In September, the US government mysteriously announced that it was banning Moscow-based Kaspersky Labs’ anti-virus software from use on its employees’ machines. A war of words, official and unofficial, has ensued and on Monday, Kaspersky filed a lawsuit claiming that its due process rights had been violated.
In a blog post, the company’s co-founder and CEO Eugene Kaspersky insisted that the Department of Homeland Security has repeatedly rejected his offers to clear up any confusion about his software, and in doing so it denied Kaspersky Labs’ right to due process before it issued an operational directive that was formalized by President Trump last week.
In the September 19, 2017, Federal Register notice announcing the issuance of Binding Operational Directive 17-01, DHS stated that Kaspersky Lab could initiate a review of the Directive by submitting written information, which the company did on November 10, 2017. However, this “administrative process” did not afford Kaspersky Lab due process under U.S. law because the company did not have the opportunity to see and contest the information relied upon by DHS before the issuance of the Directive. As I have said before, “genuine due process provides you with the opportunity to defend yourself and see the evidence against you before action is taken; it doesn’t ask you to respond once action is already underway.”
He went on to write that only a small percentage of Kaspersky Labs’ revenue comes from software liscensed to the US federal government, but “DHS’s actions have caused a disproportionate and unwarranted adverse impact on Kaspersky Lab’s consumer, commercial, and state, local, and education (“SLED”) business interests in the United States and globally.”
DHS has given little information to the public about its motivation for instituting the ban. Various media reports have indicated that Kaspersky has at least worked to help Russia’s intelligence agency, the FSB. Anonymous sources have told reporters that Isreali intelligence observed Russian agents using the software as a personal, and indicated that Kaspersky Labs collected classified documents from the machine of an NSA employee who had taken his work home without authorization. Kaspersky subsequently confirmed that its software had detected “an illegal Microsoft Office activation key generator,” on the NSA employee’s computer. It claimed that the employee had to disable the anti-virus software in order to activate pirated software, and its possible a third party pilfered the classified files while it was vulnerable.
Officially, DHS has been vague about its reasoning for the ban. In a statement, it has said, “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
Kaspersky published letters he’d sent to the Trump administration in July and August in which he offered to work with the US government to provide reassurances of his software’s integrity. He claims that despite his offer to share his source code, and the source code for any updates, he’s received no cooperation.
This entire episode has been quite confusing. It’s true that the US government has greater reason to be cautious about a Russia-based company gaining root access to its systems following the conclusion that Russia attempted to meddle in the 2016 election. But as the commander-in-chief refuses to admit that Russia did anything wrong, and has appeared to side with Putin’s denials, little has been done to prevent future security issues. In fact, Trump’s “election integrity” commission has only served to make voter’s personal information even more vulnerable to bad actors.
Kaspersky has insisted his company remains neutral when working with any government and that it treats all malware equally. The National Security Agency certainly has an axe to grind with Kaspersky Labs after it revealed the activities of The Equation Group, an elite hacking unit that has been tied to the NSA.
It’s tough to make heads or tales of this spook stuff, especially when the DHS refuses to release its evidence against Kaspersky. But if all goes well, a district court will soon weigh-in on whether or not the company’s rights have been violated.