This week, Kaspersky Lab filed an appeal in federal court challenging the U.S. Department of Homeland Security’s (“DHS”) Binding Operational Directive 17-01, which requires federal agencies and departments to remove the company’s products from federal information and federal information systems. The company did not undertake this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the Directive. DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.
About Kaspersky Lab
As a global cybersecurity company founded over 20 years ago, Kaspersky Lab has proudly called the United States home to its North American headquarters in Woburn, Massachusetts for over a decade. With nearly 300 employees in Massachusetts and throughout the country, Kaspersky Lab’s corporate mission is to protect its customers from cyber threats, regardless of their origin or purpose. The company submits its products and solutions for independent testing and assessment, consistently receiving more first place finishes and top 3 awards than any other cybersecurity vendor. Furthermore, the company collaborates with law enforcement, other IT security companies, and government organizations globally to combat cybercrime, providing technical assistance and forensic malware analysis, as well as world-renowned security research into cyberespionage and targeted attack campaigns.
Kaspersky Lab has a clear policy concerning the detection of malware: it detects and remediates any malware attack. There is no such thing as “right” or “wrong” malware for the company. Its research team has been actively involved in the discovery and disclosure of several malware attacks with links to nation-state and organized cybercrime organizations. Over the past decade, Kaspersky Lab has published in-depth research into some of the biggest cyberespionage and financially motivated cybercrime operations known to date. It does not matter which language the threat “speaks”: Russian, Chinese, Spanish, German, or English. The following list of threats, as reported by Kaspersky Lab’s Global Research and Analysis Team (“GReAT”), shows the different languages used in each case:
- Russian language: Moonlight Maze, RedOctober, CloudAtlas, Miniduke, CosmicDuke, Epic Turla, Penquin Turla, Turla, Black Energy, BTZ, Teamspy,Sofacy (aka Fancy Bear, APT28), CozyDuke (aka Cozy Bear, APT29)
- English language: Regin, Equation, Duqu 2.0,Lamberts, ProjectSauron
- Chinese language: IceFog, SabPub, Nettraveler,Spring Dragon, Blue Termite
- Spanish language: Careto/Mask, El Machete
- Korean language: Darkhotel, Kimsuky, Lazarus
- French language: Animal Farm
- Arabic language: Desert Falcons, Stonedrill and Shamoon
Kaspersky Lab’s Good Faith Efforts to Engage DHS
Kaspersky Lab fully supports DHS’s mission and mandate to secure federal information and federal information systems, which aligns with its own corporate mission of protecting customers from cyber threats, regardless of their origin or purpose. Given its longstanding commitment to transparency, the trustworthy development of its technologies and services, and cooperation with governments and the IT security industry worldwide, Kaspersky Lab reached out to DHS in mid-July as part of a good faith effort to address any concerns regarding the company, its operations, or its products. DHS confirmed receipt of Kaspersky Lab’s letter in mid-August, appreciating the company’s offer to provide said information and expressing interest in future communications with the company regarding this matter. Kaspersky Lab believed in good faith that DHS would take the company up on its offer to engage on these issues and hear from the company before taking any adverse action. However, there was no subsequent communication from DHS to Kaspersky Lab until the notification regarding the issuance of Binding Operational Directive 17-01 on September 13, 2017. The July and August communications are referenced below.
“Given Kaspersky Lab’s longstanding commitment to transparency, the trustworthy development of its technologies and solutions, and cooperation with governments worldwide and the IT security industry to combat cyber threats, we write to offer any information or assistance we can provide with regards to any Department investigation regarding the company, its operations, or its products.
…The integrity and assurance of our products and technologies remain our utmost priority, and we maintain that a deeper, collaborative examination of our company and its products will assuage any concerns.
Kaspersky Lab looks forward to working with the Department and its staff and welcomes further dialogue. Please contact *************** via email or phone to discuss how we might communicate more directly with you or your staff and explore ways we might work together to make cyberspace safer.”
Jeanette Manfra, on behalf of the (then-)Acting Secretary responded:
“Thank you for your letter of July 18, 2017 addressed to then-Secretary of Homeland Security John F. Kelly. The Acting Secretary has asked me to respond on her behalf.
We appreciate your offer to provide information to the Department about your company and its operations and products as well as to communicate with the Department about making cyberspace safer. We look forward to communicating with you further on this matter and receiving such information from you, and we appreciate your patience as we work through timing and logistical issues.
We will be in touch again shortly. Thank you again for your letter.”
Addressing DHS’s Binding Operating Directive 17-01
One of the foundational principles enshrined in the U.S. Constitution, which I deeply respect, is due process: the opportunity to contest any evidence and defend oneself before the government takes adverse action. Unfortunately, in the case of Binding Operational Directive 17-01, DHS did not provide Kaspersky Lab with a meaningful opportunity to be heard before the Directive’s issuance, and therefore, Kaspersky Lab’s due process rights were infringed.
In the September 19, 2017, Federal Register notice announcing the issuance of Binding Operational Directive 17-01, DHS stated that Kaspersky Lab could initiate a review of the Directive by submitting written information, which the company did on November 10, 2017. However, this “administrative process” did not afford Kaspersky Lab due process under U.S. law because the company did not have the opportunity to see and contest the information relied upon by DHS before the issuance of the Directive. As I have said before, “genuine due process provides you with the opportunity to defend yourself and see the evidence against you before action is taken; it doesn’t ask you to respond once action is already underway.”
Furthermore, DHS primarily relies upon uncorroborated media reports to support its assertion that Kaspersky Lab products present information security risks to government networks, not evidence of any wrongdoing by the company. DHS also cites technical arguments that apply to antivirus solutions generally, including broad levels of access and privileges to the systems on which the solutions operate, the use of cloud-based technologies to process malware samples and deploy detection signatures, and data collection and processing practices. These capabilities are not unique to Kaspersky Lab’s products, and if they are of concern, DHS could have taken action to address these issues holistically across the IT security industry instead of unfairly targeting a single company without any evidence of wrongdoing.
Despite the relatively small percentage of the company’s U.S. revenue attributable to active software licenses held by federal government entities, DHS’s actions have caused a disproportionate and unwarranted adverse impact on Kaspersky Lab’s consumer, commercial, and state, local, and education (“SLED”) business interests in the United States and globally. Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community. Its presence in Russia and the CIS region, its technical knowhow, and its linguistic expertise uniquely position the company to advance the fight against malware and protect its customers from cyber threats. These assets have enabled Kaspersky Lab to share cyber threat information and vulnerability research with various U.S. government entities, including constituent agencies in DHS, involved in protecting U.S. cyberspace. Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks.
In undertaking this action, Kaspersky Lab hopes to protect its rights under the U.S. Constitution and U.S. federal law, receive adequate due process, and repair the reputational and commercial damage caused by Binding Operational Directive 17-01. The company continues to welcome constructive and collaborative engagement with the U.S. government to address any concerns about its operations or its products, as it stated in its letter to DHS five months ago. Kaspersky Lab’s Global Transparency Initiative could serve as a mechanism for such dialogue. Regardless this action, Kaspersky Lab remains committed to continuing its mission and business of protecting customers in the United States and around the world from cyber threats by providing market leading anti-virus software, threat intelligence and analytics.