A U.S. District Court Judge Wednesday ruled that a ban on Kaspersky Lab products by the U.S. government set to take effect October 1 is constitutional and tossed two lawsuits filed by the Russia-based security firm.
Calling “worthless” the company's claim that it has the “right to sell to the government,” Colleen Kollar-Kotelly, U.S. District Judge for the District of Columbia, wrote that “it was rational” for Congress – when presented with the facts that “Russia had committed malicious cyber activities against the United States” and that Kaspersky is a Russian company beholden to Russia's laws and whose founder, Eugene Kaspersky, has ties to Russian intel, and its products, which are used by the federal government to prevent cyberattacks, could be exploited – “to conclude on the basis of this information that barring the federal government's use of Kaspersky Lab products would help prevent further Russian cyberattacks.”
But the company disputed the decision and contentions that it was a threat to national security, saying it would appeal the ruling. “Kaspersky Lab is disappointed with the Court's decisions on its constitutional challenges to the U.S. government prohibitions on the use of its products and services by federal agencies,” the company said. “We will vigorously pursue our appeal rights. Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding.”
Kaspersky insisted that it is “fully transparent” in its methodology and pointed out that its Global Transparency Initiative invites “concerned parties” to review its code bases as well as how it creates software updates and detection rules as well as how customer data from North America and Europe is processed.
In December President Donald Trump signed into law the National Defense Authorization Act for Fiscal Year 2018 (H.R.2810), which contained a section prohibiting federal use of products and services from Russia-based cybersecurity firm Kaspersky Lab.
According to the law, the ban takes effect on Oct. 1, 2018. Additionally, within 180 days of the passing of the act, the Secretary of Defense must present a report to relevant Congressional committees detailing the findings from a review of procedures for removing Kaspersky products from federal government networks.
Those actions might “very well have adverse consequences for some third-parties," Kollar-Kotelly said. "But that does not make them unconstitutional."
Last September, the Department of Homeland Security also issued a binding order forbidding the use of Kaspersky Lab security software. The order gave federal agencies three months to inventory and remove the software.
Kaspersky said, though, that “given the lack of evidence of wrongdoing” as well as “the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community,” noting that “policy prohibiting the U.S. government's use of Kaspersky Lab products and services actually undermines the government's expressed goal of protecting federal systems from the most serious cyber threats.”