The D.C. District Court's Memorandum Opinion in Kaspersky Lab, Inc. v. United States Department of Homeland Security (DHS), Nos. 17-cv-2697 and 18-cv-325, 2018 WL 2433583 (D.D.C. May 30, 2018), appeal pending (filed June 8, 2018 at D.C. Cir.), is a reminder of the cyber risks inherent in the global supply chain (even in antivirus software intended to protect against hackers), as well as of the extraordinary power of the federal government to exclude contractors it perceives as threats to federal information systems. The court dismissed Kaspersky's claim that DHS' Binding Operational Directive 17-01 (BOD 17-01), issued pursuant to the Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. § 3553(b)(2), without notice and comment or any opportunity to respond, violated the Administrative Procedure Act (APA) and the Due Process Clause of the Fifth Amendment to the United States Constitution. It reasoned that "[b]ecause no government agency would buy Plaintiffs' product in the period before October 1, 2018, Plaintiffs' theoretical 'right' to sell has no value at all in the real world."
While the facts of the case are exceptional, it reflects the broad power of the federal government to address an "apparent national security risk" without prior notice or comment. Kaspersky Lab is a cybersecurity company headquartered in Moscow with a US affiliate; its products "are intended to protect its customers' computer systems against cyber-threats." In 2017, U.S. intelligence agencies reportedly became concerned about Kaspersky's ties to Russia. On September 13, 2017, DHS issued BOD 17-01, "Removal of Kaspersky-branded Products," directing all federal agencies (with the exception of certain systems operated by the Department of Defense and the intelligence community) to identify "Kaspersky Lab products" on all "Federal information systems" and to remove them ninety days later. "Federal information systems" include "an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency." BOD 17-01 at 2. DHS derived its authority to blacklist a brand name from federal systems from FISMA, 44 U.S.C. § 3553(b)(2).
The timeline leading to BOD 17-01 illustrates how quickly DHS can respond to a perceived cybersecurity threat. Beginning in 2017, lawmakers raised concerns regarding Kaspersky Lab's ties to the Russian government. See Kaspersky Lab, Inc. v. DHS, Nos. 17-cv-2697 and 18-cv-325, 2018 WL 2433583, at *3-4 (D.D.C. May 30, 2018). On July 18, 2017, Kaspersky Lab wrote to DHS offering information or assistance regarding Kaspersky, its operations, or its products. Id. at *4. On August 14, 2017, DHS responded that it looked forward to further communications. Id. Then, on September 13, 2017, DHS issued BOD 17-01. Id. On September 19, 2017, DHS published notice in the Federal Register (82 FR 43782) giving entities with a commercial interest in BOD 17-01 an opportunity to respond, provide additional information, and initiate a review by DHS.
DHS' conclusion that Kaspersky-branded products presented a "known or reasonably suspected information security threat, vulnerability, and risk to federal information and information systems" rested on the following six factors. None of them is direct evidence of specific wrongdoing or of a vulnerability in Kaspersky's software; they concern the products' footprint and privileges on federal systems and the company's links to Russia:
(1) Kaspersky-branded products were currently being used by federal agencies, and Kaspersky Lab intended to expand its sale of those products to federal agencies in the near future;
(2) anti-virus products like Kaspersky Lab's enjoy broad access to files and elevated privileges on the systems on which they run, access that malicious cyber-actors could exploit;
(3) data of those using Kaspersky Lab products is transferred automatically from their computers to Kaspersky Lab servers (which are either located in Russia or accessible from Russia);
(4) Russia has engaged in, and will likely continue to engage in, malicious cyber-activities against United States government information systems;
(5) Kaspersky Lab and Kaspersky Lab officials have ties to the Russian government, and specifically to its intelligence services; and
(6) Russian legal provisions allow Russian intelligence services to request or compel assistance from companies like Kaspersky Lab and to intercept communications transiting Russian networks.
Kaspersky, 2018 WL 2433583 at *5. In other words, the decision to remove this brand-name product was based on suspicion. Factors (2) and (3) describe the ordinary design of endpoint protection software: the agent runs with system-level privileges so that it can inspect every file, and it sends suspicious samples and telemetry to the vendor's servers. The risk DHS identified is therefore not a defect but a consequence of that design: whoever controls the vendor's update and telemetry infrastructure holds a privileged foothold on every host running the product.
Further, DHS determined that a BOD was a more effective means to protect federal information systems than debarment and even argued that the BOD was not a debarment. Id. at *6. Specifically, DHS noted that debarment would only affect future procurements for a limited period of time, would not require federal agencies to remove the products, and would not prevent third party vendors from offering Kaspersky products. Id.
On December 12, 2017, the National Defense Authorization Act (NDAA) for fiscal year 2018, which included a broader provision entitled "Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab," superseded BOD 17-01. The NDAA prohibition was broader than the BOD in two respects: it applied to all Kaspersky Lab products (including software, hardware, and services), and it did not include the BOD's carve-outs for U.S. Department of Defense and intelligence community systems. Id. at *1.
Kaspersky challenged DHS's action and the NDAA provision in the D.C. District Court. See id. at *2. On May 30, 2018, Judge Colleen Kollar-Kotelly dismissed both cases. Id. at *26. Judge Kollar-Kotelly held that the challenge to the NDAA provision failed to state a claim because Plaintiffs had not plausibly alleged that the provision constituted a bill of attainder, and that Plaintiffs lacked standing to challenge the BOD because none of their alleged harms would be redressed, the NDAA having effectively superseded the BOD. Id. While it would be speculative to assume the court would have upheld DHS's BOD absent the NDAA, it is worth noting that the court acknowledged that "BOD 17-01 was supported by a considerable administrative record." Id. at *5.
DHS's response to the threat posed by Kaspersky Lab products is a reminder of the federal government's increased scrutiny of cybersecurity issues and of the growing obligation on contractors to ensure their systems are secure. For example, defense contractors are subject to DFARS 252.204-7012, which requires contractors to implement NIST Special Publication 800-171, and the Federal Acquisition Regulation (FAR) includes a basic safeguarding clause, FAR 52.204-21. The Kaspersky Lab decision also reflects lawmakers' growing suspicion of foreign-based IT service providers and a willingness to prohibit purchases based solely on close ties to certain foreign governments. For example, the current draft of the NDAA for fiscal year 2019 includes a provision that would prohibit agencies from contracting with any entity that uses equipment or services of the Chinese telecommunications companies Huawei or ZTE. See H.R. 5515, 115th Cong. § 891(b) (as passed by Senate, June 19, 2018).
Contractors should not only understand which legal obligations apply to them and ensure that their organizational governance, compliance programs, and technology tools reflect those obligations, but also keep abreast of the government's rapidly changing view of service providers. The Kaspersky Lab case demonstrates that contractors should carefully consider the software, hardware, and services they use in performing federal contracts. Moreover, contractors who know that they are, or may become, the subject of scrutiny should act swiftly to protect their rights. While the process of restoring rights lost for want of due process is rarely swift, it is often achievable over time.