A federal judge on Wednesday dismissed Kaspersky Lab's two lawsuits alleging that the federal government and Congress acted unlawfully to ban products developed by the Russian-based cybersecurity firm over security concerns.
Judge Colleen Kollar-Kotelly argued that while the two lawsuits are "distinct," there are also "motions pending in each that present overlapping and interrelated issues."
Kollar-Kotelly dismissed the firm's lawsuit that sought to challenge the directive issued by the Department of Homeland Security (DHS) last year, which removed and banned Kaspersky software over concerns about the firm's ties to the Russian government.
Kaspersky, which has repeatedly maintained that it operates independently of the Kremlin, argued that it did not receive proper notice about DHS's binding operational directive (BOD) or have a chance to contest the underlying evidence used to reach the ban decision. They said this has caused "significant damage to Kaspersky Lab’s reputation and the loss of sales," according to court documents filed in January.
Kollar-Kotelly, however, disagreed with this argument, noting that none of their "alleged harms would be redressed" even if they received a favorable ruling in the case because Congress has already instituted its own government-wide ban on use of Kaspersky products, which President Trump signed in December.
"The BOD Lawsuit is dismissed for lack of standing because, even if Plaintiffs were to succeed in that lawsuit and the Court were to order the rescission of BOD 17-01, none of Plaintiffs’ alleged harms would be redressed," Kollar-Kotelly wrote in her opinion of the case.
Congress passed the 2018 National Defense Authorization Act (NDAA) following the directive, after lawmakers became increasingly concerned that U.S. computer systems were using Kaspersky software.
Kaspersky's second lawsuit was directed against the NDAA, arguing that the legislation is unconstitutional because it violated the Constitution’s bill of attainder clause, which forbids Congress “from enacting laws which impose individualized deprivations of life, liberty, and property and inflict punishment on individuals and corporations without a judicial trial.”
Kollar-Kotelly, however, sided with the Department of Justice, which challenged the lawsuit in a motion in March, arguing the case should be dismissed because the action taken by Congress was a legal move to protect U.S. national security.
"Plaintiffs have not plausibly alleged that the NDAA constitutes a bill of attainder," Kollar-Kotelly ruled, noting that it is dismissed for "failure to state a claim."
"The NDAA does not inflict 'punishment' on Kaspersky Lab. It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation."
Kollar-Kotelly's decision in the NDAA lawsuit impacted her ruling on the binding operational directive lawsuit. The lawsuit against the directive has no standing, she reasoned, because their claims of a damaged reputation would not be fixed since the NDAA is lawful and will go into effect in October.
"[The Plaintiffs’ alleged harms] would continue in full force as a result of the NDAA," she concluded.
Kaspersky Lab expressed disappointment in the court's ruling.
"We will vigorously pursue our appeal rights. Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding," Kaspersky Lab said in a statement.
"Given the lack of evidence of wrongdoing by the company and the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community. Policy prohibiting the U.S. Government's use of Kaspersky Lab products and services actually undermines the government's expressed goal of protecting federal systems from the most serious cyber threats."