Summary: Kaspersky Lab Files for a Preliminary Injunction Against DHS
On Jan. 17, cybersecurity and software vendor Kaspersky Lab filed for a preliminary injunction against the Department of Homeland Security’s (DHS) order designating the company’s software as an “information security risk” and banning its use on federal systems. What follows is a summary of the facts underlying the Kaspersky litigation, the terms of the DHS order, and the application for the preliminary injunction.
Factual Background and the DHS Order
Published by The Lawfare Institute
in Cooperation With
On Jan. 17, cybersecurity and software vendor Kaspersky Lab filed for a preliminary injunction against the Department of Homeland Security’s (DHS) order designating the company’s software as an “information security risk” and banning its use on federal systems. What follows is a summary of the facts underlying the Kaspersky litigation, the terms of the DHS order, and the application for the preliminary injunction.
Factual Background and the DHS Order
Kaspersky is a Russian-based multinational cybersecurity company with over 400 million users, who, according to its injunction request, range from “governments to private individuals, commercial enterprise to critical infrastructure owners and operators alike.” The company is also widely believed to have very close ties to Russian intelligence. These ties led to concerns inside the U.S. government that Kaspersky software was being used as a means of espionage, particularly after the revelations that Russia interfered in the 2016 presidential election. On July 11, 2017, the General Services Administration removed Kaspersky from its list of approved software in order to “ensure the integrity and security of U.S. government systems and networks.”
Soon after, on Sept. 13, 2017, DHS issued Binding Operational Directive 17-01, entitled “Removal of Kaspersky-Branded Products.” The directive labeled all Kaspersky software as constituting an “information security risk,” and directing all executive branch officials to “identify Kaspersky-branded products ... provide plans to discontinue use of Kaspersky-branded products, and ... unless directed otherwise by DHS in light of new information, begin to remove Kaspersky-branded products.” DHS issued the directive pursuant to the Federal Information Security Modernization Act of 2017, which allows for the use of a such orders to “safeguard[] Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk.”
In an accompanying press release, DHS explained that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies” and that the “risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” The DHS also based its decision on “an analysis of relevant portions of Russian law prepared by Professor Peter Maggs of the University of Illinois College of Law,” known as the “Maggs Report.”
The removal of Kaspersky software was to proceed in three stages:
- Within 30 days, government agencies were to identify the “use or presence” of Kaspersky-branded products, with a report to DHS;
- Within 60 days, the agencies were to “develop and provide to DHS a detailed plan of action to remove and discontinue present and future use of all Kaspersky-branded products; and
- Within 90 days, the agencies were to “begin to implement the agency plan of action and provide a status report to DHS on the progress of that implementation every 30 calendar days thereafter.”
The directive also outlined the administrative process for responding to these actions. It explained that Kaspersky could, if it wished, initiate a DHS review if it provided a written response and supporting evidence by Nov. 3, 2017. The response would have to “explain the adverse consequences [of the BOD], address the Department’s concerns, or mitigate those concerns.” The Department’s decision in response would be communicated to Kaspersky by Dec. 13, 2017.
On Nov. 10, 2017 (after receiving an extension), Kaspersky delivered its response, in which it “rebutted at length the legal arguments and factual allegations” levied at it and “corrected many misunderstandings apparently held by DHS and perpetuated by the cited news reports.” The response also “highlighted the deficiencies in the administrative process offered by DHS.” After a meeting on Nov. 29 between DHS and Kaspersky representatives, DHS issued its final decision on Dec. 6, which maintained the directive without revisions. Kaspersky sued DHS twelve days later.
Application for Preliminary Injunction
Kaspersky, citing Winter v. Natural Res. Def. Council, Inc., explains that an application for a preliminary injunction is granted if the plaintiff is “likely to succeed on the merits … likely to suffer irreparable harm in the absence of preliminary relief … the balance of equities tips in his favor, and … an injunction is in the public interest.”
Kaspersky then makes two claims in its application for a preliminary injunction, nesting both under the Administrative Procedures Act (APA). First, Kaspersky claims that DHS violated its Fifth Amendment due process rights by depriving it of a liberty interest and by failing to follow the requirements for pre-deprivation under Mathews v. Eldridge. Kaspersky claims that, if the directive violates the Plaintiff’s Fifth Amendment rights then it “should not withstand [APA] review.” Second, Kaspersky claims that the directive is “unsupported by substantial evidence,” and therefore is arbitrary and capricious.
a. Standing
Kaspersky claims that it has standing under the standard articulated in Spokeo, Inc. v. Robins: It has suffered an injury in fact, the injury is “fairly traceable” to the defendant’s conduct, and it is judicially redressable. Specifically, Kaspersky claims the directive’s preclusive effect in debarring use of Kaspersky-branded products, coupled with “DHS’s derogatory and inaccurate comments” through the order, press releases, and public statements, has had an adverse effect on its commercial sales. With these injuries, Kaspersky claims that “the other two Article III elements naturally follow.”
Further, Kaspersky claims standing for its U.K. parent company, Kaspersky Labs Limited, based on an exception to the “shareholder standing rule” in which allows shareholders with “a direct, personal interest in a cause of action to bring a suit even if the corporation’s’ rights are implicated,” so long as the law of the state of incorporation (in this case, Massachusetts) allows for it. Lastly, Kaspersky claims that it has standing to assert Fifth Amendment due process rights because it has “substantial connections” to the United States based on its employment of 300 people in Massachusetts and its sales to customers and thus, comes under the framework announced in United States v. Verdugo-Urquidez.
b. Fifth Amendment Due Process Claim
Kaspersky claims that it has a high likelihood of success on its Fifth Amendment due process claim because (1) DHS deprived it of a liberty interest, and (2) the procedures that the directive enunciated were constitutionally insufficient.
i. Deprivation of Liberty Interest
Kaspersky’s deprivation claim is three-pronged: (1) DHS effected a formal debarment of Kaspersky’s products; (2) DHS impugned Kaspersky reputation as part of that debarment; and (3) DHS also stigmatized Kaspersky during that process.
Kaspersky first claims that DHS deprived it of the liberty interest of following its chosen profession “free from unreasonable government interference.” Specifically, Kaspersky points to the directive’s debarment of “future use” of Kaspersky-branded products by federal agencies as implicating its liberty interests, especially since the orderis both prospective and retrospective.
Kaspersky next invokes the “reputation-plus test” articulated in New Vision Photography Program, Inc. v. District of Columbia, where a liberty interest is implicated “if the Government effectively bars a contractor from virtually all Government work due to charges that the contractor lacks honesty or integrity,” because doing so puts the company’s “good name, reputation, honor, or integrity” at risk. Kaspersky draws attention to the press release accompanying the directive as “essentially alleg[ing] that Kaspersky Lab is an arm of the Russian intelligence services,” and thus impugning its reputation and integrity.
Kaspersky further invokes the interrelated “stigma-plus” theory, in that the directive either formally excluded it from future government contracts, or had the “broad effect of largely precluding [it] from pursuing [its] chosen career.” Kaspersky posits that the directive “does exactly that.”
ii. Mathews v. Eldridge Pre-Deprivation Process
Much of Kaspersky’s first claim rests on the theory that it was entitled to pre-deprivation notice of the directive and an opportunity to be heard based on the three-factor Eldridge test: (1) the private interest to be affected by the official action; (2) the risk of erroneous deprivation of that interest through the procedures used; and (3) the government’s interest, including fiscal and administrative burdens that additional or substitute procedures would entail.
Kaspersky first points to its “substantial private interest” in its ability to sell to federal agencies and its reputation as a “market-leading anti-virus developer,” which has been qualitatively impacted by DHS’s that it presents “information security risks.” Kaspersky next points to the high risk of erroneous deprivation presented by the directive processes. Since DHS “simply refused to engage with Kaspersky” during the investigative process, this, according to Kaspersky, did not allow it to engage in a dialogue with DHS that could have led to mitigating action and thus, would have prevented DHS’s “erroneous, unnecessary, and overly broad debarment.” Kaspersky also questions DHS’s use of the Federal Information Security Modernization Act as the statutory basis for its actions, since it does not provide for “any means to contest a compulsory directive by DHS,” as opposed to a debarment under the Federal Acquisition Regulation. And since many agencies began the physical removal of Kaspersky-branded software before the 90-day period, Kaspersky claims that the process DHS claims was available by staggering the process across stages of 30, 60, and 90 days did not give adequate time to respond, leading to a “preordained ... outcome.”
Lastly, Kaspersky claims that DHS has not proven how prior notice would have interfered with eliminating the threat to national security posed by Kaspersky software. Quoting from Nat’l Council of Resistance of Iran v. Dep’t of State, People’s Mojahedin Organization of Iran v. Dep’t of State, and Ralls Corp. v. Comm. on Foreign Inv. in the U.S., Kaspersky argues that the interest in eliminating such threats does not affect the timing of the administrative process, which Kaspersky contends should have been before the issuance of the directive. Kaspersky argues that this episode is not an “extraordinary situation”, which constitutes an exception to the pre-deprivation requirement, because DHS provided three months for the relevant software to be removed.
Tying these factors together, Kaspersky concludes its first claim by explaining that “notwithstanding the government’s national security interest,” it is entitled to pre-deprivation process under Ralls and to the preliminary injunction standard of likely succeeding on the merits. Kaspersky also claims that it should have been afforded the opportunity to contest the conclusions of the Maggs Report under the decision in Ralls, since Kaspersky claims that it “incorrectly determines that Kaspersky Lab’s is subject to Russia’s surveillance laws” and further that Maggs is unqualified to draw those conclusions.
c. Arbitrary and Capricious Claim
Kaspersky claims that it has a high likelihood of success on its “arbitrary and capricious” claim because there is no “substantial evidence” to support the conclusion in the directive that Kaspersky-branded software presents an “information security threat,” as required by Section 706(2)(A) of the APA. Kaspersky argues that since most of the evidence was based on “uncorroborated news reports,” then it is not substantial enough to meet the statutory definition.
d. Irreparable Harm
Kaspersky rests its claim of irreparable harm on the directive’s damage to its reputation and core values―which it says is “beyond any reasonable dispute” based on Amazon.com reviews and other consumer indicia―and financial losses. Kaspersky highlights that courts have found both of these harms as supporting injunctive relief, and the requirement that they be significant is fulfilled here: Due to the removal of Kaspersky software from shelves, and retailers encouraging consumers to switch to Kaspersky competitors, Kaspersky’s quarterly profits decreased by 37 to 61 percent. Kaspersky also claims that an “unprecedented” volume of product return and early termination requests and a reduction in the number of its U.S. employees is due to the directive.
e. Balance of Harms and Public Interest
Kaspersky closes by examining the balance of harms and the public interest as part of the preliminary injunction. Arguing that the due process violation should be prevented under Klayman v. Obama and KindHearts for Charitable Humanitarian Dev., Inc. v. Geithner, Kaspersky concludes that the balance of harms and public interest weigh in its favor.