The D.C. Circuit on Friday (Nov. 30) upheld the constitutionality of a 2017 law that barred a Russian cybersecurity company with ties to the Kremlin from doing business with U.S. federal agencies. In an opinion by Judge Tatel, the court described Russian cyber-operations as posing perilous risks to American security and concluded that the 2017 ban was a reasonable response to those risks.
The company, Kaspersky Lab, is based in Moscow and sells cybersecurity software all over the world. Its founder, Eugene Kaspersky, allegedly worked for Russian intelligence agencies before starting the company. In early 2017, the company began drawing the ire of U.S. intelligence officials and members of Congress over fears that its software could be used to hack into sensitive U.S. computer systems.
Congress responded by passing a law prohibiting all federal agencies from using any Kaspersky products. In Kaspersky Lab, Inc. v. Department of Homeland Security, Kaspersky sued, arguing that the ban is unconstitutional because it unfairly singles out one specific company.
Kaspersky tried to show that, by imposing the ban, Congress enacted an impermissible legislative punishment, referred to as a bill of attainder. For those who are not constitutional scholars, bills of attainder are relics of the British monarchy, and back then the phrase commonly referred to parliamentary acts sentencing specific individuals to death without a trial. Article I of the Constitution forbids Congress from passing bills of attainder.
To determine whether the Kaspersky ban qualified, the D.C. Circuit panel (which consisted of Judges Edwards and Ginsburg alongside Tatel) examined three things: (1) whether the ban serves a non-punitive purpose, (2) whether the ban fits with the historical understanding of legislative punishment a la pre-trial death sentences, and (3) whether there is any evidence of a legislative intent to punish.
The court “easily” found that the ban against Kasperky products served the clear and convincing national security interest of protecting the federal government’s information systems. Unlike President Trump, the court embraced the intelligence community’s assessment of Russia as having attempted to influence the 2016 election and as continuing to pose a major cybersecurity threat. Tatel, in his opinion for the unanimous panel, noted that while “cyber-threats emanate from all over the world, Russia might well top the list.”
Kaspersky argued that it was unfairly singled out because the ban applied only to one company rather than to Russian cybersecurity firms more broadly. The court didn’t buy it—and in doing so, it relied on a landmark Supreme Court case from the aftermath of the Nixon impeachment.
In Nixon v. Administrator of General Services, former President Nixon challenged a statute that directed government archivists to take custody of his presidential papers and tape recordings. Nixon argued that the statute’s specificity—it was aimed at just his materials—showed a punitive intent. The Supreme Court rejected Nixon’s claim and held that Congress had been legitimately specific because only Nixon’s materials demanded immediate attention at the time.
The same is true here, Tatel wrote. “The Bill of Attainder Clause does not make perfect the enemy of the good,” he wrote, meaning it is good enough for Congress to try to stop the threat of one cybersecurity firm without having to go after all of them at once.
Tatel continued: “Given the not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought, Congress’s decision to remove Kaspersky from federal networks represents a reasonable and balanced response.” The ban “is prophylactic, not punitive.”
The court then looked at whether the Kaspersky ban was similar to any other ban the court had found to be unconstitutional throughout history. In short, it is not. Kaspersky could not point to anything similar in the past.
Finally, the court examined the congressional record that Kaspersky submitted to argue that Congress was simply out to get the company. Kaspersky provided minimal evidence on this front and was only able to point to a few statements by Sen. Jeanne Shaheen (D-NH) warning that ties between Kaspersky and the Kremlin were “alarming.” The court reasoned that Shaheen’s statements showed no punitive intent; on the contrary, they reinforced the non-punitive objective of securing the government’s information systems.
In addition to the bill of attainder issue, Kaspersky also sued the Department of Homeland Security under the Administrative Procedure Act for a directive it issued that is similar to the congressional ban, although the congressional ban sweeps more broadly. The court briefly addressed that aspect of the case and affirmed a district judge’s dismissal for lack of standing because invalidating the directive would not redress Kaspersky’s alleged injury while the congressional ban remains in effect.
Eugene Kaspersky released a statement Friday expressing disappointment in the court’s ruling and saying the company would continue selling software to customers in the United States. “Kaspersky Lab reaffirms that is has never, nor will ever, engage in cyber offensive activities, and the Court’s decision does not conclude otherwise,” the company said.