
Kaspersky Lab, Inc. v. United States Department of Homeland Security

United States Court of Appeals, District of Columbia Circuit

November 30, 2018

Kaspersky Lab, Inc. and Kaspersky Labs Limited, Appellants
v.
United States Department of Homeland Security and Kirstjen M. Nielsen, in her official capacity as Secretary of Homeland Security, Appellees

          Argued September 14, 2018

          Appeals from the United States District Court for the District of Columbia (No. 1:17-cv-02697) (No. 1:18-cv-00325)

          Scott H. Christensen argued the cause for appellants. With him on the briefs were Ryan P. Fayhee and Stephen R. Halpin III.

          Lewis S. Yelin, Attorney, U.S. Department of Justice, argued the cause for appellees. With him on the brief was H. Thomas Byron, III.

          Before: Tatel, Circuit Judge, and Edwards and Ginsburg, Senior Circuit Judges.

          OPINION

          Tatel, Circuit Judge

         Kaspersky Lab is a Russian-based cybersecurity company that provides products and services to customers around the world. Recently, however, Kaspersky lost an important client: the United States government. In September 2017, based on concerns that the Russian government could exploit Kaspersky's access to federal computers for ill, the Acting Secretary of Homeland Security directed federal agencies to remove the company's products from government information systems. And a few months later, Congress broadened and codified that prohibition in the National Defense Authorization Act. Kaspersky sued, arguing that the prohibition constitutes an impermissible legislative punishment - what the Constitution calls a bill of attainder. The government responded that the prohibition is not a punishment but a prophylaxis necessary to protect federal computer systems from Russian cyber-threats. In consolidated cases, the district court concluded that Kaspersky failed to adequately allege that Congress enacted a bill of attainder and that the company lacked standing to bring a related suit against the Department of Homeland Security. The district court thus granted the government's motions to dismiss. We affirm.

         I.

         According to the allegations contained in Kaspersky's complaint, which we "must . . . accept . . . as true" at the motion-to-dismiss stage, Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007), Kaspersky Lab is one of the world's largest cybersecurity companies. See Complaint, Kaspersky Lab, Inc. v. United States, No. 1:18-cv-00325, ¶ 18 (D.D.C. Feb. 12, 2018) ("Compl."). Kaspersky operates in 200 countries and territories and maintains 35 offices in 31 of those countries. Id. The United States is one of Kaspersky's most important geographic markets, and Kaspersky has "a substantial interest in its ability to conduct federal government business." Id. ¶¶ 22-23.

         Ranking among the world's top four cybersecurity vendors, Kaspersky "has successfully investigated and disrupted" cyberattacks by "Arabic-, Chinese-, English-, French-, Korean-, Russian-, and Spanish-speaking" hackers. Id. ¶¶ 20-21. Founded by a Russian national and headquartered in Moscow, Kaspersky boasts that its "presence in Russia and its deployment in areas of the world in which many sophisticated cyberthreats originate . . . makes it a unique and essential partner in the fight against such threats," including hacker groups with suspected connections to Russian intelligence services. Id. ¶ 20.

         But the U.S. government has come to disagree. Around the beginning of 2017, executive and legislative branch officials began voicing concerns that Kaspersky's ties to Russia make it a proverbial fox in the government's cyber-henhouse: a threat to the very systems it is meant to protect.

         The chorus of concern about Kaspersky began to swell in the spring of 2017. Between March and July of that year, Kaspersky garnered attention in at least five committee hearings before both houses of Congress. For example, at one hearing dedicated to the subject of Russian cyber-operations, Senator Marco Rubio highlighted "open source reports" detailing ties between Kaspersky's founder, Eugene Kaspersky, and the Russian Federal Security Service, successor to the KGB. Disinformation: A Primer in Russian Active Measures and Influence Campaigns Panel II: Hearing Before the Senate Committee on Intelligence, 115th Cong., pt. 2, at 40 (2017). And at a later hearing, Senator Rubio asked six heads of various U.S. intelligence agencies, including the Central Intelligence Agency and the Federal Bureau of Investigation, whether they would install Kaspersky software on their own computers. All six replied no. See Open Hearing on Worldwide Threats: Hearing Before the Senate Committee on Intelligence ("Worldwide Threats"), 115th Cong. 48 (2017).

         In September 2017, the Acting Secretary of Homeland Security issued Binding Operational Directive 17-01 (the "Directive"), which required most federal agencies to begin removing "Kaspersky-branded products" from their information systems within 90 days. National Protection and Programs Directorate; Notification of Issuance of Binding Operational Directive 17-01 and Establishment of Procedures for Responses ("BOD-17-01"), 82 Fed. Reg. 43,782, 43,783 (Sept. 19, 2017). Invoking her statutory authority to issue directives "for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk," 44 U.S.C. § 3552(b)(1), the Acting Secretary justified the Directive based on an interagency assessment of "the risks presented by Kaspersky-branded products," BOD-17-01, 82 Fed. Reg. at 43,783. The Directive gave Kaspersky roughly two months to submit a response and announced that the Acting Secretary would issue a final decision by mid-December. BOD-17-01, 82 Fed. Reg. at 43,784.

         More congressional hearings followed. In October, the House Science Committee's Subcommittee on Oversight held a hearing on the potential threat posed by Kaspersky products to federal information systems. See Bolstering the Government's Cybersecurity: Assessing the Risk of Kaspersky Lab Products to the Federal Government: Hearing Before the House Subcommittee on Oversight, House Committee on Science, Space, and Technology, 115th Cong. 3 (2017). Several members expressed deep concerns about Eugene Kaspersky's personal and professional ties to Russia, citing reports that he was "educated at a KGB cryptography institute" and "worked for the Russian intelligence services before starting his software company." Id. at 12 (statement of Donald S. Beyer); see also id. at 4 (statement of Lamar S. Smith); id. at 8 (statement of Darin LaHood). The Committee also heard testimony about the susceptibility of the company's software to Russian exploitation, with one expert explaining that due to Russia's permissive "telecommunications surveillance and monitoring laws," Kaspersky could passively - in the absence of any "willful complicity or collaboration" in a Russian cyber-operation - provide the Russian government access to federal computers. Id. at 44 (testimony of Sean Kanuck).

         The same subcommittee held a second hearing on November 14, this time to survey agencies' compliance with the Directive. See Bolstering the Government's Cybersecurity: A Survey of Compliance with the DHS Directive: Hearing Before the House Subcommittee on Oversight, House Committee on Science, Space, and Technology, 115th Cong. 22 (2017). The subcommittee heard testimony from Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security, who described the Department's rationale for issuing the Directive. She emphasized three concerns. First, "certain Kaspersky officials" enjoy "ties" to "Russian intelligence and other government officials." Id. at 19. Second, Russian law "allow[s] Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks." Id. And third, all antivirus software, including Kaspersky's, receives "broad access" to the systems on which it operates. Id. So like a thief who has stolen a security guard's master key, a cyberattacker can exploit antivirus software's "elevated privileges" to inflict serious damage on the systems the software ostensibly protects. Id. In the Department's view, Manfra concluded, the Directive "is a reasonable, measured approach to the information security risks posed by . . . [Kaspersky] products to the federal government." Id.

         Congress apparently agreed with the Department of Homeland Security's assessment that Kaspersky software presented a serious threat. Earlier, in July 2017, when considering the Senate version of the National Defense Authorization Act for Fiscal Year 2018 ("NDAA"), the Senate Armed Services Committee, citing "reports that the Moscow-based company might be vulnerable to Russian government influence," recommended adding a provision that would prohibit the Department of Defense from using any Kaspersky software. Senate Armed Services Committee, NDAA FY18 Executive Summary 10 (2017), http://go.usa.gov/xU5JC; see also S. Rep. No. 115-125, at 302 (2017) (recommending "a provision that would prohibit any component of the Department of Defense from using, whether directly or through work with or on behalf of another element of the United States Government, . . . any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership"). Later, after the Senate received the House version of the NDAA, Senator Jeanne Shaheen introduced an amendment that would prohibit all federal agencies from using Kaspersky products. See S. Amd. 663, 163 Cong. Rec. S4578 (daily ed. July 27, 2017). The final version of the NDAA, which included a version of Shaheen's amendment, see H.R. Rep. No. 115-404, at 460-62 (2017) (Conf. Rep.), passed the House on November 14 and the Senate on November 16.

         The legislative prohibition on Kaspersky products appears in section 1634 of the NDAA. Subsections (a) and (b) require that, beginning October 1, 2018:

No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by - (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.

NDAA, Pub. L. No. 115-91, § 1634, 131 Stat. 1283, 1740 (2017). In contrast to the narrow focus of subsections (a) and (b), subsection (c) of section 1634 mandates a broader review of federal cybersecurity, directing the Secretary of Defense, in consultation with other agency heads, to review and report on "the procedures for removing suspect products or services from the information technology networks of the Federal Government." Id. § 1634(c).

         The President signed the NDAA in mid-December 2017, just a few days after the Secretary finalized the Directive.

         Kaspersky filed suit shortly thereafter - or, more precisely, two Kasperskys filed two suits. Kaspersky Lab, Inc., a Massachusetts corporation, and Kaspersky Labs Limited, its U.K. parent (collectively, "Kaspersky"), first filed a complaint against the Department of Homeland Security. See Complaint, Kaspersky Lab, Inc. v. U.S. Department of Homeland Security, No. 1:17-cv-02697, ¶ 21 (D.D.C. Dec. 18, 2017). This case challenged the Directive under the Administrative Procedure Act; we shall call this the "Directive Case." The same two companies then filed a second complaint, this time against the United States, alleging that the NDAA violates the Constitution's prohibition on bills of attainder. See Complaint, Kaspersky Lab, Inc. v. United States, No. 1:18-cv-00325, ¶ 4 (D.D.C. Feb. 12, 2018). We shall call this the "NDAA Case."

         The district court consolidated the two cases for the purpose of resolving related dispositive motions, namely, cross-motions for summary judgment and a motion to dismiss in the Directive Case and a motion to dismiss in the NDAA Case. Kaspersky Lab, Inc. v. U.S. Department of Homeland Security, No. 1:17-cv-02697 (D.D.C. Feb. 16, 2018). The district court granted the government's motion to dismiss the NDAA Case for failure to state a claim, concluding that Kaspersky had failed to plausibly allege that section 1634 constitutes a bill of attainder. See Kaspersky Lab, Inc. v. U.S. Department of Homeland Security, 311 F.Supp.3d 187, 205-18, 223 (D.D.C. 2018). Furthermore, because section 1634 covers more products and more agencies than the Directive, the court concluded that invalidating the Directive alone would redress none of Kaspersky's injuries, so it dismissed the Directive Case for lack of Article III standing. See id. at 218-23.

         Kaspersky now appeals both orders. We review de novo a "district court's dismissal of a complaint for lack of standing or for failure to state a claim." Washington Alliance of Technology Workers v. U.S. Department of Homeland Security, 89 ...

