Moscow-based software company Kaspersky Lab filed an appeal in federal court Dec. 18 challenging the Department of Homeland Security’s directive for federal agencies to remove its products from their networks.
Kaspersky’s lawsuit asserts a lack of due process in banning its products from government use and refutes DHS’ allegations of the company’s ties to Kremlin intelligence gathering efforts.
“The company did not undertake this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the directive,” Kaspersky officials wrote in a blog post Dec. 18. “DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.”
The binding operational directive, issued in September, gave federal agencies up to 90 days to remove Kaspersky products from their IT systems.
The issuance arrived after concerns were first raised in July by Rep. Lamar Smith (R-Texas), chairman of the House Science, Space and Technology (SST) Committee, that Kaspersky’s anti-virus software could be used to collect sensitive government information that could then be shared with Russian intelligence officials under the country’s communication laws.
The Russian software company argues it did not have a meaningful opportunity to state its case before the DHS directive was issued.
“Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cyber security and does little to address information security concerns related to government networks,” Kaspersky wrote.
The company references a July letter it sent to DHS offering to quell concerns on potential Kremlin ties, and states it received a response from Jeanette Manfra, assistant secretary of the department’s Office of Cybersecurity and Communications, in August.
Manfra’s letter mentioned the opportunity for communication with Kaspersky on this issue, but the company asserts the next communication it received from DHS was when the directive was issued in September.
During a November House SST Committee hearing, Manfra testified that 94 percent of agencies had reported their Kaspersky findings to DHS and 13 percent of those had found some instance of Kaspersky software on their systems.
A Kaspersky ban was also included in the National Defense Authorization Act for fiscal year 2018, which President Trump signed into law the week of Dec. 10.
“The company continues to welcome constructive and collaborative engagement with the U.S. government to address any concerns about its operations or its products, as it stated in its letter to DHS five months ago,” Kaspersky wrote.