Cybersecurity and Deterrence
Kaspersky Lab v. DHS: The Government's Response and Kaspersky's Reply
In December 2017, the Russia-based cybersecurity firm Kaspersky Lab filed suit against the Department of Homeland Security over an order labeling Kaspersky software an “information security risk” and ordering the removal of all relevant software from government national security systems after a review process of 90 days. The firm applied for a preliminary injunction under the Administrative Procedures Act (APA), arguing the order was “arbitrary and capricious.” Lawfare has previously summarized the lawsuit.
In February, the litigation between Kaspersky and DHS heated up. On Feb. 5, the government filed its response to Kaspersky's application for a preliminary injunction, along with its evidentiary file. The evidentiary file includes a document entitled the “Maggs Report,” on which DHS relied in making its decision to link Russian espionage services and Kaspersky so closely together. On Feb. 12, Kaspersky filed its reply to these documents. The following is an update to this litigation providing a summary of all the above documents.
The “Maggs Report”
Though only briefly mentioned by both Kaspersky in its application for a preliminary injunction and by the government in its brief in opposition below, the Maggs Report, authored by Russian law expert Peter Maggs of the University of Illinois College of Law, provides a strong underpinning to the DHS says Kaspersky software presented an information security risk because of Kaspersky’s Russian connections. First, Maggs explains that Federal Law No. 40-FZ outlines a legal obligation by Kaspersky to assist Russian FSB officials in the execution of their duties, “including counterintelligence and intelligence activity.” Russian law also permits FSB personnel to be embedded in private enterprises, including Kaspersky, under the same law. Furthermore, because Kaspersky qualifies as an “organizer of the dissemination of information on the Internet” under Article 10. 1 of Federal Law No. 149-FZ, it is required to provide the FSB with metadata (as of July 1, 2018), and is also required to provide Russian officials with decryption keys for its data transmissions. Articles 6 and 8 of Federal Law No. 144-FZ also require Kaspersky to install equipment for the FSB to monitor data transmissions.
Next, the report addresses claims made by Kaspersky about Russian law in its request for DHS to review the department’s order. While agreeing with Kaspersky’s argument that the FSB’s powers are not “unlimited,” Maggs points out those powers are “very broadly written and interpreted.” Maggs also casts doubt on Kaspersky’s claim that it is not an FSB unit, as indicated by public filings. Finally, Maggs questions Kaspersky’s argument that it is not subject to a Russian law requiring private entities to allow installation of FSB devices because it is not a telecom company or an internet service provider. Maggs again references Kaspersky's obligations as an “organizer of the dissemination of information on the Internet.” Maggs concludes by pointing out that even Kaspersky concedes that encrypted data “may theoretically be intercepted by the FSB,” explaining the FSB would not need a court order to do so.
Thus the Maggs Report provides evidence that Russian intelligence services could use legal leverage to gain access to metadata and encrypted content involving American individuals and institutions.
The Government’s Brief in Opposition to Kaspersky
The government begins by explaining that its networks and computers are “a strategic national asset” and that Congress has vested DHS with broad authority protect this asset with tools such as the Binding Operational Directive. The government then summarizes the events leading up the issuance of the order against Kaspersky. After “extensive investigation and consultation with cybersecurity experts inside and outside [DHS],” which was “supported by a robust administrative record totaling hundreds of pages of source exhibits and an additional hundred-plus pages of written analysis,” the department’s acting secretary decided to restrict use of Kaspersky software on the grounds that “Russia could use Kaspersky software on U. S. information systems as an entry point for espionage or other cyber activities.” After a response from Kaspersky and a subsequent meeting between DHS and Kaspersky to discuss DHS’s order, DHS issued a final decision upholding the initial order without revisions.
The government then lays out why Kaspersky’s application for a preliminary injunction should fail, arguing: (1) Kaspersky does not have standing to sue; (2) it is not likely to succeed on the merits because it exaggerates the due process to which it is entitled and undervalues the process it received; (3) also on the merits, its APA arguments have been tried before and failed based on DHS’s wide discretion; and (4) Kaspersky has failed to show irreparable harm, while the balance of equities weigh in favor of the government.
After detailing the statutory and factual background of the case (summarized here), the government explains that standing requires the plaintiff’s injury be fairly traceable to the defendant’s conduct and that the injury will likely be redressed by the court’s decision in the plaintiff’s favor. Addressing Kaspersky’s argument that its injury stems from its inability to sell its products to the U. S. government and damage to its reputation, the government first argues the alleged injury is not redressable because “it is legally or practically foreclosed by forces outside the court’s control” (McConnell v. FEC).
Specifically, the government points to Section 1634(a) of the 2018 National Defense Authorization Act (NDAA), which independently proscribes the government from purchasing Kaspersky products beginning Oct. 1. The government therefore concludes that under a line of precedent articulated by the D. C. Circuit, this precludes the court from redressing the alleged injury, since even rescinding the DHS order would still “leave the full machinery of the congressional ban in effect.” In fact, the government asserts that the NDAA provision is worse for Kaspersky than DHS’s order because the NDAA bars the use of all Kaspersky products in all federal information systems, while the DHS directive prohibits only the use of certain Kaspersky services and embedded code in national security systems and systems used by the Defense Department and intelligence community.
Furthermore, the government argues, the NDAA prevents the redress of the alleged reputational harm to Kaspersky because the NDAA provision at issue brands Kaspersky products as unsafe to use. Likewise, the harm to Kaspersky’s reputation comes from the government’s underlying judgment that Kaspersky products are unsafe to use, not from the directive issued as a result of that judgment. Lastly, the government argues the harm alleged by Kaspersky is not fairly traceable to DHS’s order, “as opposed to the ‘endless number of diverse factors potentially contributing’ to it,” since Kaspersky had already come under scrutiny by intelligence chiefs and lawmakers in Congress before the directive was announced. The government also asserts Kaspersky’s loss of revenue is not necessarily caused by the government’s actions, and that Kaspersky has not established a causal relationship to that effect. The government therefore concludes Kaspersky has no standing to bring its suit.
b. Fifth Amendment Due Process
Arguing that Kaspersky is not entitled to a preliminary injunction, the government asserts that Kaspersky is unlikely to prevail on the merits because it has failed to state a procedural due process claim. The process Kaspersky received was crafted in line with the standards outlined by the D. C. Circuit in People's Mojahedin Org. of Iran v. Dep’t of State: providing advance notice, furnishing any releasable information, and providing an opportunity to present evidence to the decision-maker.
i. Adequate Pre-Deprivation Process
The government argues that Kaspersky’s argument “rests on a basic misconception of how the [order] works.” The order doesn’t require the immediate removal of Kaspersky products from federal systems―rather, it directs a 90-day fact-finding process which would culminate in removal absent further instructions to the relevant agencies, leaving time for additional evidence to be presented. The government contends this does not constitute a “debarment,” a process which excludes or disqualifies an entity from selling products to the government for a specific time period, as Kaspersky argues. Addressing Kaspersky’s suggestion that DHS’s process was “illusory” since it “prejudiced” federal agencies against Kaspersky, the government says the agencies that removed Kaspersky software before the 90-day mark did so “of their own initiative” and were not legally compelled to do so by DHS. The pre-deprivation process was therefore adequate.
ii. Prior Notice from DHS
Next, the government contends Kaspersky was not entitled to notice prior to DHS’s order issued under Mathews v. Eldridge, which requires the balancing of three factors: (1) the private interest to be affected by the official action; (2) the risk of erroneous deprivation of that interest through the procedures used; and (3) the government’s interest, including fiscal and administrative burdens that additional or substitute procedures would entail. The government argues that Kaspersky does not attempt to balance the factors; instead, the company assumes that based on the first factor alone, it is entitled to the same due process protections as any seller facing a debarment. As outlined in 48 C. F. R. 9. 406-3(c), the process attending debarment requires formal notice of the reasons for the debarment, opportunity to respond and notice of the ultimate decision.
While acknowledging that DHS’s order may constitute an effective debarment because of its “practical consequences,” the government argues that the debarment of Kaspersky was not “formal” and therefore that the normal debarment process was not required. The government then points to the third factor, asserting that its interests outweigh Kaspersky’s. Specifically, the government argues it has a compelling interest in “maintaining the flexibility to take effective action in response to cybersecurity risks” while Kaspersky’s private interests are “well protected by the government’s existing procedures” and thus the risk of erroneous deprivation would be slight. Moreover, the Federal Information Security Modernization Act—which provides the DHS secretary with the authority to issue the directive banning Kaspersky—does not require the secretary to show proof of danger, but only the likelihood of it. There was no need for DHS to provide conclusive evidence of the danger posed by Kaspersky software.
iii. The Maggs Report
The government quickly dispatches with Kaspersky’s argument that it should have been able to respond to the analysis of relevant portions of the Maggs Report. Kaspersky argues the report should have been introduced earlier in the process to allow it to respond. The government asserts that it did tell Kaspersky early on that its decision was in part based on an analysis of Russian law, and the Maggs Report “expanded upon those issues, adding nuance and tying them to specific provisions of Russian.” Therefore, Kaspersky was not entitled to respond to the report.
c. Arbitrary and Capricious Claim
The government continues by arguing Kaspersky fails to state an actionable claim under the APA, because the directive is a matter of agency discretion under FISMA. Under Heckler v. Chaney, 5 USC § 701(a)(2) precludes judicial review when a statute is “drawn so that a court would have no meaningful standard against which to judge the agency’s exercise of discretion.”This D. C. Circuit bases this assessment on “a variety of factors,” falling into three principal categories outlined in Watervale Marine Co. v. United States Dep’t of Homeland Sec. : (1) The language and structure of the statute applying legal standards for review; (2) Congress’s intent to commit the matter to agency discretion; and (3) The nature of the administrative action.
Applying the factors, the government explains: (1) FISMA provides insufficient standards for the court to apply because there is no legal test for what constitutes an “information security risk”; (2) the D. C. Circuit has ruled that decisions made by government agencies under FISMA are not subject to judicial review, given the discretion granted by the statute (Cobell v. Kempthorne); and (3) the nature of the administrative action deals with a matter within DHS’s particular expertise (Huls America, Inc. v. Browner), and involves an evolving threat about which information is difficult to obtain (Holder v. Humanitarian Law Project). For these reasons, the government argues that DHS’s order is precluded from judicial review under the APA.
Even if the APA did allow review of the DHS order, the government makes the case that there is substantial evidence to support DHS’s “information security risk” finding regarding Kaspersky’s software. As such, the order is not arbitrary and capricious. In addition, the government is due greater deference in national security contexts. While Kaspersky argues the government relied improperly on news accounts in building the record against Kaspersky, the government argues the D. C. Circuit has “repeatedly” approved of public news accounts being used as part of the unclassified record in national security cases. The government further disputes the charge by Kaspersky that the news accounts constituted the “principal and overwhelming” source of evidence for DHS’s order, citing memoranda and research on Kaspersky products prepared within government. The government finally disputes Kaspersky’s argument that DHS has “presented no evidence of any ‘breach’ or ‘wrongdoing’” on Kaspersky’s part, arguing again that the DHS directive was meant to prevent future dangers, not respond to conclusively proven past dangers.
d. Irreparable Harm
In requesting injunctive relief, Kaspersky argues that the damage to its reputation and finances constitute irreparable harm. The government returns to the argument it made when addressing standing: Because these alleged harms are not redressable by the court or traceable to DHS’s order, the irreparable harm has not been substantiated.
e. Balance of Harms and Public Interest
Finally, the government addresses the balance of equities. Given that the United States has a “substantial interest in protecting the integrity of its information systems from cyber threats,” the public interest and balance of harms is better served by keeping the final decision in place. As a last matter, the government makes a familiar executive branch argument: “[I]t is neither the role of the Court nor the purpose of a preliminary injunction to dictate policy in the area of national security and foreign relations.”
Therefore, the government concludes the court should deny Kaspersky’s request for a preliminary injunction.
Kaspersky’s Reply to the Government’s Brief in Opposition
In its reply to the government’s brief in opposition, Kaspersky touches briefly on each argument made by the government, focusing most closely on the merits.
Kaspersky argues that it does have standing to sue (which requires an injury that is “fairly traceable” to the defendant’s conduct and is judicially redressable) because (1) it has filed a concurrent suit arguing the NDAA provision is an unconstitutional bill of attainder, which means it has challenged the “other force” referenced by the government; (2) the NDAA does not yet have legal effect, since it does not become effective until Oct. 1; and (3) the harm is redressable because DHS’s order has taken away Kaspersky’s right to apply for a government contract, and the order’s removal would allow Kaspersky to do so. Kaspersky then devotes the rest of its analysis to distinguishing the government’s use of case law in arguing its injuries are both redressable and traceable to DHS’s order.
b. Fifth Amendment Due Process Claim
In showing likelihood it will succeed on the merits, Kaspersky repeats many of the same arguments it made in its application for a preliminary injunction: Namely, DHS’s order was final when it was issued and did not represent pre-deprivation notice, even with the 30-60-90 day structure of removing Kaspersky software. Moreover, it suffered injury long before DHS’s final decision was issued. Kaspersky also draws attention to the government’s argument that it engaged in “extensive investigation and consultation with cybersecurity experts inside and outside [DHS],” asserting that in doing so, it left out the most relevant actor: Kaspersky.
More pointedly, Kaspersky say that the government’s view that DHS’s order constituted process was an “afterthought,” and not “a central part of the review and decision making process.” Kaspersky also highlights seemingly contradictory statements and actions on the part of DHS in delivering Kaspersky information regarding its order, as well as delays regarding meetings with DHS to discuss the order. Kaspersky also argues that the process provided falls well short of what was required under the Federal Acquisition Regulation (FAR), contradicting the government’s assertion that the process “exceeds [FAR requirements] in important ways,” before going into what is required under the FAR.
c. Arbitrary and Capricious Claim
Continuing, Kaspersky says the government overstates the degree of discretion granted to DHS under the APA and that DHS’s decision should therefore be subject to APA review. First, it argues that, contrary to the assertions of the government, FISMA binding operational directives are subject to judicial review under the APA, because Kaspersky is not attempting to “police a federal agency’s actions under the statute” but instead to challenge a debarment. The D. C. Circuit has held that the APA provides for only a “narrow” exemption from judicial review, “reserved for those rare instances where statutes are drawn in such broad terms that in a given case there is no law to apply” (Hi-Tech Furnace Systs. , Inc. v. FCC).
Kaspersky next pushes back against the government’s interpretation of the three-part test outlined in Watervale Marine Co. outlined above as applied in this case. First, Kaspersky asserts that the requirements of FISMA provide the “meaningful” standard of review required for courts to judge agency discretion under Arent v. Shalala. As to the second factor, Kaspersky argues the government does not point to any intention by Congress allowing for a debarment without judicial review, meaning DHS’s action is reviewable by the court. Finally, Kaspersky argues that DHS’s order constitutes a debarment. Specifically, Kaspersky says that in removing all of its software from national security systems as an “information security risk,” DHS has effectively barred Kaspersky from selling its product to the government, and therefore has debarred it from government procurement. Under this reading, the order is not “presumptively unreviewable” under the test’s third factor.
Kaspersky then argues the administrative record contains nothing to indicate “any operational urgency” requiring DHS to issue its order besides “intense political scrutiny.” As such, there was no reason for DHS not to provide adequate notice to Kaspersky and time for it to respond. Lastly, Kaspersky argues DHS is not entitled to heightened deference because there is nothing technical or expert-driven about its decision, which was based largely on news accounts. Kaspersky says these reports do not constitute substantial evidence and their use is not supported by the cases cited by the government out of the D. C. Circuit.
d. Remaining Elements for Granting a Preliminary Injunction
After arguing for the likelihood of its success on the merits, Kaspersky moves on to address the other standards for granting a preliminary injunction. First, it disputes the government’s argument that Kaspersky is seeking to compel the government to accept its products, which the government argues would require a mandatory injunction and would require a heightened standard. Instead, Kaspersky argues it aims only for an injunction to prevent the government from barring use of its products. Second, Kaspersky argues the financial and reputational harm done to the company is irreparable, because (1) the case law cited by the government does not relate to the APA, and (2) its financial harm is “anything but speculative.” Finally, as to the balance of equities, Kaspersky quotes from Gonzalez v. Freeman: “[T]he power of debarment is tantamount to one of life or death over a business.” Therefore the public interest and balance of equities weighs in its favor.
Based on the reasons laid out both in its application for a preliminary injunction and in the above reply, Kaspersky concludes an injunction should be granted against DHS’s order and final decision.