Last year, the US government made moves to ban the use of Kaspersky security software in federal agencies, claiming the company's ties to the Russian government represented a security risk. In September, the Department of Homeland Security issued an order that required federal departments and agencies to remove the company's software from their systems. Then, Congress passed and President Trump approved a bill -- the National Defense Authorization Act (NDAA) -- that also banned Kaspersky software from federal government use. Kaspersky subsequently filed two lawsuits combatting both bans, but a judge has now dismissed them.
CyberScoop reports that Colleen Kollar-Kotelly, US District Judge for the District of Columbia, rejected Kaspersky's claims that the bans were unconstitutional. Kaspersky argued that the NDAA inflicted an unconstitutional "punishment," but Judge Kollar-Kotelly disagreed. She said the act wasn't a punishment but instead, "eliminates a perceived risk to the nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation."
Further, because she dismissed the lawsuit against the NDAA, the suit against the Department of Homeland Security's order was rendered moot since the act would supercede any change to the order. "These defensive actions may very well have adverse consequences for some third-parties," she said in her opinion. "But that does not make them unconstitutional."
The NDAA's Kaspersky ban goes into effect on October 1st.
Update: Kaspersky Lab sent us the following statement about the ruling.
"Kaspersky Lab is disappointed with the court's decisions on its constitutional challenges to the US government prohibitions on the use of its products and services by federal agencies. We will vigorously pursue our appeal rights. Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding. Given the lack of evidence of wrongdoing by the company and the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community. Policy prohibiting the US government's use of Kaspersky Lab products and services actually undermines the government's expressed goal of protecting federal systems from the most serious cyber threats.
"We are fully transparent regarding our methods of work and through our Global Transparency Initiative, we invite concerned parties to review our various code bases, how we will create software updates and detection rules and how we will process customer data from North America and Europe, all verified by an independent third party.
"Kaspersky Lab strongly believes that open dialogue and cooperation can help all the parties to move forward and find the best ways to strengthen national and global cybersecurity policy and best practices. We believe that our expertise and threat intelligence makes the cyber world a safer place as we detect and neutralize all forms of advanced persistent threats, regardless of their origin or purpose."