kaspersky Lab products cycle users' data to the company's servers that are based in (or accessible from) Russia; Kaspersky Lab is subject to Russian laws that allow the Russian government to request or compel assistance from Russian companies, and is also susceptible to non-legal forms of pressure from the Russian government.

         The apparent national security risk presented by federal government agencies using Kaspersky Lab products eventually proved intolerable to both Executive Branch officials and Congress. On September 13, 2017, the Department of Homeland Security (“DHS”) issued a Binding Operative Directive (“BOD 17-01”) pursuant to the Federal Information Security Modernization Act of 2014 (“FISMA”), that required all federal departments and agencies to identify and, ninety days later, remove Kaspersky Lab products from their systems. That directive was soon effectively superseded when Congress passed the National Defense Authorization Act for Fiscal Year 2018 (“NDAA”), which contains a provision entitled “Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab.” As its title suggests, that provision prohibits all elements of the federal government from using any Kaspersky Lab products or services.

         Shortly after BOD 17-01 was finalized and the NDAA was signed into law, Kaspersky Lab filed a lawsuit (17-cv-2697) claiming that the BOD violated the Administrative Procedures Act (“APA”) and the Due Process Clause of the Fifth Amendment to the United States Constitution (hereinafter the “BOD Lawsuit”). The BOD Lawsuit did not challenge the legality of the NDAA's prohibition on the use of Kaspersky Lab products. Months later, after this omission became a point of contention regarding Plaintiffs' standing in the BOD Lawsuit, Plaintiffs filed a second lawsuit (18-cv-325) claiming that the NDAA's prohibition was an unconstitutional bill of attainder (hereinafter the “NDAA Lawsuit”).

         These lawsuits are separate and distinct, but both are pending before this Court. The Court is issuing this Opinion in both lawsuits, because there are motions pending in each that present overlapping and interrelated issues. Those motions include: Defendant's [10] Motion to Dismiss the Complaint in the NDAA Lawsuit, Plaintiffs' [19] Motion for Summary Judgment in the BOD Lawsuit, and Defendants' [21] Motion to Dismiss or Alternatively for Summary Judgment in the BOD Lawsuit.

         Having carefully reviewed the record, the pleadings, [1] and the relevant authorities, the Court GRANTS Defendant's Motion to Dismiss the NDAA Lawsuit. Plaintiffs have not plausibly alleged that the NDAA constitutes a bill of attainder. A bill of attainder is “a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without provision of the protections of a judicial trial.” Nixon v. Adm'r of Gen. Servs., 433 U.S. 425, 468 (1977). The NDAA does not inflict “punishment” on Kaspersky Lab. It eliminates a perceived risk to the Nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.

         Having carefully reviewed the record, the pleadings, [2] and the relevant authorities, the Court also GRANTS Defendants' Motion to Dismiss the BOD Lawsuit for lack of standing. Plaintiffs allege that BOD 17-01 causes them harm by depriving them of the ability to sell to the United States federal government and by damaging their reputation. Even if the Court were to rule in Plaintiffs' favor in the BOD Lawsuit and order the rescission of BOD 17-01, these harms would continue. The NDAA would remain on the books, preventing any federal government agency from purchasing Kaspersky Lab products. It is true that the NDAA's prohibition does not become effective until October 1, 2018. However, government agencies have likely already removed all Kaspersky Lab products from their systems as a result of BOD 17-01 and they know that, regardless, all such products must be removed by the fast-approaching NDAA effective date. Under these circumstances, it is completely implausible that any government entity would purchase a Kaspersky Lab product before October 1st. Accordingly, the empty “right” to sell to the federal government for the short period before October 1st that Plaintiffs could stand to gain from success in the BOD Lawsuit lacks any concrete value. It is insufficient to confer standing. An order rescinding the BOD would also not redress the alleged harm to Plaintiffs' reputation as a cybersecurity business because, according to Plaintiffs themselves, the NDAA independently causes, at least, that same harm. Plaintiffs attempted to avoid this jurisdictional roadblock by filing a separate lawsuit challenging the NDAA, but even if the later-filed NDAA Lawsuit had any relevance to Plaintiffs' standing in the BOD Lawsuit, that relevance has been eliminated by its dismissal. Because the BOD Lawsuit is dismissed for lack of standing, the Court need not reach the parties' cross-motions for summary judgment.

         I. BACKGROUND

         A. The Threat of Russian Cyber-Attacks

         An important context of Plaintiffs' lawsuits, which neither party appears to dispute, is that it is the assessment of the United States government that cyber-attacks, especially from Russia, present a potent threat to critical United States infrastructure. As described by then-Director of National Intelligence James R. Clapper in a statement to the Senate Armed Services Committee in 2015, “[p]olitically motivated cyber-attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S. critical infrastructure systems, which might be quickly exploited for disruption if an adversary's intent became hostile.” AR0106. “[T]hose conducting cyber espionage are targeting U.S. government, military, and commercial networks on a daily basis.” Id. As current Director of National Intelligence Daniel R. Coats recently stated in a similar report, “Russia is a full-scope cyber actor that will remain a major threat to U.S. Government, military, diplomatic, commercial, and critical infrastructure.” AR0065. “Moscow has a highly advanced offensive cyber program, and in recent years, the Kremlin has assumed a more aggressive cyber posture.” Id. “This aggressiveness was evident in Russia's efforts to influence the 2016 U.S. election.” Id.

         B. Kaspersky Lab and Eugene Kaspersky

         Kaspersky Lab is a large cybersecurity company headquartered in Moscow. See Decl. of Angelo Gentile, BOD Lawsuit ECF No. 19-3 (“Gentile Decl.”), ¶¶ 9-11. It sells products that are intended to protect its customers' computer systems against cyber-threats. Id. ¶ 9. The company was founded in 1997 by Eugene Kaspersky, who serves as the company's Chief Executive Officer. Id. ¶ 11. Kaspersky Lab is a multinational corporation present in countries throughout the world, but the particular Plaintiffs in the two lawsuits discussed in this Opinion are Kaspersky Lab, Inc., a Massachusetts corporation that acts as the North American headquarters for Kaspersky Lab, and Kaspersky Lab Limited, a U.K.-based holding company for Kaspersky Lab entities. Id. ¶¶ 4, 9-11.

         It is important to note that Kaspersky Lab does not sell its products exclusively to the United States federal government. Id. ¶ 9. Far from it. To the contrary, “[o]ver 400 million users-from governments to private individuals, commercial enterprise to critical infrastructure owners and operators alike-utilize Kaspersky Lab technologies.” Id. ¶ 9. Indeed, only a tiny fraction of Kaspersky Lab sales in the United States are to the federal government. Id. ¶ 15. “Active licenses held by federal agencies in September 2017 had a total value (to Kaspersky Lab, Inc. and the Company as a whole) of less than $54, 000-approximately 0.03% of Kaspersky Lab, Inc.'s annual U.S. sales at the time.” Id.

         C. Early Concerns Voiced About Kaspersky Lab Products

         Members of Congress and the Executive Branch began expressing concerns about the government's use of Kaspersky Lab products-and acting on those concerns-in, at least, early 2017. For example, during a March 2017 Senate hearing on Russian cyber activities, Senator Marco Rubio of Florida cited a “long history” of open-source reporting connecting Kaspersky Lab to Russian security services, and asked a panel of cybersecurity experts if they would feel comfortable using Kaspersky Lab products on their devices. Although one of those experts noted that “Kaspersky is not an arm of the Russian government, ” another responded “no, I wouldn't, and I wouldn't recommend that you do it either.” Disinformation: A Primer in Russian Active Measures and Influence Campaigns, Panel II Before the S. Select Comm. on Intelligence, 115th Cong. 40 (Mar. 30, 2017). In April 2017, the Senate Select Committee on Intelligence asked the Director of National Intelligence and the Attorney General to investigate Kaspersky Lab's ties to the Russian government. See Bolstering the Government's Cybersecurity: Assessing the Risks of Kaspersky Lab Products to the Federal Government Before the H. Comm. on Science, Space, and Technology, 115th Cong. 33 (Oct. 25, 2017). That same month, two Congressmen introduced a bill describing Kaspersky Lab as “a company suspected of having ties with the Russian intelligence services and later caught up in a Russian espionage investigation.” H.R. Con. Res. 47, 115th Cong. (2017). In May 2017, six United States intelligence directors, including the directors of the Central Intelligence Agency (“CIA”) and the National Security Agency (“NSA”), told the Senate Select Committee on Intelligence that they would not be comfortable using Kaspersky Lab products on their computers. See Hearing on Worldwide Threats Before the S. Select. Comm. on Intelligence, 115th Cong. (May 11, 2017), https://www.intelligence.senate.gov/hearings/open-hearing-worldwide-threats-hearing-0. N S A Director Michael Rogers said that he was “personally involved” in monitoring the Kaspersky Lab issue, and then-CIA Director Michael Pompeo acknowledged that concerns about Kaspersky Lab products “ha[d] risen to the director” level at the CIA. Id.

         Throughout the summer of 2017, lawmakers continued to raise concerns about the presence of Kaspersky Lab products on federal government systems in at least three other committee hearings in the House and the Senate. See Bolstering the Government's Cybersecurity: Lessons Learned from Wannacry Before H. Comm. on Science, Space, and Technology, 115th Cong. (June 15, 2017); Russian Interference in the 2016 U.S. Elections Before S. Select Comm. on Intelligence, 115th Cong. (June 21, 2017); Help or Hindrance? A Review of SBA's Office of the Chief Information Officer Before the H. Comm. on Small Business, 115th Cong. (July 12, 2017). In July 2017, Congressman Lamar Smith, Chairman of the House Science Committee, sent a letter to various federal agencies requesting information about their use of Kaspersky Lab software and expressing concern that the company's products were “susceptible to manipulation by the Russian government.” AR0557-58. Also in July 2017, the General Services Administration (“GSA”) removed Kaspersky Lab as a pre-approved vendor for contracts. AR0017.

         D. Communications Between Kaspersky Lab and DHS Prior to BOD 17-01

         On July 18, 2017, amidst this growing consensus that the use of Kaspersky Lab products to defend federal systems posed national security risks, Eugene Kaspersky wrote then-Secretary of Homeland Security John F. Kelly a letter “offer[ing] any information or assistance we can provide with regard to any Department investigation regarding the company, its operations, or its products.” AR0749. The letter generally extolled Kaspersky Lab's integrity and sought to assure Secretary Kelly that the company had no ties with the Russian government and has not, and would not, assist any government with cyber-espionage efforts. Id. Mr. Kaspersky offered to make himself available to DHS, the Senate Select Committee on Intelligence, or any other committees or agencies conducting any relevant investigations. Id.

         DHS responded by letter on August 14, 2017, thanking Mr. Kaspersky for offering to provide information, stating that DHS looked forward to communicating with him further, and indicating that DHS “will be in touch again shortly.” AR0940.

         E. BOD 17-01

         Much to Plaintiffs' dismay, the next they heard from DHS was on September 13, 2017, when, pursuant to her authority under FISMA, Acting DHS Secretary Elaine C. Duke issued BOD 17-01, entitled “Removal of Kaspersky-Branded Products.” AR0633-35.

         A very brief explanation of BODs generally is necessary here. Pursuant to FISMA, federal agencies are required, under the supervision of the Director of the Office of Management and Budget and the Secretary of Homeland Security, to establish and implement their own policies, principles, standards and guidelines on information security. 44 U.S.C. § 3554(b) (“Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency.”). As particularly relevant to this case, FISMA provides that “[t]he Secretary, in consultation with the Director, shall administer the implementation of agency information security policies and practices for information systems, ” including by “developing and overseeing the implementation of binding operational directives to agencies.” 44 U.S.C. § 3553(b)(2). A binding operational directive, or BOD, is “a compulsory direction to an agency that (A) is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk; (B) shall be in accordance with policies, principles, standards, and guidelines issued by the Director; and (C) may be revised or repealed by the Director if the direction issued on behalf of the Director is not in accordance with policies and principles developed by the Director.” Id. § 3552(b)(1). In other words, BODs are used to address suspected threats, vulnerabilities, or risks to federal information systems. In this way, the BOD is a tool that gives the DHS Secretary the ability to take swift action based on predictive judgments to address constantly evolving cyber-threats.

         BOD 17-01 in particular required all federal departments and agencies to take three actions: (1) within 30 days of the issuance of the BOD (October 13, 2017), all agencies were required to identify the use or presence of Kaspersky-branded products on all federal information systems and report this information to DHS; (2) within 60 days (November 12, 2017), all agencies were required to develop and provide to DHS a plan for removing and discontinuing present and future use of all Kaspersky-branded products beginning 90 days after the issuance of the BOD; and (3) within 90 days (December 12, 2017), unless otherwise directed, all agencies were required to begin implementing their plan and provide DHS a status report on that implementation every 30 days thereafter until full removal and discontinuance of Kaspersky-branded products was achieved. AR0634-35. “Kaspersky-branded products” were defined as “information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.” AR0634. BOD 17-01 exempted from its scope “national security systems” and certain other systems operated by the Department of Defense and the intelligence community. AR0633.

         The BOD itself stated that “DHS, in consultation with interagency partners, ha[d] determined that the risks presented by Kaspersky-branded products justif[ied] the issuance of” the BOD, AR0633, and a “Decision Memorandum” accompanying the BOD explained the reasoning underlying that determination. The Acting Secretary stated that she had issued the BOD because, based on the evidence presented to her by the Assistant Secretary for Cyber Security and Communications, she had concluded that Kaspersky-branded products on federal information systems presented a known or reasonably suspected information security threat, vulnerability, and risk to federal information and information systems. AR0628-29. That conclusion was based primarily on the following factors: (1) Kaspersky-branded products were currently being used by federal agencies, and Kaspersky Lab intended to expand its sale of those products to federal agencies in the near future; (2) anti-virus products like Kaspersky Lab's enjoy broad access to files and elevated privileges on the systems on which they are used that can be exploited by malicious cyber-actors; (3) data of those using Kaspersky Lab products is transferred automatically from their computers to Kaspersky Lab servers (which are either located in Russia or accessible from Russia); (4) Russia has engaged in, and will likely continue to engage in, malicious cyber-activities against United States government information systems; (5) Kaspersky Lab and Kaspersky Lab officials have ties to the Russian government, and specifically to its intelligence services; and (6) Russian legal provisions allow Russian intelligence services to request or compel assistance from companies like Kaspersky Lab and to intercept communications transiting Russian networks. AR0629-30.

         The BOD was not based on a determination that Kaspersky Lab was disloyal or guilty of any wrongdoing. Acting Secretary Duke explained that the “crux” of the threat addressed by the BOD was “the ability of the Russian government, whether acting on its own or through Kaspersky, to capitalize on access to federal information and information systems provided by Kaspersky-branded products.” AR0629. “These risks, ” she noted, “exist regardless of whether Kaspersky-branded products already have been used by Kaspersky or the Russian Government for malicious purposes.” Id. Her determination was supported by the unclassified information presented to her, although she noted that she had reviewed classified information as well that provided further support for her action. AR0631.

         BOD 17-01 was supported by a considerable administrative record. Most relevant for the purposes of this Opinion is a September 1, 2017, memorandum prepared for Acting Secretary Duke by the Assistant Secretary for Cyber Security and Communications, Jeanette Manfra, which outlined much of the publically available information underlying concerns about Kaspersky Lab products. AR0003-23. The memo stated that “DHS cybersecurity experts in the National Protection and Programs Directorate, in consultation with interagency partners, agree that Kaspersky-branded products present known or reasonably suspected information security risks to federal information and information systems.” AR0004. More specifically, the memo stated that:

BOD 17-01 is based on expert judgment about threats to U.S. national security. The danger stems in part from the inherent properties of anti-virus software, which operates with broad file access and elevated privileges. Such access and privileges can be exploited by a malicious cyber actor such as Russia, which has demonstrated the intent to target the U.S. government and the capability to exploit vulnerabilities in federal information systems. Kaspersky or the Russian government could use this software to engage in a wide range of malicious cyber activities against federal information and information systems, including exfiltrating files, modifying data, or installing malicious code, with potentially grave consequences for U.S. national security. These actions could take place because of a range of factors, including Russian laws that authorize the Russian Federal Security Service (“FSB”) to compel Russian enterprises to assist the FSB in the execution of FSB duties, to second FSB agents to Russian enterprises (with the enterprise's consent), and to require Russian companies to include hardware or software needed by the FSB to engage in “operational/technical measures.” Kaspersky also relies on the FSB for needed business licenses and certificates, and the FSB could condition the granting of such approvals on Kaspersky's cooperation. Finally, Russian law allows the FSB to intercept all communications transiting Russian telecommunications and Internet Service Provider networks, which presumably includes data transmissions between Kaspersky and its U.S. government customers. Because of these known or reasonably suspected risks to federal information and information systems, which directly implicate U.S. national security, this memorandum recommends that you exercise your authority to issue BOD 17-01.

Id. The Assistant Secretary's memo goes on to explain these concerns in far more detail than the Court will recount in this Opinion. However, certain of her findings warrant emphasis. First, according to a report prepared by the National Cybersecurity and Communications Integration Center (“NCCIC”), anti-virus products generally, and Kaspersky Lab products specifically, present unique security risks. AR0007. Because these products are intended to defend against cyber-threats, they require the highest level of privileges and access on the systems on which they are installed. Id. Those privileges may allow them to extract files and send them to company servers and may permit the interception of otherwise-encrypted communications. Id. Moreover, because these products are themselves supposed to defend the systems on which they are installed from malicious activities, they can be modified to intentionally not identify malicious files. Id. They can also be used to install malicious code under the guise of a security update, extract a file of interest under the pretext that it needs to be inspected for malware, or simply decline to install security updates that are needed. AR0008. In other words, if compromised, cybersecurity products like Kaspersky Lab's could end up being the proverbial fox guarding the hen house.

         Also warranting brief mention here is the memorandum's analysis of Kaspersky Lab's ties to the Russian government and intelligence agencies (including Eugene Kaspersky's personal ties). These include, among other things, reports that Kaspersky Lab has certificates and licenses from the Federal Security Service (“FSB”), a Russian intelligence service, that suggest a close relationship between Kaspersky Lab and that organization, as well as reports that Eugene Kaspersky, who graduated from an institute that was sponsored by the KGB and previously worked for the Russian Ministry of Defense, maintains close personal ties with Russian intelligence officers. AR0011-13. Other Kaspersky Lab leaders have similar pedigrees. AR0013.

         In addition to citing the above facts as her basis for concern that Kaspersky Lab products posed a cybersecurity risk on federal systems, Acting Secretary Duke also explained her reasoning for using a BOD to address this risk as opposed to a “debarment” process under the Federal Acquisition Regulation (“FAR”). AR0631. She concluded that debarment would not be effective because “debarment would affect only future contracts for a finite period; it would not require federal agencies to remove products previously purchased and installed on federal networks, and thus would not address current information security risks to federal information systems.” Id. Debarment also would allow third parties to continue selling Kaspersky Lab products to the federal government, and would allow agencies to continue contracts in existence at the time the contractor was debarred. Id. For those reasons, the Acting Secretary determined that debarment would not remove the threat DHS (and others) had identified because it would not completely remove Kaspersky Lab products from federal information systems. Id.[3]

         The BOD established an administrative process for the submission and consideration of comments on the removal of Kaspersky-branded products before that removal took place 90 days thereafter. AR0630. On the same day that BOD 17-01 was issued, Acting Secretary Duke also sent Eugene Kaspersky a letter informing him of the BOD and providing him “an opportunity to provide [DHS] with any information that [he thought was] relevant to [her] ongoing deliberations concerning [Kaspersky Lab's] products and services.” AR0637-38. The letter informed Mr. Kaspersky that he could initiate a review by DHS by providing the Department with a written response to the BOD and supporting evidence. Id. DHS also published a notice in the Federal Register that explained the actions required by BOD 17-01, and gave any entity whose commercial interests were directly impacted by the BOD an opportunity to respond, provide additional information, and initiate a review by DHS. AR0639-46. Mr. Kaspersky and other entities that wanted to respond were given 45 days to do so, and informed that a decision by the Secretary regarding their responses would be communicated to them in 85 days. AR0639, 646.

         F. Congressional Scrutiny of Kaspersky Lab Continues

         In the meantime, Congress continued to deliberate about the risks presented by the reliance on Kaspersky Lab products to defend federal systems. In October 2017, the House Science Committee held investigative hearings on the federal government's use of Kaspersky Lab products, and the implementation of BOD 17-01. See, e.g., Bolstering the Government's Cybersecurity: Assessing the Risks of Kaspersky Lab Products to the Federal Government Before the H. Comm. on Science, Space, and Technology, 115th Cong. 33 (Oct. 25, 2017). The BOD itself was discussed, as were the major issues raised by DHS about Kaspersky Lab products in the BOD proceedings, including, among other things, Kaspersky Lab and Eugene Kaspersky's ties to Russia and their susceptibility to exploitation by the Russian government. On October 31, 2017, the House Science Committee issued a report about the risks presented by the presence of Kaspersky Lab products on federal government systems and concluded that “Congress must take aggressive actions to support and assure a fundamentally different approach to cybersecurity that addresses the magnitude and nature of growing threats.” H.R. Rep. No. 115-376, at 4 (Oct. 31, 2017); see also Decl. of Ryan P. Fayhee, ECF No. 19-4 (“Fayhee Decl.”), Ex. D (transcript from November 2017 House Subcommittee on Oversight hearing regarding the implementation of BOD 17-01).

         G. Kaspersky Lab Responds to the BOD

         Kaspersky submitted a lengthy response to BOD 17-01 on November 10, 2017. AR0647-745; see also AR0746-48 (granting Kaspersky Lab a one-week extension of time to submit their response). According to Plaintiffs, the submission “rebutted at length the legal arguments and factual allegations levied against Plaintiffs, corrected many misunderstandings apparently held by DHS and perpetuated by the cited news reports, and highlighted the deficiencies in the administrative process offered by DHS.” Pls.' Mem. at 9. The submission argued, among other things, that Kaspersky Lab had no improper relationship with the Russian government; that there was no evidence that Kaspersky Lab had engaged in any wrongdoing or posed any more risk than similarly situated companies; that the BOD was based on uncorroborated and anonymous sources; that the administrative procedure surrounding the issuance of the BOD and for responding to the BOD was insufficient; and that the BOD violated Kaspersky Lab's equal protection and due process rights. Id. No other entity submitted a response to the BOD. AR0755.

         On November 29, 2017, Kaspersky Lab officials and their counsel met with DHS officials to discuss BOD 17-01. See Fayhee Decl. ¶ 6. DHS officials had declined to meet with Kaspersky Lab until after their written response to the BOD was submitted. AR0746-68. At the November 29, 2017 meeting, “Plaintiffs responded to a number [of] questions from DHS attorneys regarding the Kaspersky Lab Submission.” Fayhee Decl. ¶ 6. The meeting included a discussion of the company's submission and numerous related topics, including “Kaspersky's corporate structure, ” “the alleged effects to the company's business, ” “the NDAA, ” “Kaspersky's intention not to target federal business, ” and “mitigation proposals.” AR0755.

         H. Final Decision on BOD 17-01

         On December 6, 2017, Acting Secretary Duke issued a “Final Decision” on BOD 17-01. AR0934-37. She stated that the Department had “closely reviewed the Kaspersky Submission, ” “met with Kaspersky and its counsel, ” “identified additional statements made by Kaspersky from public sources, obtained information from agencies pursuant to the BOD 17-01 reporting requirements, and received a report on relevant provisions of Russian law prepared by Professor Peter Maggs of the University of Illinois College of Law, as well as a supplemental Assessment from the [NCCIC].” AR0935. Secretary Duke stated that “the information obtained by DHS since issuance of the BOD [did] not meaningfully impact, and indeed further support[ed], the information security and national security determination that [she] made in issuing the BOD.” AR0934. Accordingly-relying on the reasons explained in the preceding DHS memoranda- the Acting Secretary stated that her determination that Kaspersky-branded products presented a known or reasonably suspected information security threat, vulnerability, or risk to federal information and information systems remained unchanged, and that she maintained BOD 17-01 without modification. AR0935. Acting Secretary Duke sent a letter to Mr. Kaspersky notifying him of her decision the day it was issued. AR0938.

         The reasoning underlying the Final Decision was explained further in a memorandum from Assistant Secretary Manfra. AR0752-76. That memorandum indicated that fourteen federal government agencies had reported identifying Kaspersky-branded products on their information systems. AR0756. Some of those agencies had, on their own initiative, already removed those products prior to the 90-day deadline under BOD 17-01. Id. This was done of the agencies' own accord, pursuant to their own agency risk management responsibilities under FISMA. Id. DHS did not advise those agencies to remove the products before the BOD's 90-day deadline. Id. All other agencies had submitted plans to remove Kaspersky Lab products, but had not yet implemented them. Id.

         This memorandum also discussed the report on Russian law prepared by Professor Peter Maggs. AR0756; see also AR0777-821 (Report of Peter B. Maggs). Professor Maggs had prepared a report that, the memorandum indicated, supported DHS's view of Russian law and provided additional support for DHS's Russian law-related concerns (i.e., that under Russian law, the FSB could use companies like Kaspersky Lab with or without their consent). Id. The memorandum also contained approximately 18 pages of detailed responses to the arguments in Kaspersky Lab's response to BOD 17-01, explaining why those arguments were not persuasive to DHS. AR0757-75. In conclusion, the Assistant Secretary stated that, “the totality of the administrative record, ” including Kaspersky Lab's submission, “presents a compelling picture of the various ways that the Russian Government, and particularly the FSB intelligence agency, can compel, request, and otherwise exploit the access provided by Kaspersky-branded products to the information and information systems of Kaspersky customers, including U.S. government customers.” AR0775.

         I. The National Defense Authorization Act for Fiscal Year 2018

         Almost immediately after the BOD was finalized, it was effectively superseded by an act of Congress. On the heels of DHS's proceedings, Congress passed, and President Donald J. Trump signed into law, the NDAA. See PL 115-91, 2017 HR 2810, PL 115-91, December 12, 2017, 131 Stat 1283. In very summary terms, the NDAA is a law that authorizes appropriations and sets policies for Department of Defense programs and activities.

         The relevant portion of the NDAA for the purposes of this Opinion is Section 1634. Section 1634 falls within Subtitle C of the Act, entitled “Cyberspace-Related Matters.” Section 1634(c) requires the Secretary of Defense, in consultation with other agencies, to conduct a review of procedures for removing suspect products and services from federal information technology networks and to submit a report to Congress on the same. Section 1634(a) focuses on Kaspersky Lab products. It states that “[n]o department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by-(1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.” Id. § 1634(a). Section 1634(b) sets October 1, 2018, as the effective date for the prohibition. Id. § 1634(b).

         This prohibition is broader in scope than BOD 17-01 in two ways. First, it applies to all Kaspersky Lab products (hardware, software, and services), whereas the BOD only applied to a smaller subset of “Kaspersky-branded products.” Second, unlike BOD 17-01, the NDAA does not have any carve outs or exceptions for national security systems or other systems used by the Department of Defense or the intelligence community.

         As initially introduced, the NDAA did not contain a provision regarding Kaspersky Lab products. An amendment to the Act adding a prohibition on the use of Kaspersky Lab products was first introduced by Senator Jeanne Shaheen of New Hampshire. A Senate Armed Services Committee executive summary described the amendment as a response to “reports that the Moscow-based company might be vulnerable to Russian government influence.” NDAA FY 2018, U.S. Senate Armed Services Committee, at 10, https://www.armed-services.senate. gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf. Senator Shaheen's proposed prohibition appears to have attracted bipartisan support in Congress and grown broader before it was eventually passed into law as Section 1634.

         Plaintiffs' lawsuits cite certain statements Senator Shaheen made to the public regarding the proposed prohibition and Kaspersky Lab generally around the time that the amendment was introduced and adopted. On September 4, 2017, the New York Times published an editorial authored by Senator Shaheen, in which she asserted that the use of Kaspersky Lab products by federal agencies created a “threat” of Russian cyber-interference, and that she was proposing an amendment to bar federal government use of those products “to close this alarming national security vulnerability.” See Compl., Ex. C, NDAA ECF No. 1-3. In addition, in a September 18, 2017, press release, issued after an amendment to the NDAA barring the use ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.