The procedural move is unlikely to prevail, a former cybercrime prosecutor says.
The Moscow-based anti-virus maker Kaspersky Lab asked a federal judge Thursday to halt the Homeland Security Department from scrubbing its products from federal computers.
The department’s October directive banning Kaspersky violated the company’s constitutional due process rights and is doing “irreparable harm” to Kaspersky’s reputation, the company said in a memo seeking the preliminary injunction.
As a result of the ban, Kaspersky’s U.S. retail sales fell 61 percent during the fourth quarter of the 2017 fiscal year compared with the same quarter the year before, the company said. Results from the second half of the year showed a 50 percent decline in retail sales, the company said.
Homeland Security ordered the Kaspersky removal following months of rumors that the company had been compromised by Kremlin hackers who might use vulnerabilities in the anti-virus to spy on Americans. Reporting after the ban suggested Kaspersky might have been the conduit by which hacking groups stole troves of National Security Agency hacking tools.
The Homeland Security Department did not cite any specific incidents in its ban but said “the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
Kaspersky products were ultimately found at 15 percent of agencies, often in small offices that were not overseen by central IT offices. Those offices are removing it.
Kaspersky sued to reverse the ban Dec. 18. Among other arguments, the company said it was not given a genuine chance to defend itself against Homeland Security’s charges.
The department, Kaspersky said, had essentially made a final decision in favor of the ban when it issued the October directive and paid little attention to the company’s explanations in a lengthy November memo and a single in-person meeting.
Kaspersky’s chances of prevailing in the courtroom are slim, according to Edward McAndrew, a former federal cybercrime prosecutor in the Eastern District of Virginia, which has been home to numerous major cyber and intelligence cases.
Even if Homeland Security gave short shrift to Kaspersky’s defense, the company will have a tough time proving the department’s fear that government data might be compromised by Russia don’t outweigh the company’s due process rights, said McAndrew, who’s a co-leader of the Ballard Spahr law firm’s privacy and data security group.
Homeland Security’s administrative move has also now been superseded by the December passage of an annual defense policy bill, the National Defense Authorization Act, which enshrined the Kaspersky ban into law, he noted.
Finally, there’s a solid argument that courts can’t review administrative actions made based on the Federal Information Security Management Act, he said. That’s based on a prior D.C. federal court decision related to the 2015 Office of Personnel Management data breach.
Even if Kaspersky doesn’t prevail in the courtroom, the lawsuit will allow the company to air its defense in a more public forum and perhaps reverse some of the reputational damage it says the government caused, McAndrew said.
“There’s been so much focus on whether Russia and Russia-based entities have been involved in unlawful cyber activities and now you have a Russian entity pushing back on that in a federal courthouse in Washington, D.C. That’s pretty breathtaking,” McAndrew said.
“[Kaspersky] will have the opportunity to present evidence [and] cross-examine government witnesses,” he said. “It’s a way for them to publicly air this dispute.”
The judge has scheduled a telephone hearing on Kaspersky’s request for Monday, according to the court docket.