There is a constant drumbeat of Russian threat stories these days, but none is more important to Internet governance than the legal battle between Kaspersky Labs and the United States. It highlights the dangers of nation-states inserting themselves into cybersecurity governance, and shows why the alignment of cybersecurity with nation states puts at risk companies and economies built around a global Internet.
The U.S. Department of Homeland Security’s Binding Operational Directive 17-01 (BOD), released for comment in September 2017, ordered all USG agencies to remove all Kaspersky information security products, solutions, and services from their networks. The Final Decision by DHS in December came right after Congress’s National Defense Authorization Act for FY 2018 (NDAA) which stated that “[n]o department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part,” by Kaspersky or related entities.” (Section 1634(a)). In its Final Decision, DHS alleged that its ban was necessary because of:
 the broad access to files and elevated privileges of anti-virus software, including Kaspersky software;  ties between Kaspersky officials and Russian government agencies; and  requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers, including U.S. government customers.
Kaspersky Labs did not respond to this ban by quietly slinking away like an exposed spy. The USG is not a big customer for the company, it has less than $54K in contracts with federal agencies. But U.S. has been, and remains, one of the most significant geographic markets in Kaspersky Lab’s global business. Kaspersky first attempted to engage the administrative process and dissuade DHS from enforcing the BOD. When DHS decided to enforce the BOD anyway, Kaspersky challenged it in court, and now they have additionally challenged the legality of the NDAA. This case allows us, for the first time, to get a more complete sense of the actual evidence at hand instead of relying on hints, allegations, and press accounts.
Kaspersky vs. DHS
The original suit filed sought an immediate injunction against enforcing the BOD and to invalidate and rescind it. In addition to citing flaws in the decision making procedure, Kaspersky challenged the evidentiary standard being used by DHS. Despite analyses filed with the court about where data from Kaspersky’s USG customers might flow and the alleged influence that the Russian government might have on Kaspersky Labs, the case record shows no evidence of actual cooperation by Kaspersky with the Russian government. To date, the public record shows only that the USG has speculative concerns based on the possible application of Russian telecommunications and data localization laws.
Kaspersky’s latest response forcefully argues that the BOD is based largely on news reports and not on any highly technical analysis or classified information. Whereas DHS has argued that the court should defer their “to administrative decision-making process due to the ‘expert-driven and highly technical’ nature of the BOD and its subject matter,” Kaspersky has countered that: “In reality, the BOD is neither highly technical nor expert-driven, the underlying administrative record consists almost entirely of unsubstantiated news reports and allegations against the company, which the court is well within its capability to review for their evidential value.” Elsewhere in the record Kaspersky states that, “in fact, at a November 14, 2017, hearing by the House Science, Space, and Technology Committee’s Subcommittee on Oversight, Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications at DHS, testified that there was no conclusive evidence that Kaspersky Lab had facilitated any breaches of federal government information systems.”
Nonetheless, the claims of applicable Russian law do raise interesting issues. A DHS commissioned report (the “Maggs report”) states that “Kaspersky Lab qualifies as an ‘organizer of dissemination of information on the Internet’ and, as such, is required (1) to store in Russia and provide to authorized state bodies, including the FSB, metadata currently and content as of July 1, 2018; and, based on this and other laws, (2) to install equipment and implement other means that enable FSB and potentially other state authorities to monitor data transmissions between Kaspersky’s computers in Russia and Kaspersky Lab customers.” Kaspersky has denied that categorization and the ability of Russia’s intelligence apparatus to unilaterally compel surveillance, but the Maggs report notes that Kaspersky “does not deny that its data transmissions with customers over using the networks of Russian telecom providers or Russian ISPs.” Seemingly, actual evidence and technical analysis of data transmission from Kaspersky’s USG customers through networks operated by Russian companies could help clarify the situation.
Kaspersky vs. United States
Kaspersky filed a second suit seeking a declaratory judgment that the 2018 NDAA ban—as set forth in Sections 1634(a) and (b)—is unconstitutional, asking for injunctive relief enjoining its enforcement. Their argument is that Congress was overly specific in naming Kaspersky and banning all of its products, and in circumventing judicial process (again, those pesky evidentiary standards) it enacted an unconstitutional bill of attainder in direct contravention of Article I, Section 9 of the U.S. Constitution. The Bill of Attainder Clause forbids Congress from enacting laws which impose individualized deprivations of life, liberty, and property and inflict punishment on individuals and corporations without a judicial trial. With the suit only recently filed, we’ll have to see how the USG responds. (Update: Turns out Kaspersky has withdrawn this motion.)
Risks in the Kaspersky case
To be clear, governments have legitimate concerns when it comes to cybersecurity. USG agencies are required to assess risk to their own networks. And like other network operators, they use a variety of private information security products and services. But the USG actors pushing this effort should seriously consider the ramifications of the attack on Kaspersky. The DHS argument that “the broad access to files and elevated privileges provided by antivirus products and services…can be exploited by malicious cyber actors to compromise information systems” could be applied to any anti-virus service. If the standard it’s using were applied reciprocally, it could lead to a ban on software produced by US-based companies in many other jurisdictions.
Alignment of cybersecurity practices with government(s) national security subjects the Internet and information services to national rivalries. As the Kaspersky case and others (like the recent ANT-Moneygram) show, it can kick off a reaction-counterreaction that runs the risk of fragmenting global information services and the Internet. In the end, the USG’s tactics of ex ante, pseudo-attribution could be devastating to multi-national private enterprises and economies increasingly dependent on information services. It’s important to remember this as we watch the case develop.
Appendix: Chronology of key case documents
- DHS National Cybersecurity and Communications Integration Center (NCICC) Information Security Risk Assessment (Aug 29, 2017)
- DHS Information Memorandum from Asst Secretary for DHS Cybersecurity and Communications to Acting Sect of DHS (September 1, 2017) – in consultation with interagency partners, and relying on NCICC assessment, as well as other public and non-public sources, agrees “that Kaspersky-branded products present known or reasonably suspected information security risks to federal information and information systems” and that BOD 17-01 should be issued.
- DHS Notification of Issuance of Binding Operational Directive 17-01 and Establishment of Procedures for Responses (Sep 19, 2017)
- US Congress’s National Defense Authorization Act for FY 2018 – Section 1634(a) of the NDAA provides that “[n]o department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part,” by Kaspersky or related entities.” (Oct 2017)
- Kaspersky commissioned Berkeley Research Group Assessment – Information Security Risks of Anti-Virus Software (Nov 10, 2017) – questions findings of NCICC assessment
- Kaspersky Lab Request for Department of Homeland Security to Initiate Review of Binding Operational Directive 17-01 (Nov 10, 2017) – rebutted legal and factual allegations levied against Kaspersky, corrected many misunderstandings held by DHS (as perpetuated by the news articles it cited), and highlighted the deficiencies in the administrative process.
- DHS NCICC unclassified report on Kaspersky-Branded Products and Berkeley Research Group Independent Assessment (Not dated) – responds to BRG assessment, affirming BOD findings
- DHS commissioned Maggs report (Dec 2, 2017) – advises on application of Russian law, argues “Kaspersky Lab qualifies as an ‘organizer of dissemination of information on the Internet’ and, as such, is required (1) to store in Russia and provide to authorized state bodies, including the FSB, metadata currently and content as of July 1, 2018; and, based on this and other laws, (2) to install equipment and implement other means that enable FSB and potentially other state authorities to monitor data transmissions between Kaspersky’s computers in Russia and Kaspersky Lab customers.” and that “Kaspersky…does not deny that its data transmissions with customers over using the networks of Russian telecom providers or Russian ISPs.”
- DHS Final Decision on Binding Operational Directive 17-01, Removal of Kaspersky-Branded Products (Dec 6, 2017)
- Kaspersky Complaint Against Department of Homeland Security (Dec 2017) – claims violation of due process, APA, lack of evidence, and asks for 1) invalidating and rescinding the BOD and the Final Decision maintaining the BOD and enjoining DHS from enforcing the BOD and the Final Decision, and 2) Declaring the BOD and Final Decision invalid, and declaring that the presence of Kaspersky Lab-branded products on federal information systems do not present a known or reasonably suspected information security threat, vulnerability, and risk to federal information systems.
- Kaspersky 10-1-Memorandum of Law in Support of Plaintiffs’ Applicaiton for Preliminary Injunction (Jan 2018)
- 10-15-Exhibit L
- 12-6-Exhibit AR Part 5
- 12-7-Exhibit AR Part 6
- DHS 13-0-Memorandum in Opposition to Plaintiffs’ Application for Preliminary Injunction (Feb 2018)
- Kaspersky 15-0-Reply Memorandum in Support of Plaintiffs Applicaiton for Preliminary Injunction (Feb 2018)
- Kaspersky Complaint Against United States (Feb 2018) – seeking to invalidate Sections 1634 (a) and (b) of the 2018 NDAA as an unconstitutional bill of attainder.
- Kaspersky 16-0 Withdrawal of Complaint Against the United States (Feb 2018)
- Kaspersky 1-17-cv-02697-CKK Proposed Order (Feb 2018)
- Kaspersky 1-17-cv-02697-CKK Memorandum in Support of Proposed Order (Feb 2018)
- DoJ Memorandum in Opposition to Plaintiffs Motion for Summary Judgment (Mar 2018)
- DC Court Memorandum Opinion (14) dismissing both Kaspersky cases (May 2018)
- Kaspersky Notice of Appeal (Jun 2018)