A Washington D.C. court has dismissed Kaspersky Lab's lawsuits against the U.S. government over two different rules banning Kaspersky products from federal systems.
The background: Both a federal law passed as part of last years National Defense Authorization Act (NDAA,) and a binding operational directive (BOD) issued by the Department of Homeland Security, prohibit federal agencies from using Kaspersky products. Both portrayed Kaspersky, a Moscow based company, as a national security risk.
The details:
- Kaspersky sued to prevent the two rules from coming into place, claiming the NDAA was a form of unlawful punishment against a specific company known as a bill of attainder. The judge reasoned that "The NDAA does not inflict 'punishment' on Kaspersky Lab. It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation."
- Because the NDAA ruling remains in effect, the judge ruled the BOD case was more or less a moot point. No matter what the ruling in that case, the NDAA would continue to block federal agencies from using Kaspersky products.
The perceived threat: Lawmakers and DHS have publicly said the national security threat from Kaspersky products stems from Russian law. Antivirus programs and other security programs often upload files to a security firm's server in the course of analyzing them for threats. By law, Kaspersky would have to honor Russian official requests for the data.
- Media reports suggest there may be a more specific espionage threat. The New York Times and Wall Street Journal reported Russian spies used Kaspersky Lab products to search for classified files on U.S. systems that had Kaspersky installed.
- Kaspersky has denied any fealty to the Russian government or willing involvement in an espionage scheme and moved its data centers to Switzerland in order to boost public trust.
