Kaspersky Lab, Inc. v. U.S. Dep't of Homeland Sec.

• Decision Date: 30 May 2018
• Docket Number: Civil Action No. 18–325 (CKK),Civil Action No. 17–2697 (CKK)
• Citation: 311 F.Supp.3d 187
• Parties: KASPERSKY LAB, INC., et al., Plaintiffs v. UNITED STATES DEPARTMENT OF HOMELAND SECURITY, et al., Defendants Kaspersky Lab, Inc., et al., Plaintiffs v. United States of America, Defendant
• Court: U.S. District Court — District of Columbia

311 F.Supp.3d 187

KASPERSKY LAB, INC., et al., Plaintiffs

v.UNITED STATES DEPARTMENT OF HOMELAND SECURITY, et al., Defendants

Kaspersky Lab, Inc., et al., Plaintiffs

v.United States of America, Defendant

Civil Action No. 17–2697 (CKK)

Civil Action No. 18–325 (CKK)

United States District Court, District of Columbia.

Filed May 30, 2018

Ryan P. Fayhee, Steven Michael Chasin, Baker & McKenzie LLP, Washington, DC, for Plaintiff.

Sam M. Singer, U.S. Department of Justice, Washington, DC, for Defendant.

MEMORANDUM OPINION

COLLEEN KOLLAR–KOTELLY, United States District Judge

The United States government's networks and computer systems are extremely important strategic national assets. Threats to these systems are constantly expanding and evolving. Their security depends on the government's ability to act swiftly against perceived threats and to take preventive action to minimize vulnerabilities. These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional.

Plaintiffs in the two lawsuits discussed in this Opinion represent Kaspersky Lab, a large multinational cybersecurity company headquartered in Russia. At least until 2017, Kaspersky Lab's cybersecurity products were used to defend the networks and computer systems of a number of United States federal government agencies. Amid growing concerns in early 2017 about malicious Russian cyber activity against the United States, government officials and members of Congress began asking questions, and voicing concerns, about the presence of these products on government systems. These concerns were based on the risk that the use of Kaspersky Lab products to defend United States government computer systems could be exploited by Russia, either with or without Kaspersky Lab's consent, cooperation, or knowledge. The concerns were fueled, in very summary form, by some combination of the following facts: Kaspersky Lab products enjoy extremely broad access and elevated privileges within the computer systems on which they are installed; Kaspersky Lab is headquartered in Russia; Kaspersky Lab and its founder and Chief Executive Officer, Eugene Kaspersky, have close connections to the Russian government and intelligence services; Kaspersky Lab products cycle users' data to the company's servers that are based in (or accessible from) Russia; Kaspersky Lab is subject to Russian laws that allow the Russian government to request or compel assistance from Russian companies, and is also susceptible to non-legal forms of pressure from the Russian government.

The apparent national security risk presented by federal government agencies using Kaspersky Lab products eventually proved intolerable to both Executive Branch officials and Congress. On September 13, 2017, the Department of Homeland Security ("DHS") issued a Binding Operative Directive ("BOD 17–01") pursuant to the Federal Information Security Modernization Act of 2014 ("FISMA"), that required all federal departments and agencies to identify and, ninety days later, remove Kaspersky Lab products from their systems. That directive was soon effectively superseded when Congress passed the National Defense Authorization Act for Fiscal Year 2018 ("NDAA"), which contains a provision entitled "Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab." As its title suggests, that provision prohibits all elements of the federal government from using any Kaspersky Lab products or services.

Shortly after BOD 17–01 was finalized and the NDAA was signed into law, Kaspersky Lab filed a lawsuit (17–cv–2697) claiming that the BOD violated the Administrative Procedures Act ("APA") and the Due Process Clause of the Fifth Amendment to the United States Constitution (hereinafter the "BOD Lawsuit"). The BOD Lawsuit did not challenge the legality of the NDAA's prohibition on the use of Kaspersky Lab products. Months later, after this omission became a point of contention regarding Plaintiffs' standing in the BOD Lawsuit, Plaintiffs filed a second lawsuit (18–cv–325) claiming that the NDAA's prohibition was an unconstitutional bill of attainder (hereinafter the "NDAA Lawsuit").

These lawsuits are separate and distinct, but both are pending before this Court.

The Court is issuing this Opinion in both lawsuits, because there are motions pending in each that present overlapping and interrelated issues. Those motions include: Defendant's [10] Motion to Dismiss the Complaint in the NDAA Lawsuit, Plaintiffs' [19] Motion for Summary Judgment in the BOD Lawsuit, and Defendants' [21] Motion to Dismiss or Alternatively for Summary Judgment in the BOD Lawsuit.

Having carefully reviewed the record, the pleadings,¹ and the relevant authorities, the Court GRANTS Defendant's Motion to Dismiss the NDAA Lawsuit. Plaintiffs have not plausibly alleged that the NDAA constitutes a bill of attainder. A bill of attainder is "a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without provision of the protections of a judicial trial." Nixon v. Adm'r of Gen. Servs. , 433 U.S. 425, 468, 97 S.Ct. 2777, 53 L.Ed.2d 867 (1977). The NDAA does not inflict "punishment" on Kaspersky Lab. It eliminates a perceived risk to the Nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.

Having carefully reviewed the record, the pleadings,² and the relevant authorities, the Court also GRANTS Defendants' Motion to Dismiss the BOD Lawsuit for lack of standing. Plaintiffs allege that BOD 17–01 causes them harm by depriving them of the ability to sell to the United States federal government and by damaging their reputation. Even if the Court were to rule in Plaintiffs' favor in the BOD Lawsuit and order the rescission of BOD 17–01, these harms would continue. The NDAA would remain on the books, preventing any federal government agency from purchasing Kaspersky Lab products. It is true that the NDAA's prohibition does not become effective until October 1, 2018. However, government agencies have likely already removed all Kaspersky Lab products from their systems as a result of BOD 17–01 and they know that, regardless, all such products must be removed by the fast-approaching NDAA effective date. Under these circumstances, it is completely implausible that any government entity would purchase a Kaspersky Lab product before October 1st. Accordingly, the empty "right" to sell to the federal government for the short period before October 1st that Plaintiffs could stand to gain from success in the BOD Lawsuit lacks any concrete value. It is insufficient to confer standing. An order rescinding the BOD would also not redress the alleged harm to Plaintiffs' reputation as a cybersecurity business because, according to Plaintiffs themselves, the NDAA independently causes, at least, that same harm. Plaintiffs attempted to avoid this jurisdictional roadblock by filing a separate lawsuit challenging the NDAA, but even if the later-filed NDAA Lawsuit had any relevance to Plaintiffs' standing in the BOD Lawsuit, that relevance has been eliminated by its dismissal. Because the BOD Lawsuit is dismissed for lack of standing, the Court need not reach the parties' cross-motions for summary judgment.

I. BACKGROUND

A. The Threat of Russian Cyber–Attacks

An important context of Plaintiffs' lawsuits, which neither party appears to dispute, is that it is the assessment of the United States government that cyber-attacks, especially from Russia, present a potent threat to critical United States infrastructure. As described by then-Director of National Intelligence James R. Clapper in a statement to the Senate Armed Services Committee in 2015, "[p]olitically motivated cyber-attacks are now a growing reality, and foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary's intent became hostile." AR0106. "[T]hose conducting cyber espionage are targeting US government, military, and commercial networks on a daily basis." Id. As current Director of National Intelligence Daniel R. Coats recently stated in a similar report, "Russia is a full-scope cyber actor that will remain a major threat to US Government, military, diplomatic, commercial, and critical infrastructure." AR0065. "Moscow has a highly advanced offensive cyber program, and in recent years, the Kremlin has assumed a more aggressive cyber posture." Id. "This aggressiveness was evident in Russia's efforts to influence the 2016 US election." Id.

B. Kaspersky Lab and Eugene Kaspersky

Kaspersky Lab is a large cybersecurity company headquartered in Moscow. See Decl. of Angelo Gentile, BOD Lawsuit ECF No. 19–3 ("Gentile Decl."), ¶¶ 9–11. It sells products that are intended to protect its customers' computer systems against cyber-threats. Id. ¶ 9. The company was founded in 1997 by Eugene Kaspersky, who serves as the company's Chief Executive Officer. Id. ¶ 11. Kaspersky Lab is a multinational corporation present in countries throughout the world, but the particular Plaintiffs in the two lawsuits discussed in this Opinion are Kaspersky Lab, Inc., a Massachusetts corporation that acts as the North American headquarters for Kaspersky Lab, and Kaspersky Lab Limited, a U.K.-based holding company for Kaspersky Lab entities. Id. ¶¶ 4, 9–11.

It is important to note that Kaspersky Lab does not sell its products exclusively to the United States federal government. Id. ¶ 9. Far from it. To the contrary, "[o]ver 400 million users—from governments to private individuals, commercial enterprise to critical infrastructure owners and operators alike—utilize Kaspersky Lab technologies." Id. ¶ 9. Indeed, only a tiny fraction of Kaspersky Lab sales in the United States are to the federal government. Id. ¶ 15. "Active licenses held by federal agencies in September 2017 had a total value (t...