WASHINGTON (CN) – A federal judge has upheld a U.S. government ban on the use of Kaspersky Lab cybersecurity products in government networks, dismissing two lawsuits the Moscow-based antivirus company brought challenging the constitutionality of the ban.
Pointing to evolving and expanding threats posed to government networks and computer systems, U.S. District Judge Colleen Kollar-Kotelly said in a pair of identical rulings issued Tuesday that preventive action is necessary to protect these “extremely important strategic national assets.”
And while that might harm Kaspersky, it’s not illegal, she said.
“These defensive actions may very well have adverse consequences for some third-parties,” the 55-page opinions state. “But that does not make them unconstitutional.”
The ban on Kaspersky products emerged amid growing concerns about the company’s connection to Russian intelligence and fears that its antivirus software could be used to find and remove files.
On Sept. 13 the Department of Homeland Security issued a binding operational directive instructing federal agencies to remove Kaspersky’s products, which will take effect on Oct.1 this year.
That in turn prompted a pair of lawsuits from Kaspersky, the first on Dec. 19 against the DHS, which alleged due process violations and claimed the ban deprived them of U.S. sales and harmed the company’s reputation.
Kaspersky sued again after Congress codified the ban when it passed the 2018 National Defense Authorization Act, or NDAA. That lawsuit alleged that the ban constituted an unconstitutional bill of attainder, which prohibits punishment without trial.
Kollar-Kotelly said she issued identical opinions in both suits, even though they are “separate and distinct” because the motions pending in each case “present overlapping and interrelated issues.”
On the first lawsuit, Kollar-Kotelly said Kaspersky lacked standing to sue. She noted that even if she ruled in Kaspersky’s favor, the harms would continue because the NDAA remains “on the books” and most agencies have likely already removed the company’s products from their systems.
“Accordingly, the empty ‘right’ to sell to the federal government for the short period before October 1st that Plaintiffs could stand to gain from success in the BOD Lawsuit lacks any concrete value,” the rulings say, abbreviating the DHS’s Sept. 13 binding operational directive.
On the second lawsuit, Kollar-Kotelly rejected the company’s argument that the ban punishes Kaspersky without judicial protections.
“The NDAA does not inflict ‘punishment’ on Kaspersky Lab,” the rulings say. “It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.”
With more than 400 million users around the world, Kaspersky has said its licenses to federal government agencies represent only 0.03 percent of its annual sales in the United States.
Kaspersky has consistently denied any wrongdoing, including engaging in any cyber espionage on behalf of the Kremlin.
In a statement issued Wednesday, Kaspersky said it was disappointed in the ruling and promised to appeal.
“Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding,” the statement said.
“Given the lack of evidence of wrongdoing by the company and the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community. Policy prohibiting the U.S Government’s use of Kaspersky Lab products and services actually undermines the government’s expressed goal of protecting federal systems from the most serious cyber threats.”