Wednesday, May 30, 2018
Judge Colleen Kollar-Kotelly (D.D.C.) today tossed two lawsuits filed by Kaspersky Lab arising out of the government's rejection of Kaspersky products. The ruling ends Kaspersky's challenges and means that the federal prohibition on government use of Kaspersky products stays on the books.
Kaspersky Lab, the Russian cyber-security firm, filed its first suit in response to the Department of Homeland Security's Binding Operative Directive that required all federal departments and agencies to stop using Kaspersky products. DHS issued the BOD out of concern that Kaspersky products on the government's networks and computer systems could create a security risk. Kaspersky argued that the BOD violated the Administrative Procedure Act and the Fifth Amendment.
Kaspersky filed its second suit in response to the National Defense Authorization Act, which also prohibited the government from using Kaspersky products. (The NDAA contained a somewhat broader prohibition, effective October 1, 2018.) Kaspersky argued that the NDAA was an unconstitutional bill of attainder.
The court ruled first that the NDAA did not violate the Bill of Attainder Clause, because the prohibition wasn't "punishment" under any of the three tests adopted by the D.C. Circuit (the "Historical Test," the "Functional Test," or the "Motivational Test"). The court dismissed this suit.
The court next ruled that Kaspersky lacked standing to challenge DHS's BOD, because any ruling in its favor wouldn't redress its harm. In particular, the court said that revoking the BOD wouldn't do anything to allow Kaspersky to sell its products to the government, because the (valid) prohibition in the NDAA would prohibit that. The court said that the government, knowing that the NDAA's ban takes effect on October 1, 2018, wouldn't purchase any Kaspersky products in the interim.
The ruling means that the bans on Kaspersky products stay on the books, and the government must remove all Kaspersky products from its systems.