Kaspersky Lab asks federal court to declare DHS cyber directive invalid

Kaspersky Lab is fighting back against the federal government’s ban of its software.

Eugene Kaspersky posted an open letter today saying the Homeland Security Department’s actions have left him no choice but to file an appeal to the ban in federal court.

“The company did not undertake this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the directive,” Kaspersky states in the letter. “DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.”

Kaspersky Lab said it filed the motion in the U.S. District Court for the District of Columbia where it is suing DHS under the Administrative Procedure Act.

The company’s lawyers say in the filing that the lawsuit is to “uphold their constitutional due process and other rights which defendants [DHS] violated through unprecedented, sweeping and retroactive debarment of Kaspersky Lab from U.S. government information systems by way of the Department of Homeland Security’s Binding Operational Directive 17-01 issued on September 13, 2017.”

Under the BOD, DHS mandated that agencies find and remove all Kaspersky Lab software from their networks within 90 days. DHS and the Trump administration said they took this action because of security risks related to where the data resides once the software collects it.

Rob Joyce, the White House cyber coordinator, said in September that the software living on federal networks and interacting with federal data will send information back to a cloud in Russia.

“What you really need to understand is under Russian law the company must collaborate with the FSB so for us in the government that was an unacceptable risk,” Joyce said. “We made risk decisions based on the technology and the environment, and it’s unacceptable for federal networks.”

When DHS issued the directive, it said it would give Kaspersky Lab the opportunity to respond.

Kaspersky said in the blog post the company tried several times to have meaningful discussions with DHS.

The company says it reached out to DHS in July. The agency responded, according to Kaspersky Lab, in mid-August, “appreciating the company’s offer to provide said information and expressing interest in future communications with the company regarding this matter.”

But Kaspersky Lab says DHS didn’t communicate with the company again until notification of the BOD in September.

“Unfortunately, in the case of Binding Operational Directive 17-01, DHS did not provide Kaspersky Lab with a meaningful opportunity to be heard before the directive’s issuance, and therefore, Kaspersky Lab’s due process rights were infringed,” Kaspersky Lab writes. “In the Sept. 19 Federal Register notice announcing the issuance of Binding Operational Directive 17-01, DHS stated that Kaspersky Lab could initiate a review of the directive by submitting written information, which the company did on Nov. 10. However, this ‘administrative process’ did not afford Kaspersky Lab due process under U.S. law because the company did not have the opportunity to see and contest the information relied upon by DHS before the issuance of the directive. As I have said before, ‘genuine due process provides you with the opportunity to defend yourself and see the evidence against you before action is taken; it doesn’t ask you to respond once action is already underway.’”

An email to DHS seeking comment on the lawsuit was not immediately returned.

A former Obama administration official and cybersecurity policy expert, who requested anonymity because their current firm works with clients in the federal cybersecurity sector, said it’s not surprising that Kaspersky is filing an appeal.

“On one hand, my understanding is that they have shut down their federal sales office and more publicity wouldn’t really help their brand on reopening,” the official said. “However, on the other hand, the name has been sullied about as much as it can be, so they don’t have much to lose, and it is difficult for the US government to share the information they’d need to in open court. Both sides have several options on next steps. The government will likely ask for it to be thrown out immediately.”

The court filing and open letter detail Kaspersky Lab’s attempts to counter the BOD.

Kaspersky says the lack of transparency from DHS about its rationale for the ban, and its decision to rely on “uncorroborated media reports to support its assertion that Kaspersky Lab products present information security risks to government networks” are not evidence of any wrongdoing by the company.

“DHS also cites technical arguments that apply to antivirus solutions generally, including broad levels of access and privileges to the systems on which the solutions operate, the use of cloud-based technologies to process malware samples and deploy detection signatures, and data collection and processing practices,” the company writes. “These capabilities are not unique to Kaspersky Lab’s products, and if they are of concern, DHS could have taken action to address these issues holistically across the IT security industry instead of unfairly targeting a single company without any evidence of wrongdoing.”

In the court filings, Kaspersky Lab claims DHS had ample time to review the evidence and let the company respond.

“While DHS professed to give plaintiffs an opportunity to contest the BOD and change DHS’s decision before the 90-day mark, by allowing Kaspersky to make a written submission to DHS near in time to the 60-day mark, this process was illusory and wholly inadequate because it failed to satisfy even the minimum standards of due process,” the lawsuit states. “In actuality, the debarment of Plaintiffs and the damage caused was immediate and complete upon the issuance of the BOD. The process for identification, removal and discontinuation had been initiated immediately upon issuance, all government agencies were prejudiced against plaintiffs’ software at that time, and the process could therefore not have been adequately unwound.”

Kaspersky says DHS also didn’t give them an opportunity to respond to “new allegations, facts and legal arguments,” and didn’t satisfy the APA’s requirement to present “substantial evidence” of wrongdoing.

“To the contrary, Jeannette Manfra, the DHS author of the information memoranda in support of the BOD and the final decision, testified before the House Committee on Science, Space and Technology on Nov. 14, that in fact the government does not have conclusive evidence that Kaspersky Lab had facilitated the breach of any U.S. government information system,” the lawsuit states. “When asked in the same hearing by the committee chairman to address other media reports regarding plaintiffs, Manfra testified that she could not ‘make a judgement based off of press reporting.’ Yet that is exactly what she asked DHS’s acting secretary to do in her memoranda in support of the BOD and the final decision.”

DHS did provide Kaspersky with the aforementioned information memo from Manfra on Sept. 29, ahead of the deadline to respond to the BOD.

Kaspersky Lab is asking the court for relief in the form of declaring the BOD invalid and that its products “do not present a known or reasonably suspected information security threat, vulnerability and risk to federal information systems.”

Even if Kaspersky wins the lawsuit, Congress passed and President Donald Trump signed the Defense Authorization bill that includes a provision banning the company’s software. The company likely would then have to make its case to Congress, or sue to get the court to rule that the provision is unconstitutional.