Filing 1

COMPLAINT against DEPARTMENT OF HOMELAND SECURITY, KIRSTJEN M. NIELSEN ( Filing fee $ 400 receipt number 0090-5252580) filed by KASPERSKY LAB, INC., KASPERSKY LABS LIMITED. (Attachments: # 1 Civil Cover Sheet, # 2 Summons Department of Homeland Security, # 3 Summons Kirstjen Nielsen, Secretary of DHS, # 4 Summons US Attorney General, # 5 Summons US Attorney for the District of Columbia)(Chasin, Steven) (Attachment 1 replaced on 12/20/2017) (sth).

Download PDF
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA KASPERSKY LAB, INC. 500 Unicorn Park, 3rd Floor Woburn, Massachusetts 01801; and KASPERSKY LABS LIMITED New Bridge Street House 30-34 New Bridge Street London, EC4V 6BJ United Kingdom Plaintiffs, v. U.S. DEPARTMENT OF HOMELAND SECURITY Washington, D.C. 20528; and Kirstjen Nielsen, in her official capacity as Secretary of Homeland Security Washington, D.C. 20528 Defendants. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Civil Action No. ___________ COMPLAINT 1. Kaspersky Lab, Inc., a Massachusetts corporation, together with its U.K. parent company Kaspersky Labs Limited (“Plaintiffs” or “Kaspersky Lab”), bring this action under the Administrative Procedure Act (“APA”) to uphold their constitutional due process and other rights which Defendants violated through unprecedented, sweeping, and retroactive debarment of Kaspersky Lab from U.S. Government information systems by way of the Department of Homeland Security’s (“DHS”) Binding Operational Directive 17-01 issued on September 13, 2017 (the “BOD”). 1 2. Without affording Plaintiffs notice or a prior opportunity to be heard, and without sufficient evidence, Defendants branded Kaspersky Lab’s market-leading anti-virus products an information security “threat, vulnerability and risk” to U.S. Government information systems and summarily ordered their identification, removal, and discontinuation by all subject U.S. government agencies, and the private contractors operating within their IT systems. 3. DHS was required under the APA and the U.S. Constitution to afford Plaintiffs due process—at the very least notice and a meaningful opportunity to be heard—before debarring Plaintiffs and depriving them of their liberty interest. 4. Defendants never claimed—and nothing in the record suggests—any justification for denying Plaintiffs the basic right to notice and an opportunity to contest Defendants’ “evidence” (in substantial part consisting of uncorroborated news articles) before the debarment. In particular, DHS has never claimed, and nothing in the records suggests, that the “information security risks” allegedly presented by Plaintiffs’ products were so imminent, so exigent, or so urgent, that they would justify depriving Plaintiffs of their constitutional due process rights. 5. Defendants had ample time and opportunity to afford Plaintiffs the due process to which they were entitled prior to the issuance of the BOD, and actively misled Plaintiffs regarding the status of their pre-BOD deliberations. Plaintiffs wrote in good faith to Defendants in July 2017 to offer to discuss and respond to any concerns that Defendants might have regarding Kaspersky Lab products. Defendants replied in August 2017, indicating that they “appreciate[d] [Plaintiffs’] offer to provide information” and would “be in touch again shortly.” Instead, Defendants proceeded with issuing the BOD in September, without any prior notice to Plaintiffs or any opportunity for them to be heard. 2 6. DHS issued the BOD pursuant to the Federal Information Security Modernization Act of 2014, 44 U.S.C. § 3551 et seq. (2014) (“FISMA”), which authorizes DHS to issue binding operational directives—“compulsory direction to agencies”—“for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk.” 44 U.S.C.§ 3552(b)(1). 7. The BOD compelled all federal agencies to: (1) identify Kaspersky Lab-branded products on all federal informational systems within 30 days, (2) develop a detailed plan to remove and discontinue the present and future use of all Kaspersky Lab-branded products within 60 days, and (3) unless directed otherwise by DHS based on new information, start actual removal within 90 days. (BOD at 2-3) 8. While DHS professed to give Plaintiffs an opportunity to contest the BOD and change DHS’s decision before the 90-day mark, by allowing Kaspersky to make a written submission to DHS near in time to the 60-day mark, this process was illusory and wholly inadequate because it failed to satisfy even the minimum standards of due process. 9. In actuality, the debarment of Plaintiffs and the damage caused was immediate and complete upon the issuance of the BOD. The process for identification, removal, and discontinuation had been initiated immediately upon issuance, all government agencies were prejudiced against Plaintiffs’ software at that time, and the process could therefore not have been adequately unwound. 10. DHS expressly acknowledged that following its issuance of the BOD, some “agencies removed the software in advance of the BOD’s requirement to start removal on day 90” without regard to the purported process set forth in the BOD (See Jeannette Manfra, testimony before the House Committee on Science, Space, and Technology, November 14, 2017). 3 Following the Final Decision, the Department confirmed that, rather than treating the 90 daymark as the start of the removal process (absent any change to the BOD by Defendants due to submissions received from Plaintiffs or other affected parties), many agencies had actually removed the software by that time: “For the most part, we’re closed out on removing the Kaspersky [antivirus]-branded products.” (See Christopher Krebs press briefing, December 13, 2017). 11. Plaintiffs submitted a detailed written response to the BOD on November 10, 2017 (the “Kaspersky Lab Submission”). 12. DHS issued a Final Decision on December 6, 2017. 13. Having already committed themselves, and their subject agencies, to detrimental action against Plaintiffs, Defendants failed to adequately consider, or respond to, the Kaspersky Lab Submission. Defendants simply re-asserted the BOD un-amended through the Final Decision. 14. Even in their Final Decision and supporting materials, Defendants continued to introduce new allegations, facts, and legal arguments to which Plaintiffs have had no opportunity to respond, even pursuant to the professed (but inadequate) administrative process advanced by Defendants which concluded with the Final Decision. 15. Accordingly, Plaintiffs were harmed before any due process was offered at all, and were never granted any meaningful process by which to challenge the administrative action in the BOD prior to the debarment. The debarment therefore deprived Kaspersky of a constitutionally protected liberty interest without due process of law, in violation of the Fifth Amendment of the Constitution. 4 16. The BOD also fails to meet the evidentiary requirements of the APA. Instead of relying on agency fact-finding, DHS’s principal and overwhelming source of “evidence” is uncorroborated news reports (some citing anonymous sources)—including the Rachel Maddow Show, Fox News, Wired Magazine, Bloomberg News, and Forbes. 17. In an attempt to satisfy the APA’s “substantial evidence” requirement, Defendants have mis-categorized these articles and other unsubstantiated allegations as “a substantial body of evidence.” (Final Decision Information Memorandum at 23). 18. To the contrary, Jeannette Manfra, the DHS author of the Information Memoranda in support of the BOD and the Final Decision, testified before the House Committee on Science, Space, and Technology on November 14, 2017, that in fact the Government does not have conclusive evidence that Kaspersky Lab had facilitated the breach of any U.S. Government information system. When asked in the same hearing by the Committee Chairman to address other media reports regarding Plaintiffs, Manfra testified that she could not “make a judgement based off of press reporting.” Yet that is exactly what she asked DHS’s Acting Secretary to do in her memoranda in support of the BOD and the Final Decision. 19. DHS confirmed in its Final Decision that it has no evidence of any such breach or wrongdoing on the part of Kaspersky Lab in an entire section of the Final Decision’s Information Memorandum entitled “No Need for Evidence of Wrongdoing.” DHS roundly ignores its obligation to produce any meaningful and specific evidence against Plaintiffs. 20. For these reasons, Plaintiffs bring this suit challenging the BOD and the Final Decision under the APA, as violative of Plaintiffs’ Fifth Amendment right to due process, and as arbitrary and capricious and not based on substantial evidence. Plaintiffs seek declaratory relief 5 that the BOD and Final Decision are invalid, and preliminary and permanent injunctive relief to rescind them and enjoin enforcement. PARTIES 21. Plaintiff Kaspersky Lab, Inc. is a Massachusetts corporation with its principal place of business in Woburn, Massachusetts. Plaintiff Kaspersky Lab, Inc. is a directly whollyowned subsidiary of Plaintiff Kaspersky Labs Limited, a U.K. holding company. 22. Defendant DHS is the federal agency responsible for issuing and implementing the BOD and Final Decision at issue in this case. 23. Defendant Kirstjen Nielsen is the Secretary of DHS and is being sued in her official capacity only. JURISDICTION AND VENUE 24. This action arises under the Due Process clause of the Fifth Amendment of the Constitution and the APA, 5 U.S.C. §§ 500-596, 701 et seq. This Court has jurisdiction pursuant to 28 U.S.C. §§ 1331 and the APA. 25. The Court has the authority to grant declaratory and injunctive relief pursuant to 28 U.S.C. §§ 2201 and 2202, and its inherent equitable powers. 26. Venue is proper in this district pursuant to 28 U.S.C. § 1391(e)(1). FACTUAL ALLEGATIONS I. Kaspersky Lab, Its Reputation in the Industry, and Its Principles of Fighting Cyberthreats 27. Kaspersky Lab is a multinational cybersecurity company exclusively focused on protecting against cyberthreats, no matter their origin. It is one of the world’s largest privately owned cybersecurity companies. It operates in 200 countries and territories and maintains 35 6 offices in 31 countries. Among its offices are research and development centers employing antimalware experts in the U.S., Europe, Japan, Israel, China, Russia, and Latin America. 28. Although the corporate group’s global headquarters are in Moscow, more than 85% of Kaspersky Lab’s sales are generated outside of Russia. Kaspersky Lab’s presence in Russia and its deployment in areas of the world in which many sophisticated cyberthreats originate, makes it a unique and essential partner in the fight against such threats which, in its absence, may not otherwise be met. 29. Over 400 million users—from governments to private individuals, commercial enterprise to critical infrastructure owners and operators alike—utilize Kaspersky Lab technologies to secure their data and systems. 30. Kaspersky products have received top ratings for malware detection (among other performance factors). For example, in 2016, Kaspersky Lab products participated in 78 independent tests & reviews—and the company was awarded 55 first places and 70 top-three finishes. Kaspersky Lab consistently ranks among the world’s top four vendors of security solutions for endpoint users. II. Kaspersky Lab, Inc. and Sales to the U.S. Government 31. Founded in 2004, Kaspersky Lab, Inc. is a Massachusetts corporation and is a directly wholly-owned subsidiary of Kaspersky Labs Limited. Kaspersky Lab, Inc. acts as the company’s North American headquarters through offices in Woburn, Massachusetts and employs nearly 300 people in the U.S. 32. The U.S. has been and remains one of the most significant geographic markets in Kaspersky Lab’s global business. Sales to customers in the United States represent approximately one quarter of total global bookings in 2016. Plaintiff Kaspersky Lab, Inc. has 7 invested over half a billion dollars in its operations over the last twelve years, and over $65 million in 2016 alone. 33. Active licenses held by federal agencies have a total value (to Plaintiffs) of less than USD $54,000, which represents a tiny fraction (0.03%) of Plaintiff Kaspersky Lab, Inc.’s annual sales in the United States.1 34. Notwithstanding the limited volume of U.S. Government sales, Kaspersky Lab, Inc. has a substantial interest in its status as a vendor to the U.S. Government, and in its continued ability to sell its product to the U.S. Government, inclusive of the right to be free of disparagement prejudicing commercial and enterprise customers. III. Without Affording Plaintiffs Notice or Opportunity to Be Heard, DHS Issued an Immediate and Complete Ban of Kaspersky Lab from all Government Agencies 35. On September 13, 2017, without affording any notice to Kaspersky Lab or prior opportunity to rebut the allegations, and despite Plaintiffs’ July 2017 outreach and Defendants’ professed willingness to enter into discussion in August, DHS announced that it had “determined that the risks presented by Kaspersky-branded products justify the issuance of” Binding Operational Directive 17-01 (“Removal of Kaspersky-Branded Products”). (BOD at 1). The BOD, as explained below, effectively banned all U.S. government agencies from using Kaspersky products and debarred the company immediately. Additionally, it required existing software instances to be identified and removed. The BOD applied to virtually all products, solutions, and services supplied, directly or indirectly, by Kaspersky Lab.2 (Id. at 2). In the accompanying Decision, DHS branded Kaspersky Lab products a threat to U.S. national security, 1 Based on Plaintiff Kaspersky Lab, Inc.’s 2016 net booking data. The BOD excepted two specific services, Kaspersky Threat Intelligence and Kaspersky Security Training. (BOD at 2). 8 2 based on the “ability of the Russian government, whether acting on its own or through Kaspersky, to capitalize on access to federal information and information systems provided by Kasperskybranded products.” (Decision at 2). 36. DHS issued the BOD pursuant to FISMA, which authorizes DHS to issue binding operational directives—“compulsory direction to agencies … for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk.” (Id. at 1, citing 44 U.S.C.§ 3552(b)(1)). 37. Specifically, DHS claimed that FISMA justified the BOD because “unclassified evidence”—almost entirely uncorroborated media reports, several citing anonymous sources— established that “[a]s long as Kaspersky branded products are present on federal information systems, Kaspersky [Lab] or the Russian government will have the ability to exploit Kaspersky [Lab]’s access to those information systems for purposes contrary to U.S. national security, including viewing or exfiltrating sensitive data or installing malicious code on federal systems, such as through an update to the anti-virus software.” (Decision at 2). 38. The BOD compelled all federal agencies to: (1) identify the use or presence of Kaspersky Lab-branded products on all federal informational systems within 30 days, (2) develop a detailed plan to remove and discontinue present and future use of all Kaspersky Labbranded products within 60 days, and (3) start the actual removal within 90 days, unless directed otherwise by DHS in light of new information obtained by DHS, including but not limited to new information submitted by Kaspersky. (the “30-60-90 day structure”) (BOD at 2-3). The 30day identification deadline fell on October 13, 2017, the 60-day removal plan deadline fell on November 12, 2017, and the 90-day deadline to begin removal fell on December 12, 2017. 9 IV. The BOD’s Purported Administrative Process 39. In a separate letter to Plaintiffs accompanying the BOD, DHS claimed to Plaintiffs that it was providing an “administrative process to inform [DHS] decision making”—a process to be later set forth in a Federal Register Notice—but as explained below, that process had no bearing on the debarment already effectuated by the BOD, and was purely perfunctory. (See DHS Letter to Eugene Kaspersky, dated September 13, 2017). 40. On September 19, 2017, DHS did indeed announce in the Federal Register that it was permitting Plaintiffs (and any other affected parties) to initiate a review of the BOD by submitting to DHS “a written response and any additional information or evidence supporting the response, to explain the adverse consequences, address the Department’s concerns or mitigate those concerns.” (82 Fed. Reg. 180, 43783, 43784 (Sept. 19, 2017)). DHS gave Plaintiffs until November 3, 2017 (subsequently extended to November 10, 2017) to respond to the BOD. 41. The Federal Register further provided that, following DHS’s receipt of a response to the BOD, “…the Secretary’s decision will be communicated to the entity in writing by December 13, 2017.” (Id.) But this was one day after the 90-day deadline by which agencies were to have begun removing Kaspersky products. In apparent acknowledgement of this procedural deficiency, the Information Memorandum accompanying the Final Decision “recommend[s] that [the Acting Secretary] respond to Kaspersky and issue [her] Final Decision on or before Monday, December 11”—notwithstanding the December 13, 2017, deadline set forth in the Federal Register. (Final Decision Information Memorandum at 3). 42. On September 29, 2017, DHS retrospectively provided Plaintiffs, through their counsel, access to an internal 21-page DHS Information Memorandum drafted and submitted to 10 the then Acting DHS Secretary on September 1, 2017, in support of the BOD (the “BOD Information”). 43. On November 10, 2017, Plaintiffs delivered to the Defendants the Kaspersky Lab Submission, an extensive written response to the BOD and its Information. 44. The Kaspersky Lab Submission rebutted at length the legal and factual allegations levied against Plaintiffs, corrected many misunderstandings held by DHS (as perpetuated by the news articles it cited), and highlighted the deficiencies in the administrative process offered by Defendants. 45. Following the issuance of the BOD, DHS had repeatedly declined the requests of Plaintiffs and their counsel to engage in order to present the Company’s position, address DHS’s concerns, and discuss any potential options for mitigation. Following the Kaspersky Lab Submission, DHS did finally agree to meet with Plaintiffs’ representatives and counsel on November 29, 2017. At that meeting Plaintiffs responded to a number of questions from Defendants’ attorneys regarding the Kaspersky Lab Submission but Defendants did not offer any further support for the BOD, much less an indication that they were willing to rectify the procedural or substantive deficiencies in the BOD or consider any mitigating options short of the outright ban contemplated by the BOD. 46. Plaintiffs believe that such options were available to Defendants and have not been fully explored, either prior to or subsequent to the issuance of the BOD. 47. On December 6, 2017, and without any adequate consideration of the Kaspersky Lab Submission, DHS issued a “Final Decision maintaining BOD 17-01 without modification” (the “Final Decision”). The Final Decision was accompanied by a Letter to Plaintiffs and an 11 Information Memorandum directed to the Acting Secretary in support of the Final Decision (the “Final Information”). V. Without Justification, Defendants’ Administrative Process Provided No Notice or Opportunity to be Heard Prior to Deprivation 48. Although the BOD’s 30-60-90 day structure gives the impression that harm is not immediate, in reality, the BOD is an immediate and complete debarment of Kaspersky Lab from government business upon issuance. 49. At a November 14, 2017, Hearing of the Committee on Science, Space, and Technology of the U.S. House of Representatives (“Bolstering the Government’s Cybersecurity: A Survey of Compliance with the DHS Directive”), Jeanette Manfra, DHS Assistant Secretary for Cybersecurity and Communications, testified that some agencies had already proceeded with removal of Kaspersky products without regard to the 30-60-90 day structure: “We’re working with each agency individually. Some of them have chosen to go ahead and remove the products ahead of schedule…Not all of the agencies have submitted the required action plan as I mentioned. Some of them have gone ahead and just identified a way to remove the software so they’re going about that.” This testimony was just four days after Plaintiffs submitted the Kaspersky Lab Submission to DHS and Manfra testified that she had not yet even had an opportunity to review Plaintiff’s response. Thus, federal agencies had begun removing Kaspersky software long before DHS even had completed its review of the Kaspersky Lab Submission. 50. The BOD, supported by other actions in Congress, has also had a severe adverse impact on Kaspersky’s other commercial interests in the U.S., which begun long before the Defendants’ decision was officially declared “Final.” For example, several retailers have 12 removed Kaspersky Lab products from their shelves and suspended their long-standing partnerships with Kaspersky Lab following the issuance of the BOD. As a result of these and other actions, Plaintiffs’ 2017 Q3 retail sales have fallen significantly compared to the same period in 2016. Presently, Plaintiffs are receiving and processing an unprecedented volume of product return and early termination requests as a result of DHS and other U.S. Government actions, which customers specifically refer to when stating the reason for their return. 51. Indeed, Christopher Krebs, the Senior Official Performing the Duties of the Under Secretary for the National Protection and Programs Directorate, who participated in the recommendation that the BOD be issued, stated DHS’s intent bluntly during public statements on October 31 2017: “[W]hen [DHS] makes a pretty bold statement like issuing the Kaspersky Lab binding operational directive I think that’s a fairly strong signal [to consumers].”3 This statement was made in response to a question regarding how and to what extent consumers should be informed as to the nature of any risk posed by Kaspersky Lab products in light of the recent issuance of the BOD. The fact that a senior DHS official decided to make a statement of that nature at the same time Defendants were purporting to offer Kaspersky Lab a genuine and meaningful right to be heard makes clear that the DHS specifically intended to prejudice Kaspersky Lab’s commercial interests even before the expiration of DHS’s own arbitrarily imposed process and deadline for the implementation of the BOD. 52. Krebs also confirmed through his statements to the media following the Final Decision that, with his oversight, federal agencies had actually been removing Kaspersky Labbranded software, while this process was purported to be running, prior to the 90-day mark. See Aspen Institute, Is the US Losing the Cyber Battle? October 31, 2017 https://www.aspeninstitute.org/events/us-losing-cyber-battle/. 13 3 53. Kaspersky had no opportunity to test or rebut the “evidence” contained in the BOD or its Information before action was taken (at the time the BOD was issued), and therefore there has been no opportunity to effectively be heard. 54. Rather, under the circumstances, the Fifth Amendment required DHS to provide Plaintiffs procedural protections before debarring it through the BOD. Critically, DHS made no attempt to demonstrate how prior notice to Plaintiffs would have interfered with DHS’s goals of eliminating the alleged “information risks.” Nor did DHS show why it failed to consider less severe measures or potential mitigation that could have been imposed on Kaspersky to address DHS’s purported concerns. DHS’s failure to provide adequate and timely notice created a substantial risk of wrongful deprivation. 55. As explained above, the BOD, the Decision, its Information, the Final Decision, and the Final Information are all devoid of even a suggestion that the “information security risks” allegedly presented by Kaspersky Lab are imminent, exigent, or urgent—let alone to a degree that justify foreclosing pre-deprivation notice. 56. To the contrary, DHS provides three months for affected agencies to “begin to implement their plan of action.” (BOD at 2). In the same vein, the BOD rests heavily on media accounts, some of which are nearly two years old—hardly indicating a paramount need for swift action. (See, e.g., BOD Information at 8 n.23, 10 n.38.) 57. In fact, urgency and immediacy are conspicuously absent from the reasons DHS gives for relying on the BOD rather than the traditional debarment procedure under the Federal Acquisition Regulations (“FAR”). Rather, the Decision explains that DHS considers the BOD to be a more “appropriate” process than a debarment proceeding under the FAR principally because it is more draconian: unlike a debarment pursuant to the FAR, the BOD is prospective as well as 14 retrospective, requires the removal of Kaspersky-branded products “indefinitely,” and prevents third parties from selling products produced by Kaspersky. (Decision at 4). And so, paradoxically, even though it is more thorough in depriving Kaspersky Lab of its rights, the BOD provides far less adequate process than the FAR, which has a well-established and constitutionally adequate due process that requires agency decisions be made in consideration of a contractor’s response before any action is taken to exclude it from future government contracts. 58. Defendants, in fact, had ample opportunity to provide Kaspersky Lab with due process protections prior to the issuance of the BOD. Unaware of what action, if any, DHS was contemplating, Kaspersky Lab wrote to DHS on July 18, 2017, with an offer to provide any information or assistance with regard to any investigation involving the Company, its operations, or its products. DHS responded on August 14, 2017, acknowledging the Company’s letter and its offer of assistance, and indicated that DHS “will be in touch again shortly.” Nearly one month later, and absent any other communication from DHS, the BOD was issued. VI. DHS’s Introduction of New Evidence in its Final Decision also Violates Due Process 59. Aside from failing to provide due process prior to the issuance of the BOD, the process which DHS professed to provide Plaintiffs after its issuance was not meaningful or fair. 60. DHS based the BOD at least in part on a supposed concern about Russian law. In its December 6, 2017, Final Decision, DHS introduced for the first time “an analysis of relevant portions of Russian law prepared by Professor Peter Maggs of the University of Illinois College of Law (the ‘Maggs Report’).” (Final Decision at 2). 61. Rather than introducing the Maggs Report with the September 13, 2017, BOD— which would have enabled Plaintiffs to address the report when Plaintiffs filed the Kaspersky Lab Submission—DHS withheld (or did not obtain) the report until its December 6, 2017, Final 15 Decision. This approach denied Plaintiffs basic due process by unfairly foreclosing Plaintiffs any opportunity to rebut or contest the Maggs Report. VII. The BOD is Based Almost Entirely on Uncorroborated Media Reports—Not Substantial Evidence—and therefore is Arbitrary and Capricious 62. The BOD and the Final Decision are based on the following three broad allegations levied against Plaintiffs and their software: [1] the broad access to files and elevated privileges of anti-virus software, including Kaspersky software; [2] ties between Kaspersky officials and Russian government agencies; and [3] requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers, including U.S. government customers. (Final Decision, p. 2-3) 63. DHS’s record underlying the BOD in support of these three arguments is devoid of reliable evidence. Rather, the BOD is based on a series of uncorroborated news articles, most of which rely upon the same anonymous sources, none of which have been tested in a fair and public forum. A. Broad access to files and elevated privileges of anti-virus software, including Kaspersky Lab software 64. DHS relies on an assumption that a particular software product or vendor should be banned because of a generally presumed susceptibility to exploitation by a malicious actor, but, tellingly, it does not extend such a prohibition to other software products beyond anti-virus software or to other anti-virus software vendors besides Kaspersky Lab. 65. Kaspersky Lab software operates in a manner that closely mirrors the offerings of other providers which have not been subject to the DHS action. Neither the BOD Information, nor the assessment by the National Cybersecurity and Communications Integration Center 16 (“NCCIC Assessment”) on which it relies, provide any technical evidence to indicate that any Kaspersky Lab product represents either a greater or lesser technical risk to federal information systems than similar anti-virus software products or vendors. 66. As noted above, Kaspersky Lab’s U.S. government business represents a small fraction of its U.S., much less its global, business and software footprint. Other anti-virus software products have a much larger footprint across federal government systems and are likely as vulnerable to exploitation by malicious cyber actors as DHS alleges is the case for Kasperskybranded software products. 67. Thus, if DHS’s claims about anti-virus software were legitimate, DHS would apply the BOD to other software rather than to Kaspersky Lab products alone. B. Ties between Kaspersky Lab and the Russian government 68. There is no evidence presented by DHS of improper coordination between Kaspersky Lab or its executives and the Russian Government in furtherance of demonstrable illicit activities. Rather, DHS speculates that cybersecurity risks are presented by Kaspersky Lab products merely by virtue of the fact that the Company is headquartered in Moscow. 69. DHS’s stated concern that the Russian Government engages in cyberespionage (see, e.g., Decision at 2) is not evidence that any global company like Kaspersky Lab headquartered (or with operations) in Russia, are facilitating government sponsored cyberintrusions. 70. In fact, more than 85 percent of Kaspersky Lab’s revenue comes from outside of Russia—a powerful economic incentive to avoid any action that would endanger the trusted relationships and integrity that serve as the foundation of its business by conducting inappropriate or unethical activities with any organization or country. 17 71. The BOD Information further alleges that Kaspersky Lab senior executives have “ties” with the Russian government and highlights, among other things, their long ago former service within the Russian government and/or military and their current profiles and connections. (BOD Information at 10-11). It fails to acknowledge, however, that each of these individuals grew up in the Soviet Union at a time when the government relied heavily on conscripted service. As such, allegations of this sort could be made against the majority of Russians of the same generation. These facts do not indicate that their connections or service with the Russian Government were, or are, inappropriate or that they have continued to this day. 72. Moreover, DHS does not suggest that an inappropriate relationship (between Kaspersky Lab and the Russian Government or otherwise) is likely or probable—or even that there is any relationship whatsoever. DHS simply suggests that such an inappropriate relationship is possible: “Such an established relationship and connections between Kaspersky and the FSB [(Russian Security Services)] could facilitate future cooperation for other purposes and therefore is an area of serious concern to DHS.” (Final Information at 13)(emphasis added). C. Requirements under Russian law 73. The BOD Information alleges that Kaspersky Lab has obtained certificates and licenses from the Russian Security Services (“FSB”), and that this “suggest[s] an unusually close” relationship between the two. (BOD Information at 9). But there is simply nothing unusual about the licenses or certificates Kaspersky Lab has obtained from the FSB in the normal course of doing business in Russia. All information technology companies involved in cryptography-related activities operating in Russia (including leading U.S. companies) are required to obtain the same licenses and certificates from the FSB. In recognizing this exact role of the FSB in granting certificates for certain commercial products, the U.S. Department of the 18 Treasury’s Office of Foreign Assets Control issued General License No. 1 under the Cyber Sanctions Executive Orders which expressly authorized U.S. companies to obtain precisely the same licenses from the FSB in a way that would otherwise have been prohibited due to the FSB’s prior designation under those sanctions authorities. 74. DHS also claims that the BOD is warranted based on the FSB’s authority to compel or request assistance from companies in Russia. (Decision at 2; BOD Information at 2, 12). However, this obligation applies to all companies operating in Russia. The FSB can request information from companies in Russia only in furtherance of specified duties—and are subject to challenge in Court. Defendants fail to provide any evidence of the FSB actually compelling Plaintiffs to provide any information on Plaintiffs’ customers in the U.S. or any other evidence of Plaintiffs’ interaction with Russian authorities that would pose a security threat to federal agencies using the software in the U.S. VIII. Defendants’ Failure to Acknowledge and Fulfill Due Process and APA Protections 75. DHS, through its actions and statements described above, has demonstrated its willing failure to comply with the requirements of the APA and the U.S. Constitution in issuing the BOD. Plaintiffs explained these violations in the Kaspersky Lab Submission. 76. Rather than responding to these deficiencies and attempting in any way to remedy them, DHS cursorily dismissed them in its Final Decision and Information. DHS says simply that it is: “confident that the BOD procedures are constitutional and lawful,” that the “BOD is based on a substantial body of evidence,” and that DHS “provided Kaspersky with meaningful notice and opportunity to confront the evidence against it.” (Final Information at 23.) 19 77. For the reasons set out in this Complaint, this is not the case. DHS has not, in the Final Information, the Final Decision, or anywhere else, demonstrated its fulfillment of its obligations under the APA or the U.S. Constitution. EXHAUSTION, FINALITY, AND STANDING 78. Plaintiffs have exhausted the professed “administrative process” provided by DHS as described above, through the November 10, 2017, Kaspersky Lab Submission. 79. Plaintiffs challenge a “final agency action” for purposes section 704 of the APA. After DHS issued the BOD, and Plaintiffs submitted the Kaspersky Lab Submission, DHS issued its “Final Decision maintaining BOD 17-01,” as explained above. 80. Plaintiff Kaspersky Lab, Inc. has standing to bring this suit because the Company sold its products (through its partners) to the U.S. Government, and is injured by the debarment effectuated by the BOD. The company also has been injured by DHS’s disparagement of the Company through the BOD. 81. Plaintiff Kaspersky Labs Limited also has standing. As the U.K. parent, Kaspersky Labs Limited suffers financial harm due to its wholly-owned subsidiary’s loss of sales and reputational injury, resulting from the BOD. Kaspersky Labs Limited is also injured by the BOD’s preclusive effect. The BOD orders all federal agencies to discontinue all Kasperskybranded software, thereby precluding Kaspersky Labs Limited from making a direct sale to the U.S. Government. 20 FIRST CAUSE OF ACTION (Administrative Procedure Act, 5 U.S.C. § 706(2)(B) and the Due Process Clause of the Fifth Amendment of the United States Constitution) 82. Plaintiffs incorporate by reference, as if fully restated herein, paragraphs 1-81 83. The APA directs that the “the reviewing court shall ... hold unlawful and set aside above. agency actions, findings, and conclusions found to be … contrary to constitutional right, power, privilege, or immunity.” 5 U.S.C. § 706(2)(B). 84. The BOD, as issued to Kaspersky Lab, and upheld by the Final Decision is unlawful and contrary to constitutional right, power, privilege, and immunity. 85. DHS violated Plaintiffs’ Fifth Amendment rights to due process by depriving Plaintiffs of a protected liberty interest, with constitutionally insufficient procedures attendant upon that deprivation. Through the BOD, DHS debarred Plaintiffs from government contracting, and effectively terminated Kaspersky Lab as a government contractor while simultaneously broadcasting to the world insufficient and uncorroborated reasons for that termination. As explained above, DHS was required to provide pre-deprivation due process, and did not. SECOND CAUSE OF ACTION (Administrative Procedure Act, 5 U.S.C. § 706(2)(A)) 86. Plaintiffs incorporate by reference, as if fully restated herein, paragraphs 1-81 87. The APA directs that “the reviewing court shall...hold unlawful and set aside above. agency actions, findings, and conclusions found to be…arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2)(A). 21 88. The BOD is not supported by substantial evidence. DHS did not properly evaluate the strength of the evidence before it, and therefore failed to satisfactorily support its decision or identify a rational connection between the facts before it and the conclusions it reached. Accordingly, the BOD was arbitrary and capricious and an abuse of agency discretion. PRAYER FOR RELIEF WHEREFORE, Plaintiffs respectfully request that a judgment be granted: (a) Preliminarily and permanently invalidating and rescinding the BOD and the December 6, 2017, Final Decision maintaining the BOD and enjoining DHS from enforcing the BOD and the Final Decision; (b) Declaring the BOD and Final Decision invalid, and declaring that the presence of Kaspersky Lab-branded products on federal information systems do not present a known or reasonably suspected information security threat, vulnerability, and risk to federal information systems; and (c) Granting such other relief as the Court deems just and proper. Dated: December 18, 2017 Respectfully submitted, /s/ Ryan P. Fayhee Ryan P. Fayhee (Bar No. 1033852) Steven Chasin (Bar No. 495853) Baker & McKenzie LLP 815 Connecticut Avenue NW Washington D.C. 20006 Tel: (202) 452 7024 Fax: (202) 416 7024 Ryan.Fayhee@bakermckenzie.com Steven.Chasin@bakermckenzie.com Attorneys for Kaspersky Lab, Inc. and Kaspersky Labs Limited 22

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?