UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
KASPERSKY LAB, INC., et al.,
Plaintiffs
v.
Civil Action No. 17-2697 (CKK)
UNITED STATES DEPARTMENT OF
HOMELAND SECURITY, et al.,
Defendants
KASPERSKY LAB, INC., et al.,
Plaintiffs
v. Civil Action No. 18-325 (CKK)
UNITED STATES OF AMERICA,
Defendant
MEMORANDUM OPINION
(May 30, 2018)
The United States government’s networks and computer systems are extremely important
strategic national assets. Threats to these systems are constantly expanding and evolving. Their
security depends on the government’s ability to act swiftly against perceived threats and to take
preventive action to minimize vulnerabilities. These defensive actions may very well have
adverse consequences for some third-parties. But that does not make them unconstitutional.
Plaintiffs in the two lawsuits discussed in this Opinion represent Kaspersky Lab, a large
multinational cybersecurity company headquartered in Russia. At least until 2017, Kaspersky
Lab’s cybersecurity products were used to defend the networks and computer systems of a
number of United States federal government agencies. Amid growing concerns in early 2017
about malicious Russian cyber activity against the United States, government officials and
members of Congress began asking questions, and voicing concerns, about the presence of these
products on government systems. These concerns were based on the risk that the use of
1
Kaspersky Lab products to defend United States government computer systems could be
exploited by Russia, either with or without Kaspersky Lab’s consent, cooperation, or knowledge.
The concerns were fueled, in very summary form, by some combination of the following facts:
Kaspersky Lab products enjoy extremely broad access and elevated privileges within the
computer systems on which they are installed; Kaspersky Lab is headquartered in Russia;
Kaspersky Lab and its founder and Chief Executive Officer, Eugene Kaspersky, have close
connections to the Russian government and intelligence services; Kaspersky Lab products cycle
users’ data to the company’s servers that are based in (or accessible from) Russia; Kaspersky
Lab is subject to Russian laws that allow the Russian government to request or compel assistance
from Russian companies, and is also susceptible to non-legal forms of pressure from the Russian
government.
The apparent national security risk presented by federal government agencies using
Kaspersky Lab products eventually proved intolerable to both Executive Branch officials and
Congress. On September 13, 2017, the Department of Homeland Security (“DHS”) issued a
Binding Operative Directive (“BOD 17-01”) pursuant to the Federal Information Security
Modernization Act of 2014 (“FISMA”), that required all federal departments and agencies to
identify and, ninety days later, remove Kaspersky Lab products from their systems. That
directive was soon effectively superseded when Congress passed the National Defense
Authorization Act for Fiscal Year 2018 (“NDAA”), which contains a provision entitled
“Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab.” As its
title suggests, that provision prohibits all elements of the federal government from using any
Kaspersky Lab products or services.
2
Shortly after BOD 17-01 was finalized and the NDAA was signed into law, Kaspersky
Lab filed a lawsuit (17-cv-2697) claiming that the BOD violated the Administrative Procedures
Act (“APA”) and the Due Process Clause of the Fifth Amendment to the United States
Constitution (hereinafter the “BOD Lawsuit”). The BOD Lawsuit did not challenge the legality
of the NDAA’s prohibition on the use of Kaspersky Lab products. Months later, after this
omission became a point of contention regarding Plaintiffs’ standing in the BOD Lawsuit,
Plaintiffs filed a second lawsuit (18-cv-325) claiming that the NDAA’s prohibition was an
unconstitutional bill of attainder (hereinafter the “NDAA Lawsuit”).
These lawsuits are separate and distinct, but both are pending before this Court. The
Court is issuing this Opinion in both lawsuits, because there are motions pending in each that
present overlapping and interrelated issues. Those motions include: Defendant’s [10] Motion to
Dismiss the Complaint in the NDAA Lawsuit, Plaintiffs’ [19] Motion for Summary Judgment in
the BOD Lawsuit, and Defendants’ [21] Motion to Dismiss or Alternatively for Summary
Judgment in the BOD Lawsuit.
Having carefully reviewed the record, the pleadings, 1 and the relevant authorities, the
Court GRANTS Defendant’s Motion to Dismiss the NDAA Lawsuit. Plaintiffs have not
plausibly alleged that the NDAA constitutes a bill of attainder. A bill of attainder is “a law that
legislatively determines guilt and inflicts punishment upon an identifiable individual without
1
The Court’s consideration has focused on the following documents and their
attachments in the NDAA Lawsuit:
• Def.’s Mem. in Supp. of Mot. to Dismiss, ECF No. 10-1 (“Def.’s Mem.”);
• Pls.’ Mem. in Opp’n to Def.’s Mot. to Dismiss, ECF No. 11 (“Pls.’ Opp’n”);
• Def.’s Reply Mem. in Supp. of Mot. to Dismiss; ECF No. 12 (“Def.’s Reply”).
In an exercise of its discretion, the Court finds that holding oral argument in this action would
not be of assistance in rendering a decision. See LCvR 7(f).
3
provision of the protections of a judicial trial.” Nixon v. Adm’r of Gen. Servs., 433 U.S. 425, 468
(1977). The NDAA does not inflict “punishment” on Kaspersky Lab. It eliminates a perceived
risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one
small source of revenue for a large multinational corporation.
Having carefully reviewed the record, the pleadings, 2 and the relevant authorities, the
Court also GRANTS Defendants’ Motion to Dismiss the BOD Lawsuit for lack of standing.
Plaintiffs allege that BOD 17-01 causes them harm by depriving them of the ability to sell to the
United States federal government and by damaging their reputation. Even if the Court were to
rule in Plaintiffs’ favor in the BOD Lawsuit and order the rescission of BOD 17-01, these harms
would continue. The NDAA would remain on the books, preventing any federal government
agency from purchasing Kaspersky Lab products. It is true that the NDAA’s prohibition does
not become effective until October 1, 2018. However, government agencies have likely already
removed all Kaspersky Lab products from their systems as a result of BOD 17-01 and they know
that, regardless, all such products must be removed by the fast-approaching NDAA effective
date. Under these circumstances, it is completely implausible that any government entity would
purchase a Kaspersky Lab product before October 1st. Accordingly, the empty “right” to sell to
2
The Court’s consideration has focused on the following documents and their
attachments in the BOD Lawsuit:
• Pls.’ Mem. of Law in Supp. of Mot. for Summ. J., ECF No. 19-1 (“Pls.’ Mem.”);
• Defs.’ Mem. in Opp’n to Pls.’ Mot. for Summ. J. and in Support of Mot. to
Dismiss or, in the Alternative, for Summ. J., ECF Nos. 20, 21-1 (“Defs.’ Opp’n”);
• Pls.’ Reply in Supp. of Mot. for Summ. J. and in Opp’n to Defs.’ Mot. to Dismiss
or, in the Alternative, for Summ. J., ECF Nos. 22, 23 (“Pls.’ Reply and Opp’n”);
• Defs.’ Reply in Supp. of Mot. to Dismiss or, in the Alternative, for Summ. J., ECF
No. 24 (“Defs.’ Reply”).
In an exercise of its discretion, the Court finds that holding oral argument in this action would
not be of assistance in rendering a decision. See LCvR 7(f).
4
the federal government for the short period before October 1st that Plaintiffs could stand to gain
from success in the BOD Lawsuit lacks any concrete value. It is insufficient to confer standing.
An order rescinding the BOD would also not redress the alleged harm to Plaintiffs’ reputation as
a cybersecurity business because, according to Plaintiffs themselves, the NDAA independently
causes, at least, that same harm. Plaintiffs attempted to avoid this jurisdictional roadblock by
filing a separate lawsuit challenging the NDAA, but even if the later-filed NDAA Lawsuit had
any relevance to Plaintiffs’ standing in the BOD Lawsuit, that relevance has been eliminated by
its dismissal. Because the BOD Lawsuit is dismissed for lack of standing, the Court need not
reach the parties’ cross-motions for summary judgment.
I. BACKGROUND
A. The Threat of Russian Cyber-Attacks
An important context of Plaintiffs’ lawsuits, which neither party appears to dispute, is
that it is the assessment of the United States government that cyber-attacks, especially from
Russia, present a potent threat to critical United States infrastructure. As described by then-
Director of National Intelligence James R. Clapper in a statement to the Senate Armed Services
Committee in 2015, “[p]olitically motivated cyber-attacks are now a growing reality, and foreign
actors are reconnoitering and developing access to US critical infrastructure systems, which
might be quickly exploited for disruption if an adversary’s intent became hostile.” AR0106.
“[T]hose conducting cyber espionage are targeting US government, military, and commercial
networks on a daily basis.” Id. As current Director of National Intelligence Daniel R. Coats
recently stated in a similar report, “Russia is a full-scope cyber actor that will remain a major
threat to US Government, military, diplomatic, commercial, and critical infrastructure.”
AR0065. “Moscow has a highly advanced offensive cyber program, and in recent years, the
5
Kremlin has assumed a more aggressive cyber posture.” Id. “This aggressiveness was evident in
Russia’s efforts to influence the 2016 US election.” Id.
B. Kaspersky Lab and Eugene Kaspersky
Kaspersky Lab is a large cybersecurity company headquartered in Moscow. See Decl. of
Angelo Gentile, BOD Lawsuit ECF No. 19-3 (“Gentile Decl.”), ¶¶ 9-11. It sells products that
are intended to protect its customers’ computer systems against cyber-threats. Id. ¶ 9. The
company was founded in 1997 by Eugene Kaspersky, who serves as the company’s Chief
Executive Officer. Id. ¶ 11. Kaspersky Lab is a multinational corporation present in countries
throughout the world, but the particular Plaintiffs in the two lawsuits discussed in this Opinion
are Kaspersky Lab, Inc., a Massachusetts corporation that acts as the North American
headquarters for Kaspersky Lab, and Kaspersky Lab Limited, a U.K.-based holding company for
Kaspersky Lab entities. Id. ¶¶ 4, 9-11.
It is important to note that Kaspersky Lab does not sell its products exclusively to the
United States federal government. Id. ¶ 9. Far from it. To the contrary, “[o]ver 400 million
users—from governments to private individuals, commercial enterprise to critical infrastructure
owners and operators alike—utilize Kaspersky Lab technologies.” Id. ¶ 9. Indeed, only a tiny
fraction of Kaspersky Lab sales in the United States are to the federal government. Id. ¶ 15.
“Active licenses held by federal agencies in September 2017 had a total value (to Kaspersky Lab,
Inc. and the Company as a whole) of less than $54,000—approximately 0.03% of Kaspersky
Lab, Inc.’s annual U.S. sales at the time.” Id.
C. Early Concerns Voiced About Kaspersky Lab Products
Members of Congress and the Executive Branch began expressing concerns about the
government’s use of Kaspersky Lab products—and acting on those concerns—in, at least, early
6
2017. For example, during a March 2017 Senate hearing on Russian cyber activities, Senator
Marco Rubio of Florida cited a “long history” of open-source reporting connecting Kaspersky
Lab to Russian security services, and asked a panel of cybersecurity experts if they would feel
comfortable using Kaspersky Lab products on their devices. Although one of those experts
noted that “Kaspersky is not an arm of the Russian government,” another responded “no, I
wouldn’t, and I wouldn’t recommend that you do it either.” Disinformation: A Primer in Russian
Active Measures and Influence Campaigns, Panel II Before the S. Select Comm. on Intelligence,
115th Cong. 40 (Mar. 30, 2017). In April 2017, the Senate Select Committee on Intelligence
asked the Director of National Intelligence and the Attorney General to investigate Kaspersky
Lab’s ties to the Russian government. See Bolstering the Government’s Cybersecurity:
Assessing the Risks of Kaspersky Lab Products to the Federal Government Before the H. Comm.
on Science, Space, and Technology, 115th Cong. 33 (Oct. 25, 2017). That same month, two
Congressmen introduced a bill describing Kaspersky Lab as “a company suspected of having ties
with the Russian intelligence services and later caught up in a Russian espionage investigation.”
H.R. Con. Res. 47, 115th Cong. (2017). In May 2017, six United States intelligence directors,
including the directors of the Central Intelligence Agency (“CIA”) and the National Security
Agency (“NSA”), told the Senate Select Committee on Intelligence that they would not be
comfortable using Kaspersky Lab products on their computers. See Hearing on Worldwide
Threats Before the S. Select. Comm. on Intelligence, 115th Cong. (May 11, 2017),
https://www.intelligence.senate.gov/hearings/open-hearing-worldwide-threats-hearing-0. NSA
Director Michael Rogers said that he was “personally involved” in monitoring the Kaspersky
Lab issue, and then-CIA Director Michael Pompeo acknowledged that concerns about Kaspersky
Lab products “ha[d] risen to the director” level at the CIA. Id.
7
Throughout the summer of 2017, lawmakers continued to raise concerns about the
presence of Kaspersky Lab products on federal government systems in at least three other
committee hearings in the House and the Senate. See Bolstering the Government’s
Cybersecurity: Lessons Learned from Wannacry Before H. Comm. on Science, Space, and
Technology, 115th Cong. (June 15, 2017); Russian Interference in the 2016 U.S. Elections Before
S. Select Comm. on Intelligence, 115th Cong. (June 21, 2017); Help or Hindrance? A Review of
SBA’s Office of the Chief Information Officer Before the H. Comm. on Small Business, 115th
Cong. (July 12, 2017). In July 2017, Congressman Lamar Smith, Chairman of the House
Science Committee, sent a letter to various federal agencies requesting information about their
use of Kaspersky Lab software and expressing concern that the company’s products were
“susceptible to manipulation by the Russian government.” AR0557-58. Also in July 2017, the
General Services Administration (“GSA”) removed Kaspersky Lab as a pre-approved vendor for
contracts. AR0017.
D. Communications Between Kaspersky Lab and DHS Prior to BOD 17-01
On July 18, 2017, amidst this growing consensus that the use of Kaspersky Lab products
to defend federal systems posed national security risks, Eugene Kaspersky wrote then-Secretary
of Homeland Security John F. Kelly a letter “offer[ing] any information or assistance we can
provide with regard to any Department investigation regarding the company, its operations, or its
products.” AR0749. The letter generally extolled Kaspersky Lab’s integrity and sought to
assure Secretary Kelly that the company had no ties with the Russian government and has not,
and would not, assist any government with cyber-espionage efforts. Id. Mr. Kaspersky offered
to make himself available to DHS, the Senate Select Committee on Intelligence, or any other
committees or agencies conducting any relevant investigations. Id.
8
DHS responded by letter on August 14, 2017, thanking Mr. Kaspersky for offering to
provide information, stating that DHS looked forward to communicating with him further, and
indicating that DHS “will be in touch again shortly.” AR0940.
E. BOD 17-01
Much to Plaintiffs’ dismay, the next they heard from DHS was on September 13, 2017,
when, pursuant to her authority under FISMA, Acting DHS Secretary Elaine C. Duke issued
BOD 17-01, entitled “Removal of Kaspersky-Branded Products.” AR0633-35.
A very brief explanation of BODs generally is necessary here. Pursuant to FISMA,
federal agencies are required, under the supervision of the Director of the Office of Management
and Budget and the Secretary of Homeland Security, to establish and implement their own
policies, principles, standards and guidelines on information security. 44 U.S.C. § 3554(b)
(“Each agency shall develop, document, and implement an agency-wide information security
program to provide information security for the information and information systems that
support the operations and assets of the agency.”). As particularly relevant to this case, FISMA
provides that “[t]he Secretary, in consultation with the Director, shall administer the
implementation of agency information security policies and practices for information systems,”
including by “developing and overseeing the implementation of binding operational directives to
agencies.” 44 U.S.C. § 3553(b)(2). A binding operational directive, or BOD, is “a compulsory
direction to an agency that (A) is for purposes of safeguarding Federal information and
information systems from a known or reasonably suspected information security threat,
vulnerability, or risk; (B) shall be in accordance with policies, principles, standards, and
guidelines issued by the Director; and (C) may be revised or repealed by the Director if the
direction issued on behalf of the Director is not in accordance with policies and principles
9
developed by the Director.” Id. § 3552(b)(1). In other words, BODs are used to address
suspected threats, vulnerabilities, or risks to federal information systems. In this way, the BOD
is a tool that gives the DHS Secretary the ability to take swift action based on predictive
judgments to address constantly evolving cyber-threats.
BOD 17-01 in particular required all federal departments and agencies to take three
actions: (1) within 30 days of the issuance of the BOD (October 13, 2017), all agencies were
required to identify the use or presence of Kaspersky-branded products on all federal information
systems and report this information to DHS; (2) within 60 days (November 12, 2017), all
agencies were required to develop and provide to DHS a plan for removing and discontinuing
present and future use of all Kaspersky-branded products beginning 90 days after the issuance of
the BOD; and (3) within 90 days (December 12, 2017), unless otherwise directed, all agencies
were required to begin implementing their plan and provide DHS a status report on that
implementation every 30 days thereafter until full removal and discontinuance of Kaspersky-
branded products was achieved. AR0634-35. “Kaspersky-branded products” were defined as
“information security products, solutions, and services supplied, directly or indirectly, by AO
Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.”
AR0634. BOD 17-01 exempted from its scope “national security systems” and certain other
systems operated by the Department of Defense and the intelligence community. AR0633.
The BOD itself stated that “DHS, in consultation with interagency partners, ha[d]
determined that the risks presented by Kaspersky-branded products justif[ied] the issuance of”
the BOD, AR0633, and a “Decision Memorandum” accompanying the BOD explained the
reasoning underlying that determination. The Acting Secretary stated that she had issued the
BOD because, based on the evidence presented to her by the Assistant Secretary for Cyber
10
Security and Communications, she had concluded that Kaspersky-branded products on federal
information systems presented a known or reasonably suspected information security threat,
vulnerability, and risk to federal information and information systems. AR0628-29. That
conclusion was based primarily on the following factors: (1) Kaspersky-branded products were
currently being used by federal agencies, and Kaspersky Lab intended to expand its sale of those
products to federal agencies in the near future; (2) anti-virus products like Kaspersky Lab’s enjoy
broad access to files and elevated privileges on the systems on which they are used that can be
exploited by malicious cyber-actors; (3) data of those using Kaspersky Lab products is
transferred automatically from their computers to Kaspersky Lab servers (which are either
located in Russia or accessible from Russia); (4) Russia has engaged in, and will likely continue
to engage in, malicious cyber-activities against United States government information systems;
(5) Kaspersky Lab and Kaspersky Lab officials have ties to the Russian government, and
specifically to its intelligence services; and (6) Russian legal provisions allow Russian
intelligence services to request or compel assistance from companies like Kaspersky Lab and to
intercept communications transiting Russian networks. AR0629-30.
The BOD was not based on a determination that Kaspersky Lab was disloyal or guilty of
any wrongdoing. Acting Secretary Duke explained that the “crux” of the threat addressed by the
BOD was “the ability of the Russian government, whether acting on its own or through
Kaspersky, to capitalize on access to federal information and information systems provided by
Kaspersky-branded products.” AR0629. “These risks,” she noted, “exist regardless of whether
Kaspersky-branded products already have been used by Kaspersky or the Russian Government
for malicious purposes.” Id. Her determination was supported by the unclassified information
11
presented to her, although she noted that she had reviewed classified information as well that
provided further support for her action. AR0631.
BOD 17-01 was supported by a considerable administrative record. Most relevant for the
purposes of this Opinion is a September 1, 2017, memorandum prepared for Acting Secretary
Duke by the Assistant Secretary for Cyber Security and Communications, Jeanette Manfra,
which outlined much of the publically available information underlying concerns about
Kaspersky Lab products. AR0003-23. The memo stated that “DHS cybersecurity experts in the
National Protection and Programs Directorate, in consultation with interagency partners, agree
that Kaspersky-branded products present known or reasonably suspected information security
risks to federal information and information systems.” AR0004. More specifically, the memo
stated that:
BOD 17-01 is based on expert judgment about threats to U.S.
national security. The danger stems in part from the inherent
properties of anti-virus software, which operates with broad file
access and elevated privileges. Such access and privileges can be
exploited by a malicious cyber actor such as Russia, which has
demonstrated the intent to target the U.S. government and the
capability to exploit vulnerabilities in federal information systems.
Kaspersky or the Russian government could use this software to
engage in a wide range of malicious cyber activities against federal
information and information systems, including exfiltrating files,
modifying data, or installing malicious code, with potentially grave
consequences for U.S. national security. These actions could take
place because of a range of factors, including Russian laws that
authorize the Russian Federal Security Service (“FSB”) to compel
Russian enterprises to assist the FSB in the execution of FSB duties,
to second FSB agents to Russian enterprises (with the enterprise’s
consent), and to require Russian companies to include hardware or
software needed by the FSB to engage in “operational/technical
measures.” Kaspersky also relies on the FSB for needed business
licenses and certificates, and the FSB could condition the granting
of such approvals on Kaspersky’s cooperation. Finally, Russian law
allows the FSB to intercept all communications transiting Russian
telecommunications and Internet Service Provider networks, which
presumably includes data transmissions between Kaspersky and its
12
U.S. government customers. Because of these known or reasonably
suspected risks to federal information and information systems,
which directly implicate U.S. national security, this memorandum
recommends that you exercise your authority to issue BOD 17-01.
Id. The Assistant Secretary’s memo goes on to explain these concerns in far more detail than the
Court will recount in this Opinion. However, certain of her findings warrant emphasis. First,
according to a report prepared by the National Cybersecurity and Communications Integration
Center (“NCCIC”), anti-virus products generally, and Kaspersky Lab products specifically,
present unique security risks. AR0007. Because these products are intended to defend against
cyber-threats, they require the highest level of privileges and access on the systems on which
they are installed. Id. Those privileges may allow them to extract files and send them to
company servers and may permit the interception of otherwise-encrypted communications. Id.
Moreover, because these products are themselves supposed to defend the systems on which they
are installed from malicious activities, they can be modified to intentionally not identify
malicious files. Id. They can also be used to install malicious code under the guise of a security
update, extract a file of interest under the pretext that it needs to be inspected for malware, or
simply decline to install security updates that are needed. AR0008. In other words, if
compromised, cybersecurity products like Kaspersky Lab’s could end up being the proverbial
fox guarding the hen house.
Also warranting brief mention here is the memorandum’s analysis of Kaspersky Lab’s
ties to the Russian government and intelligence agencies (including Eugene Kaspersky’s
personal ties). These include, among other things, reports that Kaspersky Lab has certificates
and licenses from the Federal Security Service (“FSB”), a Russian intelligence service, that
suggest a close relationship between Kaspersky Lab and that organization, as well as reports that
Eugene Kaspersky, who graduated from an institute that was sponsored by the KGB and
13
previously worked for the Russian Ministry of Defense, maintains close personal ties with
Russian intelligence officers. AR0011-13. Other Kaspersky Lab leaders have similar pedigrees.
AR0013.
In addition to citing the above facts as her basis for concern that Kaspersky Lab products
posed a cybersecurity risk on federal systems, Acting Secretary Duke also explained her
reasoning for using a BOD to address this risk as opposed to a “debarment” process under the
Federal Acquisition Regulation (“FAR”). AR0631. She concluded that debarment would not be
effective because “debarment would affect only future contracts for a finite period; it would not
require federal agencies to remove products previously purchased and installed on federal
networks, and thus would not address current information security risks to federal information
systems.” Id. Debarment also would allow third parties to continue selling Kaspersky Lab
products to the federal government, and would allow agencies to continue contracts in existence
at the time the contractor was debarred. Id. For those reasons, the Acting Secretary determined
that debarment would not remove the threat DHS (and others) had identified because it would
not completely remove Kaspersky Lab products from federal information systems. Id. 3
The BOD established an administrative process for the submission and consideration of
comments on the removal of Kaspersky-branded products before that removal took place 90 days
thereafter. AR0630. On the same day that BOD 17-01 was issued, Acting Secretary Duke also
sent Eugene Kaspersky a letter informing him of the BOD and providing him “an opportunity to
provide [DHS] with any information that [he thought was] relevant to [her] ongoing
3
Both the Acting Secretary’s Decision Memorandum and the Assistant Secretary’s
memorandum addressed “contrary evidence” or arguments that Kaspersky Lab had publicly
made regarding the integrity of its products, and explained why those arguments were not
persuasive. AR0630; AR0019-23.
14
deliberations concerning [Kaspersky Lab’s] products and services.” AR0637-38. The letter
informed Mr. Kaspersky that he could initiate a review by DHS by providing the Department
with a written response to the BOD and supporting evidence. Id. DHS also published a notice in
the Federal Register that explained the actions required by BOD 17-01, and gave any entity
whose commercial interests were directly impacted by the BOD an opportunity to respond,
provide additional information, and initiate a review by DHS. AR0639-46. Mr. Kaspersky and
other entities that wanted to respond were given 45 days to do so, and informed that a decision
by the Secretary regarding their responses would be communicated to them in 85 days. AR0639,
646.
F. Congressional Scrutiny of Kaspersky Lab Continues
In the meantime, Congress continued to deliberate about the risks presented by the
reliance on Kaspersky Lab products to defend federal systems. In October 2017, the House
Science Committee held investigative hearings on the federal government’s use of Kaspersky
Lab products, and the implementation of BOD 17-01. See, e.g., Bolstering the Government’s
Cybersecurity: Assessing the Risks of Kaspersky Lab Products to the Federal Government
Before the H. Comm. on Science, Space, and Technology, 115th Cong. 33 (Oct. 25, 2017). The
BOD itself was discussed, as were the major issues raised by DHS about Kaspersky Lab
products in the BOD proceedings, including, among other things, Kaspersky Lab and Eugene
Kaspersky’s ties to Russia and their susceptibility to exploitation by the Russian government.
On October 31, 2017, the House Science Committee issued a report about the risks presented by
the presence of Kaspersky Lab products on federal government systems and concluded that
“Congress must take aggressive actions to support and assure a fundamentally different approach
to cybersecurity that addresses the magnitude and nature of growing threats.” H.R. Rep. No.
15
115-376, at 4 (Oct. 31, 2017); see also Decl. of Ryan P. Fayhee, ECF No. 19-4 (“Fayhee Decl.”),
Ex. D (transcript from November 2017 House Subcommittee on Oversight hearing regarding the
implementation of BOD 17-01).
G. Kaspersky Lab Responds to the BOD
Kaspersky submitted a lengthy response to BOD 17-01 on November 10, 2017.
AR0647-745; see also AR0746-48 (granting Kaspersky Lab a one-week extension of time to
submit their response). According to Plaintiffs, the submission “rebutted at length the legal
arguments and factual allegations levied against Plaintiffs, corrected many misunderstandings
apparently held by DHS and perpetuated by the cited news reports, and highlighted the
deficiencies in the administrative process offered by DHS.” Pls.’ Mem. at 9. The submission
argued, among other things, that Kaspersky Lab had no improper relationship with the Russian
government; that there was no evidence that Kaspersky Lab had engaged in any wrongdoing or
posed any more risk than similarly situated companies; that the BOD was based on
uncorroborated and anonymous sources; that the administrative procedure surrounding the
issuance of the BOD and for responding to the BOD was insufficient; and that the BOD violated
Kaspersky Lab’s equal protection and due process rights. Id. No other entity submitted a
response to the BOD. AR0755.
On November 29, 2017, Kaspersky Lab officials and their counsel met with DHS
officials to discuss BOD 17-01. See Fayhee Decl. ¶ 6. DHS officials had declined to meet with
Kaspersky Lab until after their written response to the BOD was submitted. AR0746-68. At the
November 29, 2017 meeting, “Plaintiffs responded to a number [of] questions from DHS
attorneys regarding the Kaspersky Lab Submission.” Fayhee Decl. ¶ 6. The meeting included a
discussion of the company’s submission and numerous related topics, including “Kaspersky’s
16
corporate structure,” “the alleged effects to the company’s business,” “the NDAA,”
“Kaspersky’s intention not to target federal business,” and “mitigation proposals.” AR0755.
H. Final Decision on BOD 17-01
On December 6, 2017, Acting Secretary Duke issued a “Final Decision” on BOD 17-01.
AR0934-37. She stated that the Department had “closely reviewed the Kaspersky Submission,”
“met with Kaspersky and its counsel,” “identified additional statements made by Kaspersky from
public sources, obtained information from agencies pursuant to the BOD 17-01 reporting
requirements, and received a report on relevant provisions of Russian law prepared by Professor
Peter Maggs of the University of Illinois College of Law, as well as a supplemental Assessment
from the [NCCIC].” AR0935. Secretary Duke stated that “the information obtained by DHS
since issuance of the BOD [did] not meaningfully impact, and indeed further support[ed], the
information security and national security determination that [she] made in issuing the BOD.”
AR0934. Accordingly—relying on the reasons explained in the preceding DHS memoranda—
the Acting Secretary stated that her determination that Kaspersky-branded products presented a
known or reasonably suspected information security threat, vulnerability, or risk to federal
information and information systems remained unchanged, and that she maintained BOD 17-01
without modification. AR0935. Acting Secretary Duke sent a letter to Mr. Kaspersky notifying
him of her decision the day it was issued. AR0938.
The reasoning underlying the Final Decision was explained further in a memorandum
from Assistant Secretary Manfra. AR0752-76. That memorandum indicated that fourteen
federal government agencies had reported identifying Kaspersky-branded products on their
information systems. AR0756. Some of those agencies had, on their own initiative, already
removed those products prior to the 90-day deadline under BOD 17-01. Id. This was done of
17
the agencies’ own accord, pursuant to their own agency risk management responsibilities under
FISMA. Id. DHS did not advise those agencies to remove the products before the BOD’s 90-
day deadline. Id. All other agencies had submitted plans to remove Kaspersky Lab products, but
had not yet implemented them. Id.
This memorandum also discussed the report on Russian law prepared by Professor Peter
Maggs. AR0756; see also AR0777-821 (Report of Peter B. Maggs). Professor Maggs had
prepared a report that, the memorandum indicated, supported DHS’s view of Russian law and
provided additional support for DHS’s Russian law-related concerns (i.e., that under Russian
law, the FSB could use companies like Kaspersky Lab with or without their consent). Id. The
memorandum also contained approximately 18 pages of detailed responses to the arguments in
Kaspersky Lab’s response to BOD 17-01, explaining why those arguments were not persuasive
to DHS. AR0757-75. In conclusion, the Assistant Secretary stated that, “the totality of the
administrative record,” including Kaspersky Lab’s submission, “presents a compelling picture of
the various ways that the Russian Government, and particularly the FSB intelligence agency, can
compel, request, and otherwise exploit the access provided by Kaspersky-branded products to the
information and information systems of Kaspersky customers, including U.S. government
customers.” AR0775.
I. The National Defense Authorization Act for Fiscal Year 2018
Almost immediately after the BOD was finalized, it was effectively superseded by an act
of Congress. On the heels of DHS’s proceedings, Congress passed, and President Donald J.
Trump signed into law, the NDAA. See PL 115-91, 2017 HR 2810, PL 115-91, December 12,
2017, 131 Stat 1283. In very summary terms, the NDAA is a law that authorizes appropriations
and sets policies for Department of Defense programs and activities.
18
The relevant portion of the NDAA for the purposes of this Opinion is Section 1634.
Section 1634 falls within Subtitle C of the Act, entitled “Cyberspace-Related Matters.” Section
1634(c) requires the Secretary of Defense, in consultation with other agencies, to conduct a
review of procedures for removing suspect products and services from federal information
technology networks and to submit a report to Congress on the same. Section 1634(a) focuses
on Kaspersky Lab products. It states that “[n]o department, agency, organization, or other
element of the Federal Government may use, whether directly or through work with or on behalf
of another department, agency, organization, or element of the Federal Government, any
hardware, software, or services developed or provided, in whole or in part, by—(1) Kaspersky
Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common
control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.”
Id. § 1634(a). Section 1634(b) sets October 1, 2018, as the effective date for the prohibition. Id.
§ 1634(b).
This prohibition is broader in scope than BOD 17-01 in two ways. First, it applies to all
Kaspersky Lab products (hardware, software, and services), whereas the BOD only applied to a
smaller subset of “Kaspersky-branded products.” Second, unlike BOD 17-01, the NDAA does
not have any carve outs or exceptions for national security systems or other systems used by the
Department of Defense or the intelligence community.
As initially introduced, the NDAA did not contain a provision regarding Kaspersky Lab
products. An amendment to the Act adding a prohibition on the use of Kaspersky Lab products
was first introduced by Senator Jeanne Shaheen of New Hampshire. A Senate Armed Services
Committee executive summary described the amendment as a response to “reports that the
19
Moscow-based company might be vulnerable to Russian government influence.” NDAA FY
2018, U.S. Senate Armed Services Committee, at 10, https://www.armed-services.senate.
gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf. Senator Shaheen’s proposed
prohibition appears to have attracted bipartisan support in Congress and grown broader before it
was eventually passed into law as Section 1634.
Plaintiffs’ lawsuits cite certain statements Senator Shaheen made to the public regarding
the proposed prohibition and Kaspersky Lab generally around the time that the amendment was
introduced and adopted. On September 4, 2017, the New York Times published an editorial
authored by Senator Shaheen, in which she asserted that the use of Kaspersky Lab products by
federal agencies created a “threat” of Russian cyber-interference, and that she was proposing an
amendment to bar federal government use of those products “to close this alarming national
security vulnerability.” See Compl., Ex. C, NDAA ECF No. 1-3. In addition, in a September 18,
2017, press release, issued after an amendment to the NDAA barring the use of Kaspersky Lab
products passed in the Senate, Senator Shaheen stated that “[t]he case against Kaspersky Lab is
overwhelming.” See Compl., Ex. E, NDAA ECF No. 1-5. She continued:
The strong ties between Kaspersky Lab and the Kremlin are
alarming and well-documented. I’m very pleased that the Senate has
acted in a bipartisan way on my amendment that removes a real
vulnerability to our national security. I applaud the Trump
administration for heeding my call to remove Kaspersky Lab
software from all federal computers. It’s important that this
prohibition also be a part of statute and be expanded to the entire
federal government, as my amendment would do. Considering the
20
strong bipartisan, bicameral support for this proposal, I’m optimistic
this will soon be signed into law.
J. Plaintiffs’ Lawsuits and Procedural History
Plaintiffs Kaspersky Lab Inc. and Kaspersky Labs Limited have filed two related but
separate lawsuits. One, the BOD Lawsuit, was filed on December 18, 2017, shortly after the
BOD was finalized and the NDAA was signed into law. See Compl., BOD ECF No. 1.
Plaintiffs allege in that suit that the BOD and the Final Decision confirming the BOD violate the
APA and Plaintiffs’ Fifth Amendment right to due process. Id. ¶¶ 1, 20. The lawsuit does not
challenge the NDAA.
On January 17, 2018, Plaintiffs filed an Application for Preliminary Injunction in the
BOD Lawsuit. See Pls.’ App. for Preliminary Injunction, BOD ECF No. 10. Upon receipt of
that Application, the Court immediately held a teleconference on the record with the parties to
set a briefing schedule. Defendants then filed an opposition to that Application wherein they
argued, in part, that Plaintiffs lacked standing. See Defs.’ Mem. in Opp’n to Pls.’ App. for
Prelim. Inj., BOD ECF No. 13, at 14-27. Because the BOD Lawsuit left the NDAA’s complete
prohibition of Kaspersky Lab products unchallenged, Defendants argued that even if Plaintiffs
were successful in obtaining the rescission of BOD 17-01, their alleged harms would not be
redressed. Id.
In an apparent effort to rebut this argument, on the same day that Plaintiffs filed their
reply in support of their Application for Preliminary Injunction in the BOD Lawsuit, they also
filed the NDAA Lawsuit. See Compl., NDAA ECF No. 1. That suit claims that Sections
1634(a) and (b) of the NDAA constitute an unconstitutional bill of attainder. Id. ¶ 4.
After these filings, the Court issued a Minute Order giving Defendants in the BOD
Lawsuit an opportunity to file a sur-reply addressing the legal relevance of the newly-filed
21
NDAA lawsuit to Plaintiffs’ request for a preliminary injunction in the BOD Lawsuit. See Feb.
13, 2018 Min. Order. The Court also gave Plaintiffs an opportunity to withdraw their
preliminary injunction application in lieu of pursuing an expedited summary judgment briefing
schedule. 4 Id. Plaintiffs subsequently did withdraw their application. See Pls.’ Notice of
Withdrawal, BOD ECF No. 16. The Court then consolidated the BOD Lawsuit and the NDAA
Lawsuit “solely for the purpose of briefing an upcoming round of dispositive motions,” including
cross-motions for summary judgment and a motion to dismiss in the BOD Lawsuit and a motion
to dismiss in the NDAA Lawsuit.” See Feb. 16, 2018 Order, BOD ECF No. 17, NDAA ECF No.
7. Those motions have now been fully briefed and are ripe for resolution.
II. LEGAL STANDARDS
A. Motion to Dismiss for Lack of Jurisdiction
When a motion to dismiss a complaint under Federal Rule of Civil Procedure 12(b)(1) is
filed, a federal court is required to ensure that it has “the ‘statutory or constitutional power to
adjudicate [the] case[.]’” Morrow v. United States, 723 F. Supp. 2d 71, 77 (D.D.C. 2010)
(emphasis omitted) (quoting Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 89 (1998)).
“Federal courts are courts of limited jurisdiction” and can adjudicate only those cases or
controversies entrusted to them by the Constitution or an act of Congress. Kokkonen v.
4
As the Court discussed with the parties, there is a troubling trend in APA cases whereby
plaintiffs are routinely filing preliminary injunction motions simply to “jump the queue” and
have the Court consider the merits of their claims immediately. There are certainly instances
where such motions are necessary and appropriate to prevent an impending injury, but
increasingly these “emergency” motions are being filed simply because the plaintiff is aggrieved
by an agency decision and wants the Court to focus its attention on its claims immediately, at the
expense of the claims of other litigants. This practice is strongly discouraged. See Am.
Bioscience, Inc. v. Thompson, 269 F.3d 1077, 1084 n.8 (D.C. Cir. 2001) (warning against the use
of preliminary injunction motions in APA cases); Emily’s List v. Fed. Election Comm’n, 362 F.
Supp. 2d 43, 53 (D.D.C.), aff’d, 170 F. App’x 719 (D.C. Cir. 2005) (“the preliminary injunction
stage is not the appropriate time to consider the merits of Plaintiff’s substantive APA claims.”).
22
Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994). In determining whether there is
jurisdiction on a motion to dismiss, the Court may “consider the complaint supplemented by
undisputed facts evidenced in the record, or the complaint supplemented by undisputed facts plus
the court’s resolution of disputed facts.” Coal. for Underground Expansion v. Mineta, 333 F.3d
193, 198 (D.C. Cir. 2003) (citations omitted). “Although a court must accept as true all factual
allegations contained in the complaint when reviewing a motion to dismiss pursuant to Rule
12(b)(1),” the factual allegations in the complaint “will bear closer scrutiny in resolving a
12(b)(1) motion than in resolving a 12(b)(6) motion for failure to state a claim.” Wright v.
Foreign Serv. Grievance Bd., 503 F. Supp. 2d 163, 170 (D.D.C. 2007) (citations omitted).
B. Motion to Dismiss for Failure to State a Claim
Under Rule 12(b)(6), a party may move to dismiss a pleading on the grounds that it
“fail[s] to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). “[A]
complaint [does not] suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual
enhancement.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly,
550 U.S. 544, 557 (2007)). Rather, a complaint must contain sufficient factual allegations that, if
accepted as true, “state a claim to relief that is plausible on its face.” Twombly, 550 U.S. at 570.
“A claim has facial plausibility when the plaintiff pleads factual content that allows the court to
draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556
U.S. at 678. “In determining whether a complaint fails to state a claim, [the Court] may consider
only the facts alleged in the complaint, any documents either attached to or incorporated in the
complaint and matters of which [the Court] may take judicial notice,” such as facts in the public
record. E.E.O.C. v. St. Francis Xavier Parochial Sch., 117 F.3d 621, 624 (D.C. Cir. 1997). 5
5
The Court has taken judicial notice of all of the public records discussed in this Opinion.
23
III. DISCUSSION
The Court’s Opinion will be divided into two parts. The first part addresses Defendant’s
motion to dismiss the NDAA Lawsuit on the grounds that Sections 1634(a) and (b) of the NDAA
do not constitute legislative punishment, and therefore are not a bill of attainder. The second part
of the Court’s Opinion addresses Defendants’ motion to dismiss the BOD Lawsuit on the
grounds that Plaintiffs lack standing to challenge BOD 17-01. Defendants argue that the harms
that this agency action allegedly causes Plaintiffs are independently caused by the NDAA, which
will remain “on the books” even if the BOD is rescinded, rendering the outcome of the BOD
Lawsuit meaningless. The Court agrees with Defendants and will dismiss both lawsuits. It
accordingly need not reach the parties’ cross-motions for summary judgment in the BOD
Lawsuit.
A. The NDAA Lawsuit
Plaintiffs claim that Sections 1634(a) and (b) of the NDAA constitute a bill of attainder in
violation of Section 9 of Article I of the United States Constitution. That Section states that
“[n]o Bill of Attainder or ex post facto Law shall be passed.” U.S. Const. art. I, § 9, cl. 3 (the
“Bill of Attainder Clause”). A bill of attainder is “a law that legislatively determines guilt and
inflicts punishment upon an identifiable individual without provision of the protections of a
judicial trial.” Nixon, 433 U.S. at 468. “Under the now prevailing case law, a law is prohibited
under the bill of attainder clause ‘if it (1) applies with specificity, and (2) imposes punishment.’”
Foretich v. United States, 351 F.3d 1198, 1217 (D.C. Cir. 2003) (quoting BellSouth Corp. v.
F.C.C., 162 F.3d 678, 683 (D.C. Cir. 1998) (“BellSouth II”)); see also United States v. Brown,
381 U.S. 437, 447 (1965) (explaining that the Bill of Attainder Clause bars “legislative
punishment, of any form or severity, of specifically designated persons or groups”). “Both
24
‘specificity’ and ‘punishment’ must be shown before a law is condemned as a bill of attainder.”
Foretich, 351 F.3d at 1217. Defendant appears to concede the specificity element—the heart of
the parties’ dispute is about punishment.
1. Specificity
The first requirement of any bill of attainder is that it be specific. That is, the law must
apply with specificity to only a designated person or group. “The element of specificity may be
satisfied if the statute singles out a person or class by name or applies to ‘easily ascertainable
members of a group.’” Hettinga v. United States, 677 F.3d 471, 477 (D.C. Cir. 2012)
(quoting Foretich, 351 F.3d at 1217).
Defendant does not contend in its Motion to Dismiss that Sections 1634(a) and (b) lack
the requisite specificity. See Def.’s Mem. at 11 (“Even assuming Kaspersky can demonstrate
that Section 1634 satisfies the specificity requirement . . . ”). Accordingly, for the purposes of
this Opinion, the Court will assume that the specificity requirement is satisfied. Given that the
NDAA expressly singles out Kaspersky Lab by name, this assumption appears to be a sound one.
2. Punishment
Specificity alone, however, “does not render a statute an unconstitutional bill of
attainder.” Foretich, 351 F.3d at 1217. The law must also inflict “punishment.” Id. Many laws
apply with specificity. It is the inflicting of “punishment” that is the “principal touchstone” of a
bill of attainder. Id. at 1218.
“In deciding whether a statute inflicts forbidden punishment,” the Supreme Court has
“recognized three necessary inquiries: (1) whether the challenged statute falls within the
historical meaning of legislative punishment [the “Historical Test”]; (2) whether the statute,
‘viewed in terms of the type and severity of burdens imposed, reasonably can be said to further
25
nonpunitive legislative purposes’ [the “Functional Test”]; and (3) whether the legislative record
‘evinces a congressional intent to punish’ [the “Motivational Test”].” Selective Serv. Sys. v.
Minnesota Pub. Interest Research Grp., 468 U.S. 841, 852 (1984) (quoting Nixon, 433 U.S. at
473, 475-76, 478). These three tests are each “independent—though not necessarily decisive—
indicator[s] of punitiveness.” Foretich, 351 F.3d at 1218. They “are considered independently,
and are weighed together to resolve a bill of attainder claim.” Patchak v. Jewell, 828 F.3d 995,
1006 (D.C. Cir. 2016). That being said, the D.C. Circuit has noted on multiple occasions that the
Functional Test is the most important of the three, see, e.g., BellSouth II, 162 F.3d at 684, and
indeed that “compelling proof” under this test may even “be determinative,” Foretich, 351 F.3d
at 1218.
All three tests lead to the same conclusion in this case: the challenged provisions of the
NDAA are not punishment. Sections 1634(a) and (b) of the NDAA do not fall within the
historical meaning of legislative punishment and reasonably further the nonpunitive legislative
purpose of safeguarding the Nation’s infrastructure from the risk of Russian cyber-attacks.
Moreover, there is nothing in the record that indicates a congressional intent to punish Kaspersky
Lab.
a. The Historical Test
First, the NDAA does not qualify as a bill of attainder under the Historical Test. The
Historical Test asks if the challenged legislation constitutes one of a “checklist of deprivations
and disabilities” that have been historically associated with bills of attainder. Foretich, 351 F.3d
at 1218. This checklist includes death, “imprisonment, banishment, . . . the punitive confiscation
of property by the sovereign,” and “legislative enactment[s] barring designated individuals or
groups from participation in specified employments or vocations.” Nixon, 433 U.S. at 474.
These “deprivations and disabilities” have been said to be “so disproportionately severe and so
26
inappropriate to nonpunitive ends that they unquestionably have been held to fall within the
proscription of Art. I, s 9.” Id. at 473.
Little need be said about most of these historical forms of legislative punishment.
Sections 1634(a) and (b) of the NDAA bar federal government agencies from using the products
of a particular cybersecurity vendor. They do not order anyone’s execution, imprisonment, or
banishment, nor do they confiscate anyone’s property. Plaintiffs do not seem to seriously
contend otherwise. 6
Instead, Plaintiffs’ principal argument with respect to the Historical Test is that the
NDAA “falls within the scope of the historic work and employment bans.” Pls.’ Opp’n at 8.
This argument is untenable.
There is no doubt that legislation barring specific individuals or groups of individuals
from certain types of employment, or preventing them from pursuing certain vocations,
constitutes “punishment” as that term has been historically understood. In fact, “the [Supreme]
Court’s four major decisions invalidating statutes on Bill of Attainder Clause grounds have all
involved legislation preventing specific classes of persons from pursuing certain occupations.”
BellSouth Corp. v. F.C.C., 144 F.3d 58, 64 (D.C. Cir. 1998) (“BellSouth I”). These decisions
(hereinafter, the “Employment Ban Cases”) include United States v. Brown, 381 U.S. 437
(1965), in which the Supreme Court invalidated a law that made it a crime for a member of the
6
In a footnote, Plaintiffs make a cursory argument that the NDAA is a “punitive
confiscation of property” because it will “diminish the value of the corporation” “if sold to a new
owner.” Pls.’ Opp’n at 11 n.6. As an initial matter, Plaintiffs have no property interest in
discretionary contracts that they may or may not have received from the federal government in
the future. Regardless, the Court rejects the notion that any attenuated effect on a hypothetical
future sale of Plaintiffs’ corporation is the type of punitive “confiscation of property by the
sovereign” that has historically been associated with bills of attainder. Plaintiffs cite nothing in
support of that argument.
27
Communist Party to serve as an officer of a labor union, United States v. Lovett, 328 U.S. 303
(1946), in which the Court invalidated a law that prohibited payment of salary to three named
federal employees who were members of the Communist Party, and Cummings v. Missouri, 71
U.S. 277 (1866) and Ex parte Garland, 71 U.S. 333 (1866), in which the Court struck down laws
effectively preventing individuals who sympathized with the rebellion against the Union from
engaging in certain professions.
The NDAA, however, is nothing like the legislation in these Employment Ban Cases.
Sections 1634(a) and (b) of the NDAA have nothing to do with anyone’s employment. They do
not bar any individual from pursuing their livelihood or from engaging in any vocation. In fact,
unlike the legislation in the Employment Ban Cases, these sections of the NDAA do not apply to
any “flesh-and-blood” individuals at all. They apply to the products of a multinational
corporation. Even assuming that the Bill of Attainder Clause applies to corporations in the
abstract, 7 the fact that the legislation at issue here targets the products of a multinational
corporation, instead of an individual, certainly distinguishes it from the “historic work and
employment bans.” See BellSouth II, 162 F.3d at 684 (“[I]t is obvious that there are differences
between a corporation and an individual under the law,” and “[t]hus, any analogy between prior
cases that have involved individuals and this case, which involves a corporation, must
necessarily take into account this difference.”); ACORN v. United States, 618 F.3d 125, 137 (2d
Cir. 2010) (“‘[T]here may well be actions that would be considered punitive if taken against an
individual, but not if taken against a corporation.’”) (quoting Consol. Edison Co. of New York,
7
BellSouth I, 144 F.3d at 63 (“We assume, as do the parties, that the Bill of Attainder
Clause protects corporations as well as individuals.”); Consol. Edison Co. of New York v. Pataki,
292 F.3d 338, 346-49 (2d Cir. 2002) (holding that the Bill of Attainder Clause applies to
legislation that targets corporations as well as natural persons).
28
292 F.3d at 354). This distinction is an important one, because “[w]hen the [Supreme] Court
extended ‘punishment’ to include employment bars, it did so because it was concerned that the
government had imposed restrictions that violated the fundamental guarantees of political and
religious freedom.” BellSouth II, 162 F.3d at 686. That concern simply is not implicated here.
A statute that does not apply to any individual but instead deprives a large multinational
corporation of one of its many sources of revenue does not threaten anyone’s personal rights or
freedoms.
Moreover, even if there could be a case where depriving a corporation of a source of
revenue had such a profound impact on its business that the deprivation effectively rose to the
level of a work or employment ban, this is not that case. The effect on Kaspersky Lab of losing
the United States federal government as a customer does not begin to compare to the effect of
historically recognized “employment bans” on the targeted individuals. Those historically
recognized bans have completely prevented individuals from being employed in certain positions
or pursuing certain types of vocations. Kaspersky Lab is not prevented from operating as a
cybersecurity business. 8 It is prevented from seeking discretionary contracts from the United
States federal government. The company may still operate and derive revenue throughout the
world, including in the United States, by selling its products to individuals, private companies,
and other governments.
This is no meaningless concession. Kaspersky Lab concedes that sales to the United
States federal government make up a tiny fraction of the company’s overall business. In
Kaspersky Lab’s own words, “[o]ver 400 million users—from governments to private
8
The Court rejects Plaintiffs’ attempt to characterize their “vocation” as “direct and
indirect federal government contracting.” Pls.’ Opp’n at 10. That is not a vocation.
29
individuals, commercial enterprise to critical infrastructure owners and operators alike—utilize
Kaspersky Lab technologies.” Gentile Decl. ¶ 9. “Active licenses held by federal agencies in
September 2017 had a total value (to Kaspersky Lab, Inc. and the Company as a whole) of less
than $54,000—approximately 0.03% of Kaspersky Lab, Inc.’s annual U.S. sales at the time.” Id.
There is simply no plausible way that the NDAA’s prohibition on the federal government’s use
of Kaspersky Lab products—depriving that corporation of less than one percent of its revenue
from sales in one country within which it operates—can be compared to the individual
employment bans that have been struck down by the Supreme Court.
The D.C. Circuit has rejected the argument that regulations limiting the types of business
which a company may engage in, or the products it may sell, thereby depriving that company of
some revenue, are akin to a historical employment ban. In BellSouth I, the D.C. Circuit held that
a line-of-business restriction “imposing structural separations on corporations seeking to engage
in specific types of commercial activity” was not the same as “traditional employment
debarments.” 144 F.3d at 64-65. That court explained that such a restriction could not be fairly
compared to employment bans because it left its subjects “free to pursue their” business goals,
simply subject to requirements that, despite being “hardly costless,” did not “remotely approach
the disabilities that have traditionally marked forbidden attainders.” Id. at 65; see also Navegar,
Inc. v. United States, 192 F.3d 1050, 1066-67 (D.C. Cir. 1999) (holding that law preventing a
company from selling particular products was not equivalent to historical employment bans).
Plaintiffs here too are free to pursue their business goals. Their products simply will not be used
by the federal government of the United States. While not costless, this restriction does not
approach the degree of disability historically associated with bills of attainder.
30
Perhaps the weakness of Plaintiffs’ argument on this point is best indicated by the
caselaw that they are able to marshal in its support. Plaintiffs cite three out-of-circuit district
court opinions, one of which is unpublished. These authorities are of course not binding and, in
any event, do not discuss Plaintiffs’ argument in depth. More importantly, all three opinions are
clearly distinguishable. In all of them, unlike in this case, the legislation challenged had the
effect of shutting down the businesses of, and/or laying off or terminating, actual “flesh-and-
blood” people. In Florida Youth Conservation Corps., Inc. v. Stutler, No. 4:06CV275-RH/WCS,
2006 WL 1835967, at *1 (N.D. Fla. June 30, 2006), the court held (in an unpublished opinion at
the preliminary injunction stage with six sentences addressing the bill of attainder issue) that a
law barring a not-for-profit corporation from state contracting was “very much akin to the
enactments that prompted the framers to include in the Constitution a prohibition on bills of
attainder.” That ruling, however, was in part based on the court’s finding that the effect of the
law “would be to put plaintiff out of business, or at least to put plaintiff out of the business in
which it has been engaged to date.” Id. In Planned Parenthood of Central North Carolina v.
Cansler, 877 F. Supp. 2d 310, 324 (M.D.N.C. 2012), the court held (relying primarily on Florida
Youth Conservation Corps.) that a law that prevented Planned Parenthood from any opportunity
to apply for or receive government grants or contracts was “analogous to legislation that
prohibits a person or entity from engaging in certain employment, which courts have historically
found to be associated with punishment.” That ruling, however, came after the court had
determined in a previous opinion that the law at issue would require plaintiff to “close facilities”
and “lay-off employees.” Planned Parenthood of Cent. N. Carolina v. Cansler, 804 F. Supp. 2d
482, 498 (M.D.N.C. 2011). Finally, in Mendelsohn v. Meese, 695 F. Supp. 1474, 1486-89
(S.D.N.Y. 1988), the court held that the Anti-Terrorism Act was akin to historical forms of
31
punishment, but it did so because the law penalized a group of “employees”—i.e., flesh-and-
blood people—“by closing their offices and effectively terminating their activities in the United
States.” In sum, even if the Court found the analysis in these non-binding district court opinions
persuasive, they nevertheless would not prove Plaintiffs’ point because, in each of them,
individual people were prevented from pursuing their employment. They do not stand for the
proposition that depriving a large multinational corporation like Kaspersky Lab of one tiny
source of revenue is a historically recognized form of legislative punishment.
Finally, another reason that the challenged provisions of the NDAA are unlike the
legislation in the Employment Ban Cases is that they do not brand Kaspersky Lab as disloyal, or
express any determination that Kaspersky Lab is guilty of any wrongdoing. The decisions of the
Supreme Court that have determined that employment bans are legislative punishment have done
so “where the employment bans were imposed as a brand of disloyalty.” Foretich, 351 F.3d at
1217. And, more generally, “[a] familiar theme in the[ ] classic examples of punishment is the
initial determination by the legislature of ‘guilt.’” ACORN, 618 F.3d at 136. The NDAA lacks
these characteristics. As Plaintiffs repeatedly emphasize, the law appears to have nothing to do
with any finding that Kaspersky Lab has done anything wrong or disloyal. Instead, it is premised
on the determination that the use of that company’s products to defend federal government
networks and computer systems presents a national security vulnerability because they could be
used (whether with or without Kaspersky Lab’s knowledge or consent) by the Russian
government. The law does not assume any guilt, disloyalty, or wrongdoing on the part of
Kaspersky Lab. 9
9
Plaintiffs attempt to demonstrate that the law brands them as disloyal by pointing to
Senator Jeanne Shaheen’s public statements. The Court is not convinced. As discussed further
32
In sum, the Court finds that Plaintiffs have not plausibly alleged that the challenged
provisions of the NDAA are legislative punishment under the Historical Test. Plaintiffs, perhaps
foreseeing this result, have argued that the Court should nonetheless consider that the NDAA is
not entirely incongruous with historical notions of punishment when weighing all three
punishment tests together. Pls.’ Opp’n at 8. The Court does consider the results of all three tests
in their totality, but this does not help Plaintiffs. The next two tests clearly weigh against them.
b. The Functional Test
“[W]here an enactment falls outside the historical definition of punishment, therefore
failing to satisfy the first test, the legislation may still be a bill of attainder under the functional
test if no legitimate nonpunitive purpose appears.” Foretich, 351 F.3d at 1218. The Court
accordingly moves on to the Functional Test. 10
The principal question under the Functional Test is “whether the law under challenge,
viewed in terms of the type and severity of burdens imposed, reasonably can be said to further
nonpunitive legislative purposes.” Nixon, 433 U.S. at 475-76. “Under this functional test, the
nonpunitive aims must be ‘sufficiently clear and convincing’ before a court will uphold a
below in the Court’s analysis of the Motivational Test, the thrust of Senator Shaheen’s
statements demonstrates a purpose of preventing Russia from exploiting Kaspersky Lab
products, not of punishing Kaspersky Lab for being disloyal. To the extent one could interpret
some aspects of Senator Shaheen’s statements differently, one-off statements by a single Senator
to the media do not control the meaning or effect of a statute.
10
Plaintiffs cite a Second Circuit opinion, Consol. Edison Co. of New York v. Pataki, 292
F.3d 338 (2d Cir. 2002), for the proposition that a statute that imposes a burden that falls within
the historical meaning of legislative punishment is “per se” a bill of attainder. See Pls.’ Opp’n at
8. This would appear to conflict with the statement of the D.C. Circuit that “‘[e]ven measures
historically associated with punishment—such as permanent exclusion from an occupation—
have been otherwise regarded when the nonpunitive aims of an apparently prophylactic measure
have seemed sufficiently clear and convincing.’” BellSouth I, 144 F.3d at 65 (quoting Laurence
H. Tribe, American Constitutional Law, § 10–5, at 655 (2d ed.1988)). The Court notes this
apparent discrepancy but need not resolve it because it finds that Sections 1634(a) and (b) do not
fall within any historic meaning of legislative punishment.
33
disputed statute against a bill of attainder challenge.” Foretich, 351 F.3d at 1221. “Courts have
conducted this inquiry by examining both the purported ends of contested legislation and the
means employed to achieve those ends.” Id. The D.C. Circuit has emphasized that there must be
“a rational connection between the burden imposed and nonpunitive purposes of the legislation.”
Id. “In other words, the means employed by the statute must be rationally designed to meet its
legitimate nonpunitive goals.” Patchak, 828 F.3d at 1006. “[T]here must be a nexus between
the legislative means and legitimate nonpunitive ends.” Foretich, 351 F.3d at 1221. “[W]here
there exists a significant imbalance between the magnitude of the burden imposed and a
purported nonpunitive purpose, the statute cannot reasonably be said to further nonpunitive
purposes.” Id.
Sections 1634(a) and (b) of the NDAA do not constitute legislative punishment under the
Functional Test. These provisions of the NDAA serve a legitimate and eminently reasonable
nonpunitive function: protecting the United States government’s information systems from the
threat of Russian cyber-intrusion. This is a prospective, risk-prevention function that is distinct
from punishment.
Moreover, the challenged provisions of the NDAA are rationally related to this
nonpunitive goal—that is, there is a nexus between the means Congress used and the nonpunitive
end it sought to achieve. 11 As discussed in more detail above, Congress was presented with at
11
Plaintiffs argue that the D.C. Circuit in Foretich instructed courts to consider “whether
there is a ‘coherent and reasonable nexus between the burden imposed and the benefit to be
gained’” as part of the Historical Test. Pls.’ Opp’n at 12-13. The Court actually understands the
Foretich opinion to mean that this consideration is, under modern precedent, considered as part
of the “Functional Test.” Foretich, 351 F.3d at 1219 (“These early decisions foreshadowed the
development of the functional test and reinforce the necessity of a coherent and reasonable nexus
between the burden imposed and the benefit to be gained.”). The Court has considered this
factor, but has addressed it as part of its Functional Test analysis.
34
least the following set of facts: Russia had committed, and will likely continue to commit,
malicious cyber-activities against the United States; the United States’ federal government
computer systems relied on Kaspersky Lab products to protect them from malicious cyber-
activity; those products can be misused to exploit or harm the systems on which they are
installed; Kaspersky Lab is headquartered in Russia and subject to Russian laws; and both
Kaspersky Lab and its founder and CEO have connections to the Russian government and
intelligence services.
It is not Plaintiffs’ or this Court’s role to determine de novo what precise actions should
have been taken in light of this information to protect the nation’s cyber-security. That function
was reserved for the political branches. It is sufficient for this Court to say that it was rational
for Congress to conclude on the basis of this information that barring the federal government’s
use of Kaspersky Lab products would help prevent further Russian cyber-attacks. See Patchak,
828 F.3d at 1006 (“[T]he means employed by the statute must be rationally designed to meet its
legitimate nonpunitive goals.”). In other words, this is not a case where Congress barred
Plaintiff from an activity based on characteristics (e.g., holding an unpopular political view) that
had no rational connection with its suitability for that activity. Such a disconnect, which could
suggest a punitive purpose, is absent here. Information suggesting that a company’s products
could be used by a foreign power known to be regularly attempting cyber-attacks on the United
States rationally bears on that company’s suitability to provide cyber-security products to the
federal government. See Flemming, 363 U.S. at 614 (“Where the source of legislative concern
can be thought to be the activity or status from which the individual is barred, the
disqualification is not punishment even though it may bear harshly upon one affected. The
contrary is the case where the statute in question is evidently aimed at the person or class of
35
persons disqualified.”); Siegel v. Lyng, 851 F.2d 412, 418 (D.C. Cir. 1988) (finding that bar from
employment in agricultural industry was not punishment because it was based on “legitimate
justifications”—connection to an entity that had previously violated agricultural laws).
Congress’ non-punitive purpose was also not out of balance with the burden that the
NDAA places on Kaspersky Lab. “[M]erely because a regulation is burdensome does not mean
that it constitutes punishment.” Navegar, 192 F.3d at 1067. The Court must ask whether that
burden, however great, is out of balance with the purpose of the regulation. Here, that is clearly
not the case. On the one side of the scale in this case is Congress’ goal of securing our Nation’s
networks and computer systems from malicious cyber-threats. The importance of this goal in
today’s world can hardly be overstated.
On the other side of the scale is the burden to Kaspersky Lab which, while real, is
exaggerated by Plaintiffs. The NDAA deprives Kaspersky Lab of one of its revenue streams.
But, as discussed above, that revenue stream represents a tiny portion of the company’s overall
business. And, although the prohibition also may have a negative effect on Kaspersky Lab’s
reputation in the cybersecurity field, that reputational harm is not as great as Plaintiffs suggest.
Plaintiffs compare this case to Foretich, but the comparison is a stretch. The reputational burden
the D.C. Circuit addressed in Foretich derived from Congress having effectively labeled a
particular individual as a child molester who had sexually abused his own daughter. See
Foretich, 351 F.3d at 1223. The Act “memorialize[d] a judgment by the United States Congress
that [the plaintiff] was guilty of horrific crimes.” Id.
The reputational burden in this case is not as severe. Through the NDAA, Congress has
effectively declared that the use of Kaspersky Lab products by federal government agencies
presents a security risk because those products could be used—whether with or without
36
Kaspersky Lab’s knowledge or consent—by the Russian government. This understandably will
affect Kaspersky Lab’s reputation as a cybersecurity business, but it does not, as Plaintiffs
repeatedly argue, label them as disloyal or adjudge them guilty of any “horrific crime.” In sum,
even considering the reduction in revenue and harm to reputation Plaintiffs allegedly suffered,
this is not a case where “[a] grave imbalance or disproportion between the burden and the
purported nonpunitive purpose suggests punitiveness.” Id. at 1222. The burdens placed on
Kaspersky Lab by the challenged provisions of the NDAA, although perhaps not trivial in
absolute terms, are not out of balance with Congress’ goal of protecting the Nation’s cyber-
security.
Plaintiffs argue that various aspects of Sections 1634(a) and (b) reveal that its actual
function is punitive. First, Plaintiffs argue that the punitive nature of the NDAA is demonstrated
by the fact that it singles out Kaspersky Lab and no other cybersecurity vendors. Indeed,
Plaintiffs at times go so far as to imply that the law is inherently a bill of attainder because it is
not one of general applicability. See, e.g., Pls.’ Opp’n at 22-23. This argument is not persuasive.
It is true that the specificity of a law is one factor that the Court may consider when determining
whether a law is punitive. See Foretich, 351 F.3d at 1222. However, it is also true that
specificity alone is not sufficient to establish that a law has a punitive function. See Nixon, 433
U.S. at 470-71 (rejecting notion that a law was a bill of attainder simply because it “impose[d]
undesired consequences on an individual or on a class that is not defined at a proper level of
generality” because this notion, if accepted, would “cripple the very process of legislating, for
any individual or group that is made the subject of adverse legislation [could] complain that the
lawmakers could and should have defined the relevant affected class at a greater level of
generality.”); ACORN, 618 F.3d at 138-39 (explaining that specificity is relevant to assessing an
37
alleged punitive purpose but “does not create a presumption of unconstitutionality”). Where a
law targets a particular individual (or corporation) because there is a legitimate nonpunitive
reason to take such targeted action, specificity is not improper and does not evince punishment.
See Nixon, 433 U.S. at 472 (holding that law was not objectionable solely because it singled out
President Richard Nixon, because Congress had reason to conclude that action against President
Nixon specifically “demanded immediate attention”); SeaRiver Mar. Fin. Holdings, Inc. v.
Mineta, 309 F.3d 662, 676 (9th Cir. 2002) (holding that focus on removing a particular tank
vessel from the Prince William Sound did not evince a punitive purpose because it was
reasonable to conclude that prompt action with respect to that vessel in particular was necessary).
That was the case here. Grappling with a real-time need to take action to protect the
government’s networks and computer systems from cyber-attacks, Congress opted to pass a law
of general applicability that ordered the review of procedures for removing suspect products and
services from federal systems going forward (Section 1634(c)), and also immediately took action
to stem a perceived risk caused by the government’s use of one company’s products in particular
based on facts already known (Sections 1634(a) and (b)). There was nothing improper about this
course of action. The record indicates that no other cybersecurity vendor had the same set of
characteristics that had caused concerns about Kaspersky Lab. AR770. It was therefore
reasonable for Congress to act only with respect to that company.
Plaintiffs also argue that Sections 1634(a) and (b) of the NDAA do not have a legitimate
nonpunitive function because Congress could have employed less burdensome alternatives and
because the statute lacks “safeguards” for Kaspersky Lab’s rights. Plaintiffs’ considerable
reliance on these points is misplaced. These are merely factors the Court may consider when
determining whether a law had a nonpunitive purpose. They are not requirements. Neither the
38
Supreme Court nor the D.C. Circuit has held that the Court may invalidate a law with a clear
nonpunitive purpose that is rationally designed to further that purpose simply because it lacks
“safeguards” for a class that is burdened by the law. Nor have those courts held that it is
necessary, or appropriate, for the Court to apply a “least restrictive means test” to laws
challenged as bills of attainder.
Additionally, the principal “less burdensome alternative” proffered by Plaintiffs—
“refer[ing] the matter to the executive branch to consider” proceedings to debar Kaspersky Lab
under the FAR, Pls.’ Opp’n at 29—would not have accomplished Congress’ nonpunitive goal.
Debarment would have only applied to future transactions between Kaspersky Lab and the
government—it would not have required federal agencies to remove Kaspersky Lab products
they had previously purchased and installed. AR0631. Nor would debarment have prohibited
third parties from selling Kaspersky Lab products to federal agencies. Id. Accordingly,
debarment would not have prevented agencies from using Kaspersky Lab products.
To the extent Plaintiffs argue that the prohibition could have been limited to only
Kaspersky Lab software (not hardware or services), or should have provided Kaspersky Lab a
means to “extricate itself from the ban,” Pls.’ Opp’n at 27, the Court is not convinced that these
characteristics of the NDAA cast any doubt on its nonpunitive function. Considering the
extensive record regarding Kaspersky Lab that was before Congress, it was reasonable for
Congress to conclude that a broad and permanent ban was necessary to prevent the sort of cyber-
attacks about which Congress was concerned. Plaintiffs believe that the law could have been
designed better but, as already stated, it is not the Court’s role to review de novo the technical
decisions Congress makes to protect the Nation’s cyber-security. It is enough that a “rational
and fairminded Congress” could have determined that the approaches urged by Plaintiffs would
39
not have accomplished its nonpunitive goals. Nixon, 433 U.S. at 483. The Court easily
concludes that that is the case here.
For the foregoing reasons, Sections 1634(a) and (b) of the NDAA have a clear
nonpunitive function. The means Congress employed to accomplish that function are rational,
and the burdens imposed by the NDAA are not out of balance with the importance of its
nonpunitive goal. Therefore, the Functional Test shows that the law does not constitute
punishment.
c. The Motivational Test
“The final test of legislative punishment is ‘strictly a motivational one: inquiring whether
the legislative record evinces a congressional intent to punish.’” Foretich, 351 F.3d at 1225
(quoting Nixon, 433 U.S. at 478). “Under this prong, a court must inspect legislation for a
congressional purpose to ‘encroach[ ] on the judicial function of punishing an individual for
blameworthy offenses.’” Id. (quoting Nixon, 433 U.S. at 479). “Courts conduct this inquiry by
reference to legislative history, the context or timing of the legislation, or specific aspects of the
text or structure of the disputed legislation.” Id.
The Motivational Test “by itself is not determinative in the absence of ‘unmistakable
evidence of punitive intent.’” Id. (quoting Selective Serv. Sys., 468 U.S. at 856 n.15). The Court
approaches the Motivational Test with caution, because “[j]udicial inquiries into Congressional
motives are at best a hazardous matter.” Flemming, 363 U.S. at 617. When a law is claimed to
impose legislative punishment on the basis of such an inquiry, “only the clearest proof could
suffice to establish the unconstitutionality of [the] statute.” Id.; see also ACORN, 618 F.3d at
141 (“The legislative record by itself is insufficient evidence for classifying a statute as a bill of
attainder unless the record reflects overwhelmingly a clear legislative intent to punish.”).
40
Presumably in light of this daunting standard, Plaintiffs disavow any argument that
Sections 1634(a) and (b) of the NDAA constitute a bill of attainder on the basis of the
Motivational Test alone. See Pls.’ Opp’n at 30 (“Plaintiffs are not challenging the
constitutionality of the NDAA on ‘this prong itself.’”). They contend only that this test
“bolsters” their showing that the NDAA is punishment. Id. Even this modest claim, however, is
wrong. The Motivational Test does not “bolster” Plaintiffs’ argument. If anything, it weakens it.
Plaintiffs’ primary argument under the Motivational Test is that the record related to
Congress’ decision to prohibit the use of Kaspersky Lab products is “silent.” Pls.’ Opp’n at 3.
There are two major flaws with this argument. The first is that, even if it was accurate, it would
defeat Plaintiffs’ claim. Statutes are presumed constitutional. See Flemming, 363 U.S. at 617
(“[T]he presumption of constitutionality with which this enactment, like any other, comes to us
forbids us lightly to choose that reading of the statute’s setting which will invalidate it over that
which will save it.”). It is Plaintiffs’ burden under the Motivational Test to demonstrate that
Congress was motivated to punish Kaspersky Lab. See BellSouth I, 144 F.3d at 67 (finding that
law was not punishment under the Motivational Test where plaintiff had not “come forward” and
“provided” any evidence on Congress’ purpose). If the record was in fact “silent,” Plaintiffs
could not do so. See SeaRiver, 309 F.3d at 677 (“The congressional silence surrounding § 2737
impedes SeaRiver in successfully carrying its burden on this factor.”). Congress’ silence, even
when coupled with an awareness that its actions will harm a particular individual or company, is
not sufficient to demonstrate punitive intent. See Patchak, 828 F.3d at 1007 (“While it may be
true that Mr. Patchak was adversely affected as a result of the legislation, the record does not
show that Congress acted with any punitive or retaliatory intent.”); SeaRiver, 309 F.3d at 674
41
(“Although Congress was aware when it passed § 2737 that it would impose a cost on SeaRiver,
this awareness does not translate into a suggestion that Congress’s intent was to punish”).
The second problem with Plaintiffs’ “silence” argument is that it is incorrect as a matter
of fact. As the Court described at length in the Background section of this Opinion, the NDAA
was passed after months of congressional inquiries into the risk of Russian cyber-attacks created
by the federal government’s use of Kaspersky Lab products. The Court will not repeat that
entire history here, but notes that concerns were raised at various committee hearings, and six
United States intelligence directors, including the directors of the CIA and the NSA, told the
Senate Select Committee on Intelligence that they would not be comfortable using Kaspersky
Lab products on their computers. In addition, a Senate Armed Services Committee report
discussing the prohibition on Kaspersky Lab products stated that the prohibition was a response
to “reports that the Moscow-based company might be vulnerable to Russian government
influence.” NDAA FY 2018, U.S. Senate Armed Services Committee, at 10, https://www.
armed-services.senate.gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf. Although
drawing conclusions about Congress’ motivation is a “hazardous” endeavor, Flemming, 363 U.S.
at 617, as a whole, this record suggests a motivation to take preventive action to eliminate a risk
of Russian cyber-attacks, not to punish Kaspersky Lab. 12
Plaintiffs argue that certain statements Senator Jeanne Shaheen made to the media show
that Congress was motivated to punish. As described above, Senator Shaheen stated in a press
12
Plaintiffs argue that most of this history should be ignored because it is not formal
legislative history addressing the exact amendment to the NDAA that resulted in the prohibition
at issue. Plaintiffs take far too narrow a view of the types of material that the Court may
consider when assessing Congress’ motivation under the Motivational Test. As the D.C. Circuit
has held, courts may consider “the context or timing of the legislation.” Foretich, 351 F.3d at
1225. This congressional activity provides helpful context that informs the Court’s
understanding of Congress’ motivation.
42
release that “[t]he case against Kaspersky Lab is overwhelming.” See Compl., Ex. E, NDAA
ECF No. 1-5. She elaborated that:
The strong ties between Kaspersky Lab and the Kremlin are
alarming and well-documented. I’m very pleased that the Senate has
acted in a bipartisan way on my amendment that removes a real
vulnerability to our national security. I applaud the Trump
administration for heeding my call to remove Kaspersky Lab
software from all federal computers. It’s important that this
prohibition also be a part of statute and be expanded to the entire
federal government, as my amendment would do. Considering the
strong bipartisan, bicameral support for this proposal, I’m optimistic
this will soon be signed into law.
Id. Additionally, in an editorial authored for the New York Times, Senator Shaheen wrote that
the presence of Kaspersky Lab products on federal systems created a “threat” of Russian cyber-
interference, and that she was proposing to bar federal government use of those products “to
close this alarming national security vulnerability.” See Compl., Ex. C, NDAA ECF No. 1-3.
These statements do not indicate that Congress’ motivation was to punish Kaspersky Lab.
As an initial matter, the overall emphasis of Senator Shaheen’s statements was not that Congress
should punish Kaspersky Lab for anything, but instead that the use of Kaspersky Lab products to
defend federal government systems created a risk of Russian cyber-interference, and that action
needed to be taken swiftly to address this vulnerability. It was the “case” for such action,
according to Senator Shaheen, that was “overwhelming.”
Additionally, even if these statements could be interpreted as indicating that Senator
Shaheen was motivated to punish Kaspersky Lab—and the Court does not interpret them that
way—isolated statements of one legislator are not sufficient under the Motivational Test to
demonstrate a punitive motivation. “‘Several isolated statements’ are not sufficient to evince
punitive intent.” BellSouth II, 162 F.3d at 690 (quoting Selective Serv. Sys., 468 U.S. at 856
43
n.15); Navegar, 192 F.3d at 1067 (holding that “isolated statements are not sufficient to show a
punitive intent”); ACORN, 618 F.3d at 142 (holding that “smattering” of legislators’ opinions
regarding plaintiff’s guilt of fraud was insufficient to demonstrate motivation to punish). In
other words, even if Senator Shaheen’s intention in passing the NDAA’s prohibition on
Kaspersky Lab products was to punish that company, as opposed to merely limit the risk of
future Russian cyber-attacks, that intention of a sole senator is not sufficient to demonstrate that
Congress as a whole was motivated to punish.
Also relevant to the Court’s Motivational Test inquiry is that the NDAA was passed on
the heels of actions by the Executive Branch addressing similar concerns about Kaspersky Lab
products. Most importantly, Congress was considering the NDAA’s prohibition on Kaspersky
Lab products at the same time that DHS was in the midst of its BOD 17-01 proceedings.
Congress even held hearings about those proceedings. By statute, BODs are used “for purposes
of safeguarding Federal information and information systems from a known or reasonably
suspected information security threat, vulnerability, or risk”—not to impose punishment based
on any wrongdoing. 44 U.S.C. § 3552(b)(1). The purpose of BOD 17-01 in particular was to
stem the risk of Russian cyber-attacks, and DHS made clear that the action was not based on any
assumption that Kaspersky Lab had done, or would do, anything wrong or worthy of
punishment. AR0629. It is reasonable to assume that Congress had a similar motivation when,
after overseeing the implementation of BOD 17-01, it passed a prohibition very similar to that
BOD just days after it was finalized.
Additionally, “specific aspects of the text or structure” of Section 1634, such as the
provision’s placement within the NDAA, indicate Congress’ nonpunitive motivation. See
Foretich, 351 F.3d at 1225; see also BellSouth I, 144 F.3d at 66 (noting that a claim of punitive
44
purpose can be undermined by a provision’s placement within an Act). Section 1634 falls under
a subtitle of the NDAA entitled “Cyberspace-Related Matters.” This section of the NDAA does
not dole out punishments. It provides authorizations, sets policies, and requires reporting on
various cyber-security issues. Section 1634(c), which follows immediately after the challenged
sections, is one example: it requires agencies to conduct reviews of their procedures for
removing suspect products or services from the information technology networks of the federal
government. That the prohibition on Kaspersky Lab products falls within this section of the
NDAA indicates that Congress viewed it as a similar cyber-security measure, not punishment.
The text and effect of the statutory sections themselves also indicate Congress’
nonpunitive motivation. The statute does not prohibit purchases from Kaspersky Lab, but
instead the use of Kaspersky Lab products. This required the government to undergo a time-
intensive and costly process of identifying and discontinuing the “use” of Kaspersky Lab
products throughout the government. If Congress’ purpose was simply to punish Kaspersky Lab
for something, it could have accomplished that goal in a far easier and cheaper manner by simply
barring any future purchases from that company. The fact that it declined that option and instead
ordered that all “use” of Kaspersky Lab products be halted, and incurred the considerable cost to
do so, 13 suggests that the function of the law was to protect against prospective Russian cyber-
threats, not to punish Kaspersky Lab.
In sum, it was Plaintiffs’ burden to plausibly allege facts that would suggest that Sections
1634(a) and (b) were punishment under the Motivational Test. Their inability to do so defeats
their claim. In addition, the record—including congressional activity, administrative activity,
13
The Government also points out that if Congress had intended to punish Kaspersky
Lab, it might have required the company to bear the cost of removing its own products, but
Congress opted not to do so.
45
and the nature of the statute itself—affirmatively indicates a nonpunitive motivation.
Accordingly, the Court concludes that Plaintiffs cannot plausibly establish that the challenged
provisions constitute legislative punishment under the Motivational Test.
***
Weighing all three tests for punishment together, the Court concludes that Sections
1634(a) and (b) of the NDAA clearly do not inflict punishment on Plaintiffs. The law does not
impose any form of historically recognized legislative punishment. It has an obvious and
eminently reasonable nonpunitive purpose and, although the law has negative effects on
Plaintiffs, those effects are not out of balance with the goal of protecting the Nation’s cyber-
security. Finally, there is no evidence that Congress acted with any motivation to punish
Plaintiffs.
The Court emphasizes that “[i]n order to decide whether a statute impermissibly inflicts
punishment, [the Court] consider[s] each case in ‘its own highly particularized context.’”
Patchak, 828 F.3d at 1006 (quoting Selective Serv. Sys., 468 U.S. at 852); see also Flemming,
363 U.S. at 616 (“[E]ach case [ ] turn[s] on its own highly particularized context.”). The context
of this case—Congress’ real-time attempt to address cutting edge and constantly evolving cyber-
threats to some of our Nation’s most sensitive strategic assets—is extremely unique. Viewed in
this unique context, for the reasons explained above, the challenged provisions of the NDAA
cannot plausibly be said to be a bill of attainder. Plaintiffs’ NDAA Lawsuit will accordingly be
dismissed.
B. The BOD Lawsuit
Plaintiffs’ BOD Lawsuit will also dismissed, but for a different reason. Article III of the
Constitution limits the jurisdiction of this Court to the adjudication of “Cases” and
46
“Controversies.” U.S. Const., Art. III, § 2. “In an attempt to give meaning to Article III’s case-
or-controversy requirement, the courts have developed a series of principles termed ‘justiciability
doctrines,’ among which [is] standing.” Nat’l Treasury Emps. Union v. United States, 101 F.3d
1423, 1427 (D.C. Cir. 1996) (citing Allen v. Wright, 468 U.S. 737, 750 (1984)). Standing
requires, in essence, that a plaintiff have “a personal stake in the outcome of the
controversy . . . .” Warth v. Seldin, 422 U.S. 490, 498 (1975). The familiar requirements of
Article III standing are:
(1) that the plaintiff have suffered an “injury in fact”—an invasion
of a judicially cognizable interest which is (a) concrete and
particularized and (b) actual or imminent, not conjectural or
hypothetical; (2) that there be a causal connection between the injury
and the conduct complained of—the injury must be fairly traceable
to the challenged action of the defendant, and not the result of the
independent action of some third party not before the court; and (3)
that it be likely, as opposed to merely speculative, that the injury will
be redressed by a favorable decision.
Bennett v. Spear, 520 U.S. 154, 167 (1997) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-
61 (1992)); see also Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).
Plaintiffs cannot satisfy these requirements in the BOD Lawsuit. Plaintiffs assert that
they have standing to challenge BOD 17-01 because it causes them two types of injury: it
prevents them from selling to the United States federal government, and it damages their
reputation. To establish standing in the BOD Lawsuit, Plaintiffs must show “‘that it [is] likely,
as opposed to merely speculative, that the[se] injur[ies] will be redressed by a favorable
decision’” in that suit. Chamber of Commerce of U.S. v. E.P.A., 642 F.3d 192, 200 (D.C. Cir.
2011) (quoting Bennett, 520 U.S. at 167). Plaintiffs cannot make that showing. After BOD 17-
01 was finalized, Congress separately passed an even broader prohibition on Kaspersky Lab
products: Sections 1634(a) and (b) of the NDAA. Regardless of the outcome of the BOD
47
Lawsuit, those provisions of the NDAA will be the law. Sections 1634(a) and (b) of that law
cause, at least, the same alleged harms as BOD 17-01. Therefore, even if Plaintiffs were
successful and the Court were to order the rescission of the BOD, their harms would not be
redressed. The Court has no jurisdiction to proceed to the merits of a lawsuit where its ultimate
decision will have no real effect.
The NDAA has never been challenged as part of the BOD Lawsuit. Plaintiffs did
eventually file a separate lawsuit challenging the NDAA (the NDAA Lawsuit, discussed above),
but the two suits have always been, and remain, separate and distinct. The filing of a separate
lawsuit challenging the NDAA did not have any effect on the Court’s consideration of standing
in the BOD Lawsuit, given that standing is determined at the time of the commencement of suit,
and the NDAA Lawsuit was filed after the BOD suit. See Lujan, 504 U.S. at 571 n.5 (“standing
is to be determined as of the commencement of suit”). Regardless, even assuming that the
NDAA Lawsuit was relevant in any way to Plaintiffs’ standing in the BOD Lawsuit, the NDAA
Lawsuit has been dismissed. Accordingly, the Court assesses Plaintiffs’ standing in the BOD
Lawsuit assuming that, regardless of the outcome of that suit, the NDAA will remain in place.
It is a well-established principle that a plaintiff cannot demonstrate redressability when its
lawsuit challenges only one of two government actions that both independently produce the same
alleged harm. See Delta Const. Co. v. E.P.A., 783 F.3d 1291, 1296 (D.C. Cir. 2015) (holding
that petitioners did not have standing to challenge Environmental Protection Agency standards
that allegedly raised the price of vehicles due to lack of redressability because the National
Highway Traffic Safety Administration had promulgated substantially identical standards that
were not challenged in the lawsuit, and therefore “even were we to vacate the EPA standards, the
NHTSA standards would still increase the price of vehicles”); Texas v. E.P.A., 726 F.3d 180, 198
48
(D.C. Cir. 2013) (dismissing challenge to administrative rules for lack of standing because
vacating those rules “would not redress the State petitioners’ injury,” which was separately
caused by a statute); Renal Physicians Ass’n v. U.S. Dep’t of Health & Human Servs., 489 F.3d
1267, 1277 (D.C. Cir. 2007) (finding that plaintiff challenging a regulatory safe harbor had not
satisfied the redressability prong because “[e]ven if a court invalidated the safe harbor, dialysis
facilities would remain obligated under the Stark Law to pay no more than fair market value for
medical director services”).
This principle applies with full force in this case. Sections 1634(a) and (b) of the NDAA
are not challenged in the BOD Lawsuit and cause both of the injuries Plaintiffs claim to suffer as
a result of BOD 17-01.
First, like BOD 17-01, the NDAA prevents Plaintiffs from selling to the United States
federal government. The NDAA requires that all federal agencies stop using all Kaspersky Lab
products and services. In fact, the prohibition in the NDAA is broader than the prohibition in
BOD 17-01, because it includes all Kaspersky Lab products and services (not just “Kaspersky-
branded” products), and because it does not exempt any national security systems. The fact that
the NDAA’s prohibition does not technically become effective until October 1, 2018, does not
change this analysis. There is no redressability unless a decision in Plaintiffs’ favor would
“produce tangible, meaningful results in the real world.” Common Cause v. Dep’t of Energy,
702 F.2d 245, 254 (D.C. Cir. 1983). No meaningful results would be produced by lifting BOD
17-01’s prohibition on Kaspersky Lab products for the few months before the NDAA’s
prohibition goes into effect. Under the NDAA, federal agencies must have identified and halted
the use of all Kaspersky Lab products by October 1, 2018. This is not contingent on the outcome
of any review process. It is a date certain by which all use must stop. Under these
49
circumstances, it is highly implausible that, upon learning that BOD 17-01 was rescinded, any
federal government agency would purchase a Kaspersky Lab product, obtain the necessary
approval to use that product, install it, and begin using it, only to have to remove it again by
October 1, 2018. To do so would not only defy common sense, it would also likely violate each
federal agency’s obligations under FISMA to reduce the risks to their information systems in a
cost-effective manner.
Defendants have provided the Court with a declaration from the Acting Federal Chief
Information Security Officer at the OMB, Grant Schneider, attesting to these points. Mr.
Schneider’s job is to oversee the development of government-wide cybersecurity policy and
Federal civilian agency implementation of cybersecurity laws and policies. See Decl. of Grant
Schneider, BOD ECF No. 13-1, ¶ 1. In his declaration, he states that “federal agencies are
widely aware of the NDAA prohibition” and that “even if BOD 17-01 were rescinded before
October 1, 2018, no federal agency would be likely to procure, test and install Kaspersky
products, and then remove them, all before the October 1st NDAA effective date.” Id. ¶ 5. He
explains that “each federal agency makes its own independent IT acquisition decisions as long as
the agency complies with applicable law and executive branch policy,” and the personnel
involved in those decisions “are acutely aware of the need to avoid use of IT products that
increase risks to their information and information systems.” Id. ¶ 6. In particular, agencies are
aware of their obligations under FISMA to reduce risks to their information systems in a cost-
effective manner, and are separately required under Executive Order and OMB policy to
implement information security and cybersecurity risk management plans and measures. Id.
“Rescinding the BOD would not eliminate the security concerns underlying the decision
to issue the directive in the first place,” Mr. Schneider attests, which had been raised by other
50
lawmakers and intelligence officials, and which are also memorialized by the NDAA. Id. ¶ 7.
Even if the BOD were rescinded, these agencies would still have to confront these concerns.
They would have to determine that using Kaspersky Lab software in the months before the
NDAA officially takes effect is an acceptable risk to their networks, and that purchasing those
products, acquiring the necessary authorizations to use them and taking the time and resources to
test, install, and deploy them—only to then immediately remove them prior to October 1, 2018—
would be cost-effective and not wasteful. Id. ¶¶ 7-10. Mr. Schneider finds it “highly unlikely”
that any agency’s Chief Information Officer would make these determinations and choose to use
Kaspersky Lab products between now and October 1, 2018, if the BOD was rescinded. Id. ¶ 7.
In fact, according to Mr. Schneider, purchasing these products could open an agency up to
investigation for wasteful procurement. Id. ¶¶ 8, 11.
Plaintiffs do not seriously attempt to dispute these points. Instead, Plaintiffs respond to
Defendants’ standing argument by attempting to recast their alleged injury as being deprived of
the “right to sell to the government” until October 1, 2018. Pls.’ Reply and Opp’n at 5
(emphasis in original). Regardless of whether any United States government agency would
purchase their products, Plaintiffs argue, they stand to win back this “right to sell.”
This asserted “right” is worthless. To “sell” requires another to “buy.” Because no
government agency would buy Plaintiffs’ product in the period before October 1, 2018,
Plaintiffs’ theoretical “right” to sell has no value at all in the real world. The asserted
deprivation of this empty procedural right would not affect any substantive or concrete interest of
the Plaintiffs, and therefore is not sufficient to confer standing. See Summers v. Earth Island
Inst., 555 U.S. 488, 496-97 (2009) (rejecting standing based on a “procedural injury, namely,
that [respondents] have been denied the ability to file comments on some Forest Service
51
actions,” because “deprivation of a procedural right without some concrete interest that is
affected by the deprivation—a procedural right in vacuo—is insufficient to create Article III
standing”); Sierra Club v. E.P.A., 754 F.3d 995, 1002 (D.C. Cir. 2014) (“[B]ecause Petitioners
have failed to establish that they will likely suffer a substantive injury, their claimed procedural
injury—being denied the right to comment on the Memorandum—necessarily fails.”).
Second, the NDAA will continue to cause the same (or worse) harm to Plaintiffs’
reputation as does BOD 17-01, even if the latter is rescinded. Even assuming that Plaintiffs can
demonstrate that BOD 17-01 caused the reputational harms they allege, there are “circumstances
in which governmental action is a substantial contributing factor in bringing about a specific
harm, but the undoing of the governmental action will not undo the harm, because the new status
quo is held in place by other forces.” Renal Physicians Ass’n, 489 F.3d at 1278. That is the case
here. The NDAA would preserve the new status quo with respect to Plaintiffs’ reputation even if
BOD 17-01 was rescinded. As Plaintiffs concede, it is their burden to show that “rescission
likely would redress the discrete harm stemming from the BOD’s labelling of Plaintiffs’ products
as ‘information security risks’ to federal government information systems.’” Pls.’ Reply and
Opp’n at 10. Plaintiffs cannot make this showing. As has been discussed already at length,
BOD 17-01 and Sections 1634(a) and (b) of the NDAA are roughly equivalent prohibitions on
Kaspersky Lab products, based on approximately the same concerns about the company. For
this reason, Plaintiffs allege that the NDAA, like BOD 17-01, causes them “profound
reputational injuries.” Compl., NDAA ECF No. 1, ¶ 45. If anything, the effect of the NDAA on
Plaintiffs’ reputation would be greater than the effect of the BOD, because the NDAA codifies
the prohibition against Plaintiffs’ products into law and is broader than BOD 17-01 (covering all
Kaspersky Lab products and services and all federal information systems).
52
Whatever harm was caused by the BOD labelling Plaintiffs’ products as risks would not
be redressed if the BOD was rescinded, because the NDAA would remain in place, continuing to
label Plaintiffs’ products in exactly the same way. And to the extent there is some distinct
incremental harm that the existence of the BOD could be said to have on Plaintiffs’ reputation
above and beyond the existence of the NDAA, and therefore could be at stake in this lawsuit,
that theoretical harm is simply “too vague and unsubstantiated” to support standing. McBryde v.
Comm. to Review Circuit Council Conduct & Disability Orders of Judicial Conference of the
United States, 264 F.3d 52, 57 (D.C. Cir. 2001) (in discussing standing and mootness based on
incremental effect on reputation of a particular government action, noting that “[a]t some point . .
. claims of reputational injury can be too vague and unsubstantiated to preserve a case from
mootness”); see also Lebron v. Rumsfeld, 670 F.3d 540, 562 (4th Cir. 2012) (where plaintiff
sought order enjoining the government from designating him as an enemy combatant, ruling that
plaintiff did not have standing based on reputational injury because “[i]t is hard to imagine what
‘incremental’ harm it does to Padilla’s reputation to add the label of ‘enemy combatant’ to the
fact of his convictions and the conduct that led to them”).
Plaintiffs argue that their standing is established by the D.C. Circuit’s opinion in
Foretich. The Court disagrees. The Foretich court did find that a plaintiff had standing based on
an injury to his reputation. Moreover, that court did hold that the plaintiff had standing despite
the fact that his reputation was harmed by the challenged law as well as other factors (e.g.,
publicity surrounding an underlying custody dispute and allegations in that dispute). Foretich,
351 F.3d at 1216. However, in Foretich, there was only one government determination that
harmed plaintiff’s reputation. Plaintiff’s “reputational harms resulted directly” from a law that
“embodie[d] a congressional determination that he engaged in criminal acts of child abuse from
53
which his daughter needed protection.” Id. at 1211. The D.C. Circuit found that declaring that
law unconstitutional would have redressed plaintiff’s reputational harm because it would have
“remove[d] the imprimatur of government authority from” that determination. Id. at 1215.
This simply is not the case here. In this case, there are multiple government
determinations about Kaspersky Lab at issue—most importantly BOD 17-01 and the NDAA, but
also apparent determinations by intelligence chiefs and the GSA—that make the same finding
about Kaspersky Lab products that allegedly harms Plaintiffs’ reputation. Accordingly, ordering
the rescission of BOD 17-01 would not “remove the imprimatur of government authority” from
the determination that Kaspersky Lab products present a risk to federal government networks.
The Foretich court was not presented with these facts. See Paracha v. Obama, 194 F. Supp. 3d
7, 10-11 (D.D.C. 2016) aff’d sub nom. Paracha v. Trump, 697 F. App’x 703 (D.C. Cir. 2017)
(finding no causation or redressability in case where petitioner challenged statutes labelling him
a terrorist because, unlike in Foretich, petitioner presented no evidence that his reputational
injury “derive[d] directly” from the challenged statutes, given that “petitioner [would] remain
designated as an enemy combatant and will continue to be detained as such even if the Court
rules in his favor”).
In short, it is simply not plausible, let alone likely, that a favorable decision in the BOD
Lawsuit ordering the rescission of that agency action on APA and procedural grounds would
have any meaningful effect on Plaintiffs’ reputation, where the same determinations about
Kaspersky Lab products expressed by the BOD are codified in the NDAA and have also been
expressed by numerous other government actors.
The Court also notes that, for many of the same reasons discussed above with respect to
the redressability element, Plaintiffs also cannot demonstrate the causation requirement of
54
standing with respect to their alleged reputational harm. “Courts are powerless to confer
standing when the causal link is too tenuous.” Winpisinger v. Watson, 628 F.2d 133, 139 (D.C.
Cir. 1980). As discussed above, BOD 17-01 is but one of a number of congressional and
Executive Branch actions that would presumably have the same type of alleged effects on
Kaspersky Lab’s reputation. Prior to the issuance of BOD 17-01, various congressional
committees were investigating the company, six intelligence directors had told the Senate Select
Committee on Intelligence that they would not be comfortable using Kaspersky Lab products on
their computers, and the GSA had removed the company as a vendor. All of these acts
presumably had negative impacts on Plaintiffs’ reputation. Plaintiffs cannot demonstrate that the
BOD, and not these other acts, caused their reputational injury.
IV. CONCLUSION
For the reasons set out above, the Court will dismiss both Plaintiffs’ NDAA Lawsuit and
their BOD Lawsuit. The NDAA Lawsuit is dismissed for failure to state a claim, because
Plaintiffs have not plausibly alleged that Sections 1634(a) and (b) of the NDAA constitute a bill
of attainder. The BOD Lawsuit is dismissed for lack of standing because, even if Plaintiffs were
to succeed in that lawsuit and the Court were to order the rescission of BOD 17-01, none of
Plaintiffs’ alleged harms would be redressed. They would continue in full force as a result of the
NDAA. Because the BOD Lawsuit is dismissed for lack of standing, the Court need not reach
the parties’ cross-motions for summary judgment. Appropriate Orders accompany this
Memorandum Opinion in each lawsuit.
/s/
COLLEEN KOLLAR-KOTELLY
United States District Judge
55