A federal judge has dismissed Kaspersky Lab's lawsuit challenging the US government's ban on its products, meaning that the prohibition will remain in effect.
US district judge Colleen Kollar-Kotelly ruled that Kaspersky's two lawsuits against the US government should be dismissed due to a lack of standing and the fact that the government's actions don't determine guilt and inflict punishment.
"The NDAA [National Defense Authorisation Act] does not inflict 'punishment' on Kaspersky Lab," Kollar-Kotelly wrote in a 55-page memorandum opinion. "It eliminates a perceived risk to the Nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation."
The US Department of Homeland Security issued a directive last September stipulating that civilian federal government agencies remove Kaspersky's software within 90 days after the company was accused of having links to Russian intelligence services. Three months later, US president Trump signed a broader defense policy spending bill that bans Kaspersky's software from both civilian and military networks.
Kaspersky, for its part, maintains that the US government's actions were the product of unconstitutional agency and legislative processes, unfairly targeting the company without any meaningful fact-finding. The government's decisions have broad implications for the global technology community, Kaspersky said, especially given the lack of evidence of wrongdoing by the company.
"Kaspersky Lab is disappointed with the court's decisions on its constitutional challenges to the US government prohibitions on the use of its products and services by federal agencies," the company said in a statement on Wednesday. "We will vigorously pursue our appeal rights."
Kollar-Kotelly, however, said that the security of federal networks and computer systems depends on the government's ability to act swiftly against perceived threats and take preventative action to minimise vulnerabilities.
"These defensive actions may very well have adverse consequences for some third-parties," Kollar-Kotelly wrote. "But that does not make them unconstitutional."
The judge argued that Kaspersky lacked standing to challenge Homeland Security's September directive since the fast-approaching NDAA effective date would make it "completely implausible" for any government entity to purchase a Kaspersky product. As a result, Kollar-Kotelly said the empty 'right' to sell to the federal government would lack any concrete value.
"To 'sell' requires another to 'buy,'" Kollar-Kotelly wrote. "Because no government agency would buy plaintiff's product in the period before 1 October, 2018, Plantiffs' theoretical 'right' to sell has no value at all in the real world."
Government officials and members of congress began voicing concerns about the presence of Kaspersky products on government systems based on the risk that these products could be exploited by Russia, either with or without Kaspersky's consent, cooperation, or knowledge, Kollar-Kotelly said. Kaspersky has vehemently denied any ties to the Russian government.
In November 2017, Kaspersky said an internal investigation found that its servers had received confidential National Security Agency files from an employee's computer. However, that happened as part of a probe into malicious code on the machine and wasn't a result of cooperation with Russia, the company said, with CEO Eugene Kaspersky ordering the classified data be deleted from the computer.
Kaspersky announced earlier this month that it plans to move a number of its core processes from Russia to Switzerland, including software assembly, threat detection updates, and customer data storage and processing for most regions.
By the end of 2019, the company expects to have established a data center in Zurich to store and process information voluntarily shared by Kaspersky Security Network users in North America, Europe, Singapore, Australia, Japan and South Korea.