Kaspersky Lab Sues US Government Over BanFederal Software Ban Violates Due Process, Anti-Virus Firm Alleges
Kaspersky Lab has sued the U.S. Department of Homeland Security for issuing an order that bans the Moscow-based anti-virus firm's software from being used on federal systems.
The lawsuit, filed this week in federal court, challenges DHS's Binding Operational Directive 17-01, issued by Acting Homeland Security Secretary Elaine Duke. The directive, published in a Sept. 19 Federal Register notice, required all federal government agencies to develop and begin implementing a plan to expunge all "information security products, solutions and services supplied directly or indirectly" by Kaspersky Lab "or related entities" from federal government systems by Dec. 18 (see Kaspersky Software Ordered Removed From US Government Computers).
DHS said the 90-day implementation period was designed, in part, to allow Kaspersky Lab to engage with the government and address multiple concerns. Kaspersky Lab said that it has been attempting to address DHS concerns for some time, including submitting detailed, written responses to DHS following the directive being issued, but to no avail.
Following the release of the directive, President Donald Trump last week signed a new military bill into law that includes a provision that prohibits all civilian and military agencies from using software products from Kaspersky Lab (see New Law Bans Kaspersky AV Software From Federal Computers).
In its lawsuit, Kaspersky Lab alleges that it has been denied due process - meaning fair treatment, including the right to see charges against it and have a hearing before an impartial judge - and that the company's reputation, as well as the reputation of its U.S.-based employees and business partners, has been damaged by the U.S. government's unproven allegations. DHS's decision "relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the directive," the company alleges.
"Because Kaspersky Lab has not been provided a fair opportunity in regards to the allegations and no technical evidence has been produced to validate DHS's actions, it is in the company's interests to defend itself in this matter," founder and CEO Eugene Kaspersky says in an open letter published Monday. "Regardless of the DHS decision, we will continue to do what really matters: make the world safer from cybercrime."
The U.S. government's Kaspersky Lab scrutiny appears to have been originally sparked by reports that the company's anti-virus software flagged and transmitted for analysis exploitation tools stored on the home PC of a National Security Agency employee. The employee, 67-year-old Nghia Hoang Pho of Ellicot City, Maryland, recently pleaded guilty to one count of willful retention of national security data.
After an internal investigation, Kaspersky Lab confirmed that its anti-virus software flagged the malicious files for analysis, but after its research team realized what they had, Eugene Kaspersky ordered the files to be immediately deleted (see Kaspersky Lab Says It Spotted APT Code, Quickly Deleted It).
In October, The New York Times reported that Israeli intelligence discovered at least two years ago that Russia had infiltrated Kaspersky Lab's software and network and was using it as the equivalent of a search engine for finding classified data on U.S. intelligence programs (see Will Kaspersky Lab Survive the Russia Hacking Scandal?).
Kaspersky Lab has denied those allegations and contends that it's a pawn in a political battle between Moscow and Washington of which it wants no part, saying it's been singled out solely on the basis of where it is headquartered.
Reached for comment, a DHS spokeswoman declined to comment on Kaspersky Lab's lawsuit or how it plans to respond.
Concerns Cited by DHS
When announcing the directive that bans Kaspersky Lab software from federal systems, officials voiced concerns that Kaspersky Lab has inappropriate ties to Russian intelligence and other government operations, that Russian law allows intelligence agencies to compel the company to assist it and that Russian intelligence agencies might eavesdrop or intercept information collected by the company.
Another concern: "Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems," DHS said in a statement.
Officials have also cited the fact that Eugene Kaspersky graduated from a cryptography institute run by the Soviet Union's KGB - as cause for concern.
How AV Works
But security experts say that technically, anti-virus software must have deep access to systems, and that politically, concerns about ties between intelligence agencies and domestic cybersecurity vendors could apply to vendors from any country (see Surveying 17 Anti-Virus Firms on Their Security Practices).
Many of today's top information security experts were trained at universities that have ties to intelligence agencies or worked for those intelligence agencies. That's no surprise, since intelligence agencies tend to be on the leading edge of cryptographic research.
The U.S. government has not published any evidence that demonstrates that Kaspersky Lab colluded with the Russian government or that the Russian government interfered with its software or eavesdropped on telemetry data (see Kaspersky Lab Debate: Put Up or Shut Up).
Governments, however, are not generally in the business of publishing intelligence, because it could reveal sensitive sources and methods (see FBI Defends Sony Hack Attribution).
"That's the thing about geopolitical infowars," cryptographer Matthew Green at Johns Hopkins University has noted via Twitter. "They are not conducted in such a way that random people like us get evidence briefings."
Founder and CEO Defends Company
Eugene Kaspersky and his firm have continued to deny any improper behavior, saying they would never help "any government in the world with its cyber espionage efforts."
What to do when banned without evidence and the right to be heard? Well, we're securing our rights by taking this to the courts. Why? We've done nothing wrong. https://t.co/uPmS0iy2qW— Eugene Kaspersky (@e_kaspersky) December 18, 2017
Kaspersky Lab says it has continued to try and engage with the U.S. government, including reaching out to DHS in mid-July, offering "to provide any information or assistance concerning the company, its operations, or its products" that DHS might desire. It says DHS acknowledged the offer. But Kaspersky Lab said the next step by DHS was to issue the directive, to which the company says it submitted detailed, written responses on Nov. 10.
In its lawsuit, Kaspersky Lab alleges that the "administrative process" through which it was allowed to appeal the directive was inherently flawed, "because the company did not have the opportunity to see and contest the information relied upon by DHS before the issuance of the directive."
Eugene Kaspersky has continued to offer to testify before Congress as well, and he was scheduled to do so before a House subcommittee on technology on Sept. 27. Lawmakers, however, later held the hearing without him and have indefinitely postponed inviting him to testify (see 10 Reactions: Allegations Against Kaspersky Lab).
UK Issues Guidance
Following DHS announcing that it was banning Kaspersky Lab software from federal IT systems, Britain's National Cyber Security Center, which advises organizations on cybersecurity matters and is part of intelligence agency GCHQ, delivered its own, more nuanced guidance.
Earlier this month, NCSC recommended that Russian anti-virus products not be used for certain official-tier organizations or anyone handling information classified as "secret" or higher, due simply to "some obvious risks around foreign ownership." But most systems, the agency says, face no risk from using Russian-made security software.
NCSC also promised to work with Kaspersky Lab and potentially revise its guidance. And Kaspersky Lab pledged to continue its "dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab's products and services" (see After US Allegations Against Kaspersky Lab, UK Responds).