WASHINGTON (CN) – The D.C. Circuit endorsed a ban Friday that was adopted in response to Kremlin subterfuge, finding nothing unduly punitive about keeping Russian-made software out of U.S. government offices.
Based in Moscow, Kaspersky Lab counted the U.S. government as one of its clients until 2017 when officials here raised the possibility that the Kremlin could exploit the company to access U.S. federal computer systems for nefarious purposes.
After the Department of Homeland Security ordered agencies to start removing Kaspersky’s products from their computer systems, Congress formalized the directive in a November 2017 defense spending bill, and President Donald Trump signed the bill in December.
Kaspersky in turn filed suit, but a federal judge in Washington dismissed the company’s two cases with a pair of rulings on May 30.
Affirming that outcome on Friday, the D.C. Circuit ruled that the constitutional bar on so-called bills of attainder – legislation passed specifically to punish one person — was not applicable to Kaspersky’s case.
Here the law passed by Congress clearly targets Kaspersky, but the court found its aim “prophylactic, not punitive,” as lawmakers identified a specific risk and took reasonable steps to eradicate it.
“Given the not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought, Congress’ decision to remove Kaspersky from federal networks represents a reasonable and balanced response,” U.S. Circuit Judge David Tatel wrote for a three-person panel.
Tatel also noted that Congress did not block Kaspersky from making deals with other clients. As for reputational harm, Tatel noted that cases involving bills of attainder typically star people rather than corporations.
“Of course, we do not foreclose the possibility that Congress could impose a brand of infamy or disloyalty upon a corporation that would arise to the level of legislative punishment,” Tatel wrote. “But, in this case, section 1634 represents no more than a customer’s decision to take its business elsewhere. Though costly to Kaspersky, such a decision falls far short of ‘the historical meaning of legislative punishment.'”
In a statement Friday, Kaspersky said it has never engaged in “cyber offensive activities,” and did not indicate whether it plans to appeal the ruling further.
“Kaspersky Lab regrets that the court of appeals has upheld the lower court’s decision,” the company said in a statement. “Despite this development, Kaspersky Lab remains committed to providing industry-leading cybersecurity solutions to its customers in the United States and around the world.”