United States Court of Appeals, District of Columbia Circuit
Kaspersky Lab, Inc. and Kaspersky Labs Limited, Appellants
United States Department of Homeland Security and Kirstjen M. Nielsen, in her official capacity as Secretary of Homeland Security, Appellees
September 14, 2018
Appeals from the United States District Court for the
District of Columbia (No. 1:17-cv-02697) (No. 1:18-cv-00325)
H. Christensen argued the cause for appellants. With him on
the briefs were Ryan P. Fayhee and Stephen R. Halpin III.
S. Yelin, Attorney, U.S. Department of Justice, argued the
cause for appellees. With him on the brief was H. Thomas
Before: Tatel, Circuit Judge, and Edwards and Ginsburg,
Senior Circuit Judges.
Lab is a Russian-based cybersecurity company that provides
products and services to customers around the world.
Recently, however, Kaspersky lost an important client: the
United States government. In September 2017, based on
concerns that the Russian government could exploit
Kaspersky's access to federal computers for ill, the
Acting Secretary of Homeland Security directed federal
agencies to remove the company's products from government
information systems. And a few months later, Congress
broadened and codified that prohibition in the National
Defense Authorization Act. Kaspersky sued, arguing that the
prohibition constitutes an impermissible legislative
punishment-what the Constitution calls a bill of attainder.
The government responded that the prohibition is not a
punishment but a prophylaxis necessary to protect federal
computer systems from Russian cyber-threats. In consolidated
cases, the district court concluded that Kaspersky failed to
adequately allege that Congress enacted a bill of attainder
and that the company lacked standing to bring a related suit
against the Department of Homeland Security. The district
court thus granted the government's motions to dismiss.
to the allegations contained in Kaspersky's complaint,
which we "must . . . accept . . . as true" at the
motion-to-dismiss stage, Tellabs, Inc. v. Makor Issues
& Rights, Ltd., 551 U.S. 308, 322 (2007), Kaspersky
Lab is one of the world's largest cybersecurity
companies. See Complaint, Kaspersky Lab, Inc. v.
United States, No. 1:18-cv-00325, ¶ 18 (D.D.C. Feb.
12, 2018) ("Compl."). Kaspersky operates in 200
countries and territories and maintains 35 offices in 31 of
those countries. Id. The United States is one of
Kaspersky's most important geographic markets, and
Kaspersky has "a substantial interest in its ability to
conduct federal government business." Id.
among the world's top four cybersecurity vendors,
Kaspersky "has successfully investigated and
disrupted" cyberattacks by "Arabic-, Chinese-,
English-, French-, Korean-, Russian-, and
Spanish-speaking" hackers. Id. ¶¶
20-21. Founded by a Russian national and headquartered in
Moscow, Kaspersky boasts that its "presence in Russia
and its deployment in areas of the world in which many
sophisticated cyberthreats originate . . . makes it a unique
and essential partner in the fight against such
threats," including hacker groups with suspected
connections to Russian intelligence services. Id.
U.S. government has come to disagree. Around the beginning of
2017, executive and legislative branch officials began
voicing concerns that Kaspersky's ties to Russia make it
a proverbial fox in the government's cyber-henhouse: a
threat to the very systems it is meant to protect.
chorus of concern about Kaspersky began to swell in the
spring of 2017. Between March and July of that year,
Kaspersky garnered attention in at least five committee
hearings before both houses of Congress. For example, at one
hearing dedicated to the subject of Russian cyber-operations,
Senator Marco Rubio highlighted "open source
reports" detailing ties between Kaspersky's founder,
Eugene Kaspersky, and the Russian Federal Security Service,
successor to the KGB. Disinformation: A Primer in Russian
Active Measures and Influence Campaigns Panel II:
Hearing Before the Senate Committee on
Intelligence, 115th Cong., pt. 2, at 40 (2017). And at a
later hearing, Senator Rubio asked six heads of various U.S.
intelligence agencies, including the Central Intelligence
Agency and the Federal Bureau of Investigation, whether they
would install Kaspersky software on their own computers. All
six replied no. See Open Hearing on Worldwide Threats:
Hearing Before the Senate Committee on Intelligence
("Worldwide Threats"), 115th Cong. 48
September 2017, the Acting Secretary of Homeland Security
issued Binding Operational Directive 17-01 (the
"Directive"), which required most federal agencies
to begin removing "Kaspersky-branded products" from
their information systems within 90 days. National Protection
and Programs Directorate; Notification of Issuance of Binding
Operational Directive 17-01 and Establishment of Procedures
for Responses ("BOD-17-01"), 82 Fed. Reg. 43, 782,
43, 783 (Sept. 19, 2017). Invoking her statutory authority to
issue directives "for purposes of safeguarding Federal
information and information systems from a known or
reasonably suspected information security threat,
vulnerability, or risk," 44 U.S.C. § 3552(b)(1),
the Acting Secretary justified the Directive based on an
interagency assessment of "the risks presented by
Kaspersky-branded products," BOD-17-01, 82 Fed. Reg. at
43, 783. The Directive gave Kaspersky roughly two months to
submit a response and announced that the Acting Secretary
would issue a final decision by mid-December. BOD-17-01, 82
Fed. Reg. at 43, 784.
congressional hearings followed. In October, the House
Science Committee's Subcommittee on Oversight held a
hearing on the potential threat posed by Kaspersky products
to federal information systems. See Bolstering the
Government's Cybersecurity: Assessing the Risk of
Kaspersky Lab Products to the Federal Government: Hearing
Before the House Subcommittee on Oversight, House
Committee on Science, Space, and Technology, 115th Cong.
3 (2017). Several members expressed deep concerns about
Eugene Kaspersky's personal and professional ties to
Russia, citing reports that he was "educated at a KGB
cryptography institute" and "worked for the Russian
intelligence services before starting his software
company." Id. at 12 (statement of Donald S.
Beyer); see also id. at 4 (statement of Lamar S.
Smith); id. at 8 (statement of Darin LaHood). The
Committee also heard testimony about the susceptibility of
the company's software to Russian exploitation, with one
expert explaining that due to Russia's permissive
"telecommunications surveillance and monitoring
laws," Kaspersky could passively-in the absence of any
"willful complicity or collaboration" in a Russian
cyber-operation-provide the Russian government access to
federal computers. Id. at 44 (testimony of Sean
same subcommittee held a second hearing on November 14, this
time to survey agencies' compliance with the Directive.
See Bolstering the Government's Cybersecurity: A
Survey of Compliance with the DHS Directive: Hearing Before
the House Subcommittee on Oversight, House Committee on
Science, Space, and Technology, 115th Cong. 22 (2017).
The subcommittee heard testimony from Jeanette Manfra,
Assistant Secretary for Cybersecurity and Communications at
the Department of Homeland Security, who described the
Department's rationale for issuing the Directive. She
emphasized three concerns. First, "certain Kaspersky
officials" enjoy "ties" to "Russian
intelligence and other government officials."
Id. at 19. Second, Russian law "allow[s]
Russian intelligence agencies to request or compel assistance
from Kaspersky and to intercept communications transiting
Russian networks." Id. And third, all antivirus
software, including Kaspersky's, receives "broad
access" to the systems on which it operates.
Id. So like a thief who has stolen a security
guard's master key, a cyberattacker can exploit antivirus
software's "elevated privileges" to inflict
serious damage on the systems the software ostensibly
protects. Id. In the Department's view, Manfra
concluded, the Directive "is a reasonable, measured
approach to the information security risks posed by . . .
[Kaspersky] products to the federal government."
apparently agreed with the Department of Homeland
Security's assessment that Kaspersky software presented a
serious threat. Earlier, in July 2017, when considering the
Senate version of the National Defense Authorization Act for
Fiscal Year 2018 ("NDAA"), the Senate Armed
Services Committee, citing "reports that the
Moscow-based company might be vulnerable to Russian
government influence," recommended adding a provision
that would prohibit the Department of Defense from using any
Kaspersky software. Senate Armed Services Committee, NDAA
FY18 Executive Summary 10 (2017),
http://go.usa.gov/xU5JC; see also S. Rep.
No. 115-125, at 302 (2017) (recommending "a provision
that would prohibit any component of the Department of
Defense from using, whether directly or through work with or
on behalf of another element of the United States Government,
. . . any software platform developed, in whole or in part,
by Kaspersky Lab or any entity of which Kaspersky Lab has a
majority ownership"). Later, after the Senate received
the House version of the NDAA, Senator Jeanne Shaheen
introduced an amendment that would prohibit all federal
agencies from using Kaspersky products. See S. Amd.
663, 163 Cong. Rec. S4578 (daily ed. July 27, 2017). The
final version of the NDAA, which included a version of
Shaheen's amendment, see H.R. Rep. No. 115-404,
at 460-62 (2017) (Conf. Rep.), passed the House on November
14 and the Senate on November 16.
legislative prohibition on Kaspersky products appears in
section 1634 of the NDAA. Subsections (a) and (b) require
that, beginning October 1, 2018:
No department, agency, organization, or other element of the
Federal Government may use, whether directly or through work
with or on behalf of another department, agency,
organization, or element of the Federal Government, any
hardware, software, or services developed or provided, in
whole or in part, by-(1) Kaspersky Lab (or any successor
entity); (2) any entity that controls, is controlled by, or
is under common control with Kaspersky Lab; or (3) any entity
of which Kaspersky Lab has majority ownership.
NDAA, Pub. L. No. 115-91, § 1634, 131 Stat. 1283, 1740
(2017). In contrast to the narrow focus of subsections (a)
and (b), subsection (c) of section 1634 mandates a broader
review of federal cybersecurity, directing the Secretary of
Defense, in consultation with other agency heads, to review
and report on "the procedures for removing suspect
products or services from the information technology networks
of the Federal Government." Id. § 1634(c).
President signed the NDAA in mid-December 2017, just a few
days after the Secretary finalized the Directive.
filed suit shortly thereafter-or, more precisely, two
Kasperskys filed two suits. Kaspersky Lab, Inc., a
Massachusetts corporation, and Kaspersky Labs Limited, its
U.K. parent (collectively, "Kaspersky"), first
filed a complaint against the Department of Homeland
Security. See Complaint, Kaspersky Lab, Inc. v.
U.S. Department of Homeland Security, No. 1:17-cv-02697,
¶ 21 (D.D.C. Dec. 18, 2017). This case challenged the
Directive under the Administrative Procedure Act; we shall
call this the "Directive Case." The same two
companies then filed a second complaint, this time against
the United States, alleging that the NDAA violates the
Constitution's prohibition on bills of attainder.
See Complaint, Kaspersky Lab, Inc. v. United
States, No. 1:18-cv-00325, ¶ 4 (D.D.C. Feb. 12,
2018). We shall call this the "NDAA Case."
district court consolidated the two cases for the purpose of
resolving related dispositive motions, namely, cross-motions
for summary judgment and a motion to dismiss in the Directive
Case and a motion to dismiss in the NDAA Case. Kaspersky
Lab, Inc. v. U.S. Department of Homeland Security, No.
1:17-cv-02697 (D.D.C. Feb. 16, 2018). The district court
granted the government's motion to dismiss the NDAA Case
for failure to state a claim, concluding that Kaspersky had
failed to plausibly allege that section 1634 constitutes a
bill of attainder. See Kaspersky Lab, Inc. v. U.S.
Department of Homeland Security, 311 F.Supp.3d 187, 205-
18, 223 (D.D.C. 2018). Furthermore, because section 1634
covers more products and more agencies than the Directive,
the court concluded that invalidating the Directive alone
would redress none of Kaspersky's injuries, so it
dismissed the Directive Case for lack of Article III
standing. See id. at 218- 23.
now appeals both orders. We review de novo a "district
court's dismissal of a complaint for lack of standing or
for failure to state a claim." Washington Alliance
of Technology Workers v. U.S. Department of Homeland
Security, 89 ...