A federal judge has dismissed Kaspersky Lab's lawsuit challenging the U.S. government's ban on its products, meaning that the prohibition will remain in effect.
U.S. District Judge Colleen Kollar-Kotelly ruled Wednesday that Kaspersky's two lawsuits against the U.S. government should be dismissed due to a lack of standing and the fact that the government's actions don't determine guilt and inflict punishment.
"The NDAA [National Defense Authorization Act] does not inflict 'punishment' on Kaspersky Lab," Kollar-Kotelly wrote in a 55-page memorandum opinion. "It eliminates a perceived risk to the Nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation."
The U.S. Department of Homeland Security issued a directive last September stipulating that civilian federal government agencies remove Kaspersky's software within 90 days after the company was accused of having links to Russian intelligence services. Three months later, President Trump signed a broader defense policy spending bill that bans Kaspersky's software from both civilian and military networks.
Kaspersky, for its part, maintains that the U.S. government's actions were the product of unconstitutional agency and legislative processes, unfairly targeting the company without any meaningful fact-finding. The government's decisions have broad implications for the global technology community, Kaspersky said, especially given the lack of evidence of wrongdoing by the company.
"Kaspersky Lab is disappointed with the court's decisions on its constitutional challenges to the U.S. Government prohibitions on the use of its products and services by federal agencies," the company said in a statement Wednesday. "We will vigorously pursue our appeal rights."
Kollar-Kotelly, however, said that the security of federal networks and computer systems depends on the government's ability to act swiftly against perceived threats and take preventative action to minimize vulnerabilities.
"These defensive actions may very well have adverse consequences for some third-parties," Kollar-Kotelly wrote. "But that does not make them unconstitutional."
The judge argued that Kaspersky lacked standing to challenge Homeland Security's September directive since the fast-approaching NDAA effective date would make it "completely implausible" for any government entity to purchase a Kaspersky product. As a result, Kollar-Kotelly said the empty 'right' to sell to the federal government would lack any concrete value.
"To 'sell' requires another to 'buy,'" Kollar-Kotelly wrote. "Because no government agency would buy Plaintiff's product in the period before October 1, 2018, Plantiffs' theoretical 'right' to sell has no value at all in the real world."
Government officials and members of Congress began voicing concerns about the presence of Kaspersky products on government systems based on the risk that these products could be exploited by Russia, either with or without Kaspersky's consent, cooperation, or knowledge, Kollar-Kotelly said. Kaspersky has vehemently denied any ties to the Russian government.
In November 2017, Kaspersky said an internal investigation found that its servers had received confidential National Security Agency files from an employee's computer. However, that happened as part of a probe into malicious code on the machine and wasn't a result of cooperation with Russia, the company said, with CEO Eugene Kaspersky ordering the classified data be deleted from the computer.
Kaspersky announced earlier this month that it plans to move a number of its core processes from Russia to Switzerland, including software assembly, threat detection updates, and customer data storage and processing for most regions.
By the end of 2019, the company expects to have established a data center in Zurich to store and process information voluntarily shared by Kaspersky Security Network users in North America, Europe, Singapore, Australia, Japan and South Korea.
Governments typically air on the side of caution around potential security issues, particularly when it comes to anti-virus software since it's so heavily ingrained into the system following installation, according to Andrew Piland, chief operating officer at San Diego, Calif.-based solution provider Datel Systems.
"If there's a concern about security, you're not going to do that," Piland said. "There's plenty of other companies in the space."
Piland said demand for Kaspersky products has been muted since concerns first surfaced since customers know Kaspersky primarily as an anti-virus company, and anti-virus products today are viewed as relatively interchangeable commodities.
Having said that, Piland doesn't anticipate the judge's ruling will cause additional commercial customers to shy away from Kaspersky since most large companies in the private sector go through their own vetting process anyways.
Piland recommends that customers conduct due diligence and run security tests and analysis on all software that's being put into a secure system, noting that concerns are usually higher for software that's produced by firms based in countries like Russia or China.
"There were security concerns, whether legitimate or government motivated," Piland said. "I don't think there's going to be a huge impact [with this ruling] … The damage has already been done."