Federal Software Ban Violates Due Process, Anti-Virus Firm Alleges
Kaspersky Lab has sued the U.S. Department of Homeland Security for issuing an order that bans the Moscow-based anti-virus firm’s software from being used on federal systems (see New Law Bans Kaspersky AV Software From Federal Computers).
The lawsuit, filed this week in federal court, challenges DHS’s Binding Operational Directive 17-01, issued by Acting Homeland Security Secretary Elaine Duke. The directive, published in a Sept. 19 Federal Register notice, required all federal government agencies to develop and begin implementing a plan to expunge all “information security products, solutions and services supplied directly or indirectly” by Kaspersky Lab “or related entities” from federal government systems by Dec. 18 (see Kaspersky Software Ordered Removed From US Government Computers).
DHS said the 90-day implementation period was designed in part to allow Kaspersky Lab to engage with the government and address multiple concerns. Kaspersky Lab said that it has been attempting to address DHS concerns for some time, including submitting detailed, written responses to DHS following the directive being issued, but to no avail.
In its lawsuit, Kaspersky Lab alleges that it has been denied due process – meaning fair treatment, including the right to see charges against it and have a hearing before an impartial judge – and that the company’s reputation, as well as the reputation of its U.S.-based employees and business partners, has been damaged by the U.S. government’s unproven allegations. DHS’s decision “relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the directive,” the company alleges.
“Because Kaspersky Lab has not been provided a fair opportunity in regards to the allegations and no technical evidence has been produced to validate DHS’s actions, it is in the company’s interests to defend itself in this matter,” founder and CEO Eugene Kaspersky says in an open letter published Monday. “Regardless of the DHS decision, we will continue to do what really matters: make the world safer from cybercrime.”
Anonymously sourced media reports have suggested that the Russian government was using the company’s widely installed anti-virus software to try to spy on U.S. intelligence agencies (see Will Kaspersky Lab Survive the Russia Hacking Scandal?).
Kaspersky Lab has denied those allegations and reports and says it’s a pawn in a political battle between Moscow and Washington of which it wants no part, saying it’s been singled out solely on the basis of where it is headquartered.
DHS did not immediately respond to a request for comment on Kaspersky Lab’s lawsuit.
Concerns Cited by DHS
When announcing the directive that bans Kaspersky Lab software from federal systems, officials voiced concerns that Kaspersky Lab has inappropriate ties to Russian intelligence and other government operations, that Russian law allows intelligence agencies to compel the company to assist them and that Russian intelligence agencies might eavesdrop on or intercept information collected by the company.
Another concern: “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” DHS said in a statement.
Officials have also cited as cause for concern the fact that Eugene Kaspersky graduated from a cryptography institute run by the Soviet Union’s KGB.
How AV Works
But security experts say that technically, anti-virus software must have deep access to systems, and that politically, concerns about ties between intelligence agencies and domestic cybersecurity vendors could apply to vendors from any country (see Surveying 17 Anti-Virus Firms on Their Security Practices).
Many of today’s top information security experts were trained at universities that have ties to intelligence agencies or worked for those intelligence agencies. That’s no surprise, since intelligence agencies tend to be on the leading edge of cryptographic research.
The U.S. government has not published any evidence that demonstrates that Kaspersky Lab colluded with the Russian government or that the Russian government interfered with its software or eavesdropped on telemetry data (see Kaspersky Lab Debate: Put Up or Shut Up).
Governments, however, are not generally in the business of publishing intelligence, because it could reveal sensitive sources and methods (see FBI Defends Sony Hack Attribution).
“That’s the thing about geopolitical infowars,” cryptographer Matthew Green at Johns Hopkins University has noted via Twitter. “They are not conducted in such a way that random people like us get evidence briefings.”
Founder and CEO Defends Company
Eugene Kaspersky and his firm have continued to deny any improper behavior, saying they would never help “any government in the world with its cyber espionage efforts.”
What to do when banned without evidence and the right to be heard? Well, we’re securing our rights by taking this to the courts. Why? We’ve done nothing wrong. https://t.co/uPmS0iy2qW
— Eugene Kaspersky (@e_kaspersky) December 18, 2017
Kaspersky Lab says it has continued to try to engage with the U.S. government, including reaching out to DHS in mid-July, offering “to provide any information or assistance concerning the company, its operations, or its products” that DHS might desire. It says DHS acknowledged the offer. But Kaspersky Lab said the next step by DHS was to issue the directive, to which the company says it submitted detailed, written responses on Nov. 10.
In its lawsuit, Kaspersky Lab alleges that the “administrative process” through which it was allowed to appeal the directive was inherently flawed, “because the company did not have the opportunity to see and contest the information relied upon by DHS before the issuance of the directive.”
Eugene Kaspersky has continued to offer to testify before Congress as well, and he was scheduled to do so before a House subcommittee on technology on Sept. 27. Lawmakers, however, indefinitely postponed the hearing (see 10 Reactions: Allegations Against Kaspersky Lab).