There is a constant drumbeat of Russian threat stories these days, but none is more important to Internet governance than the legal battle between Kaspersky Labs and the United States. It highlights the dangers of nation-states inserting themselves into cybersecurity governance, and shows why the alignment of cybersecurity with nation-states puts at risk companies and economies built around a global Internet.

The U.S. Department of Homeland Security’s Binding Operational Directive 17-01 (BOD), released for comment in September 2017, ordered all USG agencies to remove all Kaspersky information security products, solutions, and services from their networks. The Final Decision by DHS in December came right after Congress’s National Defense Authorization Act for FY 2018 (NDAA), which stated that “[n]o department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part,” by Kaspersky or related entities (Section 1634(a)). In its Final Decision, DHS alleged that its ban was necessary because of:

[1] the broad access to files and elevated privileges of anti-virus software, including Kaspersky software; [2] ties between Kaspersky officials and Russian government agencies; and [3] requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers, including U.S. government customers.

Kaspersky Labs did not respond to this ban by quietly slinking away like an exposed spy. The USG is not a big customer for the company; it has less than $54K in contracts with federal agencies. But the U.S. has been, and remains, one of the most significant geographic markets in Kaspersky Lab’s global business. Kaspersky first attempted to engage the administrative process and dissuade DHS from enforcing the BOD. When DHS decided to enforce the BOD anyway, Kaspersky challenged it in court, and now they have additionally challenged the legality of the NDAA. This case allows us, for the first time, to get a more complete sense of the actual evidence at hand instead of relying on hints, allegations, and press accounts.

Kaspersky vs. DHS

The original suit sought an immediate injunction against enforcement of the BOD and asked the court to invalidate and rescind it. In addition to citing flaws in the decision-making procedure, Kaspersky challenged the evidentiary standard being used by DHS. Despite analyses filed with the court about where data from Kaspersky’s USG customers might flow and the alleged influence that the Russian government might have on Kaspersky Labs, the case record shows no evidence of actual cooperation by Kaspersky with the Russian government. To date, the public record shows only that the USG has speculative concerns based on the possible application of Russian telecommunications and data localization laws.

Kaspersky’s latest response forcefully argues that the BOD is based largely on news reports and not on any highly technical analysis or classified information. Whereas DHS has argued that the court should defer to their “administrative decision-making process due to the ‘expert-driven and highly technical’ nature of the BOD and its subject matter,” Kaspersky has countered that: “In reality, the BOD is neither highly technical nor expert-driven, the underlying administrative record consists almost entirely of unsubstantiated news reports and allegations against the company, which the court is well within its capability to review for their evidential value.” Elsewhere in the record Kaspersky states that, “in fact, at a November 14, 2017, hearing by the House Science, Space, and Technology Committee’s Subcommittee on Oversight, Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications at DHS, testified that there was no conclusive evidence that Kaspersky Lab had facilitated any breaches of federal government information systems.”

Nonetheless, the claims of applicable Russian law do raise interesting issues. A DHS-commissioned report (the “Maggs report”) states that “Kaspersky Lab qualifies as an ‘organizer of dissemination of information on the Internet’ and, as such, is required (1) to store in Russia and provide to authorized state bodies, including the FSB, metadata currently and content as of July 1, 2018; and, based on this and other laws, (2) to install equipment and implement other means that enable FSB and potentially other state authorities to monitor data transmissions between Kaspersky’s computers in Russia and Kaspersky Lab customers.” Kaspersky has denied that categorization and the ability of Russia’s intelligence apparatus to unilaterally compel surveillance, but the Maggs report notes that Kaspersky “does not deny that its data transmissions with customers over using the networks of Russian telecom providers or Russian ISPs.” Seemingly, actual evidence and technical analysis of data transmission from Kaspersky’s USG customers through networks operated by Russian companies could help clarify the situation.

Kaspersky vs. United States

Kaspersky filed a second suit seeking a declaratory judgment that the 2018 NDAA ban—as set forth in Sections 1634(a) and (b)—is unconstitutional, asking for injunctive relief enjoining its enforcement. Their argument is that Congress was overly specific in naming Kaspersky and banning all of its products, and that, in circumventing judicial process (again, those pesky evidentiary standards), it enacted an unconstitutional bill of attainder in direct contravention of Article I, Section 9 of the U.S. Constitution. The Bill of Attainder Clause forbids Congress from enacting laws which impose individualized deprivations of life, liberty, and property and inflict punishment on individuals and corporations without a judicial trial. With the suit only recently filed, we’ll have to see how the USG responds. (Update: Turns out Kaspersky has withdrawn this motion.)

Risks in the Kaspersky case

To be clear, governments have legitimate concerns when it comes to cybersecurity. USG agencies are required to assess risk to their own networks. And like other network operators, they use a variety of private information security products and services. But the USG actors pushing this effort should seriously consider the ramifications of the attack on Kaspersky. The DHS argument that “the broad access to files and elevated privileges provided by antivirus products and services…can be exploited by malicious cyber actors to compromise information systems” could be applied to any anti-virus service. If the standard it’s using were applied reciprocally, it could lead to a ban on software produced by US-based companies in many other jurisdictions.

Alignment of cybersecurity practices with governments’ national security subjects the Internet and information services to national rivalries. As the Kaspersky case and others (like the recent ANT-Moneygram) show, it can kick off a reaction-counterreaction that runs the risk of fragmenting global information services and the Internet. In the end, the USG’s tactics of ex ante, pseudo-attribution could be devastating to multi-national private enterprises and economies increasingly dependent on information services. It’s important to remember this as we watch the case develop.

Appendix: Chronology of key case documents