Kaspersky Faces Tough Questions at Appeals Court

Attorneys for Kaspersky Lab faced tough questioning Friday from a three-judge federal appeals court panel in what could mark the Russian anti-virus company’s last chance to make a public case against a U.S. governmentwide ban.

That December 2017 congressional ban came after months of alarms across government that Kaspersky software might be used as a spying tool for the Russian government or that the company might be compelled to collect and turn over U.S. government information under Russian law.

The Homeland Security Department had also ordered a more limited Kaspersky ban on civilian government agencies three months earlier.

Kaspersky attorney Scott Christensen argued Friday that the order unfairly singled out Kaspersky for punishment—what’s known as a bill of attainder.

Congress also imposed a financial and reputational burden on Kaspersky that was out of proportion to any national security benefit to the U.S. government, Christensen said. He asked the U.S. Court of Appeals for the District of Columbia judges to halt the ban, which officially goes into effect for federal agencies and contractors Oct. 1.

The judges appeared dubious.

Judge David Tatel suggested Congress’ goal in passing the Kaspersky ban was “attempting to protect the security of U.S. computer systems,” rather than punishing the company.

That echoes the government’s argument throughout the case and the ruling of District Court Judge Colleen Kollar-Kotelly, who dismissed Kaspersky’s case against the government in May.

Perhaps more damagingly, Judge Harry Edwards disputed Christensen’s claim that the ban placed a disproportionate burden on Kaspersky compared with the national security aims Congress wanted to achieve.

“You [say] the magnitude of the imbalance is significant … Given our concern about Russian intrusion into our national affairs, I don’t see an imbalance,” Edwards said. “Given real-world circumstances, that doesn’t seem so to me at all.”

Punishment or Protection

Kaspersky has steadfastly maintained that it does not share client information with any government and U.S. intelligence agencies have never made a public case that Kaspersky assisted with Russian government spying or cyberattacks.

U.S. intelligence leaders have, however, testified before Congress that they would not personally use Kaspersky anti-virus and media reports have suggested the anti-virus might have been instrumental in a theft of National Security Agency secrets—possibly without Kaspersky’s knowledge.

Christensen argued Friday that Congress passed the Kaspersky ban in haste without the sort of hearings and debates that typically characterize a well-considered legislative decision.

He returned several times to a New York Times op-ed penned by Sen. Jeanne Shaheen, D-N.H., who sponsored the Kaspersky banning provision in the Senate version of a must-pass defense policy bill. The op-ed published Sept. 4, just two weeks before the larger bill passed the Senate with Shaheen’s provision intact.  

That haste suggests Congress was more interested in punishing Kaspersky than in genuinely protecting national security, Christensen said.

“The effect of this ban is completely disconnected with the genuine articulable threat posed by cybersecurity,” Ryan Fayhee, another Kaspersky attorney, told reporters after the hearing.

“To limit it to that one company in a 750-page must-pass bill reveals exactly with this is,” he said.

Justice Department attorney Lewis Yellin pushed back on that claim, noting that Kaspersky was brought up in numerous congressional hearings over the course of the year and that the current Congressional session has been nearly consumed with discussions about Russian digital interference in U.S. affairs.

Fayhee dismissed questions about whether Shaheen, who serves on the Senate Intelligence Committee, and other lawmakers might have been relying on more troubling classified evidence in pushing for the ban.

“The public has a right to know,” he said. “We don’t hold trials in secret. We don’t take factual findings in secret and then impose bans in secret that aren’t allowed to be reviewed by courts.”

A Category of One

Christensen also argued Friday that, rather than specifically banning Kaspersky software, Congress could have banned a larger category that included Kaspersky, such as all companies that do business in Russia or that maintain computer servers in Russia.

Because Kaspersky is the only multinational computer security company based in Russia, however, Judge David Tatel noted it would be difficult for Congress to create a meaningful category of banned companies that included Kaspersky but wasn’t also limited to Kaspersky.

Tatel compared the situation to a 1977 Supreme Court case, Nixon vs. General Services Administration, in which the former president challenged a 1974 law that compelled him to turn over tapes and records from his presidency to the government.

Similar to Kaspersky, Nixon argued he was being unfairly singled out for punishment. Tatel quipped that Congress could have written a law that applied to all disgraced former U.S. presidents in possession of Oval Office tapes, but it would have been a pretty weak fiction.

Next Steps

Fayhee told reporters after the hearing that he’s optimistic Kaspersky will prevail at the appeals level.

He declined to say whether Kaspersky will seek another hearing by the full appeals court or seek U.S. Supreme Court review if the three-judge panel upholds the company’s loss at the district court level.

“Let’s wait to see what the judges do,” he said, adding “that’s something we’ll obviously consider.”