The government’s Kaspersky bans “may very well have adverse consequences” for the company, Judge Colleen Kollar-Kotelly wrote, “but that does not make them unconstitutional.”
Kaspersky said in a statement the company was “disappointed with the court’s decisions” and will “vigorously pursue our appeal rights.”
“Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact-finding,” the company said.
Both government Kaspersky bans were based on concerns the Moscow-based company could be used as a hacking tool by Russian intelligence services interested in stealing U.S. government secrets.
U.S. officials were also concerned that Russian laws might allow the Kremlin to compel Kaspersky’s aid in data theft operations.
Kaspersky has repeatedly said that it does not cooperate with the Kremlin or any other government and that U.S. officials have misinterpreted its duties under the Russian law.
The judge’s ruling comes as the House and Senate armed services committees are contemplating some level of government ban for the Chinese telecoms Huawei and ZTE. The ruling could give Congress a clearer path to implementing those bans, said Edward McAndrew, a former federal cybercrime prosecutor who’s a co-leader of the Ballard Spahr law firm’s privacy and data security group.
The ruling might also disincentivize the Chinese telecoms from challenging those bans in U.S. courts, McAndrew said.
The Homeland Security Department initiated the first ban in October and gave civilian federal agencies until December to begin removing Kaspersky from their systems. At that point, the company’s software was already absent from major national security systems, according to officials’ testimony.
The second ban was included in the 2018 National Defense Authorization Act, an annual defense policy bill that became law in December. That ban included both civilian and military agencies and federal contractors.
Homeland Security has verified that Kaspersky is removed from government systems but some contractors are still using the anti-virus, officials have said.
Kaspersky argued that the legislative ban, which officially takes effect in October, amounted to a “bill of attainder”—essentially when Congress unfairly singles out a particular organization for punishment without any judicial process.
Judge Kollar-Kotelly didn’t buy that argument.
“The NDAA does not inflict ‘punishment’ on Kaspersky Lab,” the judge wrote. “It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.”
The judge declined to address Kaspersky’s arguments against the Homeland Security ban, saying the company did not have legal standing to file the suit.
Because Kaspersky software is already off government systems and will soon be legislatively banned, there would be no benefit for Kaspersky in challenging the Homeland Security ban even if it prevailed, the judge wrote.
The Homeland Security Department also did not immediately respond to a comment request.
McAndrew, the former federal prosecutor, said he was unsurprised by the ruling because the government typically has broad latitude when protecting national security.
McAndrew noted that Judge Kollar-Kotelly previously served on the Foreign Intelligence Surveillance Court so “more than many other federal judges has a keen base knowledge around national security cyber threats.”
Editor's Note: This article was updated with a comment from Kaspersky Lab.