Information-security lawyers and consultants are unaccustomed to hearing the words “cybersecurity” and “constitutional challenge” in the same sentence. On November 30, however, a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit, in Kaspersky Lab, Inc. v. Department of Homeland Security, unanimously affirmed the dismissal of a claim by Russian-based cybersecurity vendor Kaspersky Lab that a prospective legislative ban on the use of Kaspersky Lab hardware and software by federal departments and agencies constituted a violation of the Bill of Attainder Clause in Article I of the United States Constitution.
The basis for this legislative ban was a series of concerns that a number of executive and legislative branch officials voiced, beginning in 2017, about the risks stemming from Kaspersky’s ties to Russian intelligence and other government officials. The first response by the U.S. Government was the issuance of a September 2017 directive by the Acting Secretary of Homeland Security (Directive) that required most federal agencies to begin removing “Kaspersky-branded products” from their information systems within 90 days. Subsequently, after Congressional hearings in which Members of Congress and the Homeland Security Assistant Secretary for Cybersecurity expressed deep concern about Kaspersky’s Russian ties and the susceptibility of Kaspersky software to Russian exploitation, Congress included in the National Defense Authorization Act for Fiscal Year 2018 (NDAA) a section reflecting those concerns.
Section 1634 of the NDAA, as enacted, provided that beginning October 1, 2018,
No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—(1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.
Kaspersky then filed two actions in the United States District Court for the District of Columbia, separately challenging the Directive as a violation of the Administrative Procedure Act and section 1634 as a violation of the Bill of Attainder Clause, which states simply that “[n]o bill of attainder . . . shall be passed.” The District Court dismissed the Directive action on the grounds that Kaspersky lacked standing to sue, and dismissed the section 1634 case for failure to state a claim (i.e., that Kaspersky had failed to plausibly allege that section 1634 constitutes a bill of attainder).
In his opinion for the D.C. Circuit panel, Judge David Tatel presented an elaborate analysis of the ban and the applicability of the Bill of Attainder Clause. At the outset, he did not decide whether the Bill of Attainder Clause applies to corporations such as Kaspersky, but stated that the Court would continue to assume, as that Court of Appeals had done previously, that it does so apply (slip opinion, p. 9). As the critical question for all bills of attainder is whether the law imposes punishment, Judge Tatel conducted the three inquiries for Bill of Attainder analysis that the United States Supreme Court articulated in Selective Service System v. Minnesota Public Interest Research Group, 468 U.S. 841, 852 (1984):
- Whether the statute, “viewed in terms of the type and severity of burdens imposed, reasonably can be said to further nonpunitive legislative purposes.” On this issue, Judge Tatel held that section 1634 satisfied the standard that the nonpunitive aims of an apparently prophylactic measure be sufficiently clear and convincing. He recognized the security of the federal government’s information systems as “the nonpunitive interest at stake” (p. 15), and stated that “[g]iven the not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought, Congress’s decision to remove Kaspersky from federal networks represents a reasonable and balanced response” (p. 17). Noting that Kaspersky “identifies no cyber-product as vulnerable to malicious exploitation as Kaspersky’s” (p. 19), he concluded that “Congress had ample evidence that Kaspersky posed the most urgent potential threat, and this court must give Congress ‘sufficient latitude to choose among competing policy alternatives,’ lest ‘our bill of attainder analysis . . . “cripple the very process of legislating”’” (p. 20, quoting Foretich v. United States, 351 F.3d 1198, 1222–23 (D.C. Cir. 2003)). He concluded that section 1634 satisfied the reasonableness test.
- Whether the challenged statute falls within the historical meaning of legislative punishment. On this issue, Judge Tatel took note of Kaspersky’s admission that the burden that section 1634 imposed was “not precisely identical to any of the burdens historically recognized as punishment” (p. 22). He stated that “a wide valley separates section 1634 from the small handful of statutes that courts have found to be unconstitutional bills of attainder,” adding that “section 1634 represents no more than a customer’s decision to take its business elsewhere” (p. 27).
- Whether the legislative record “evinces a congressional intent to punish.” On this issue, Judge Tatel concluded that Kaspersky had offered no evidence of punitive intent, and that this test did nothing to support Kaspersky’s Bill of Attainder argument (pp. 28–29).
Judge Tatel concluded that Kaspersky’s complaint failed to plausibly allege that section 1634 was a bill of attainder, and affirmed the District Court’s dismissal of Kaspersky’s section 1634 case. With respect to Kaspersky’s Directive case, he concluded that Kaspersky had “a serious standing problem” – in part because “invalidation of the Directive alone would do nothing to help Kaspersky’s plight as long as section 1634 remains good law” (p. 31) – and affirmed the District Court’s dismissal for lack of subject matter jurisdiction.
Note: Kaspersky should be of interest to more than constitutional law scholars, at least because it demonstrates that the executive, legislative, and judicial branches are capable of playing complementary roles, within the bounds of their respective powers, in addressing potential cyber threats to government operations. The nonpunitive interest that Judge Tatel identified, the security of the federal government’s information systems, must be of paramount concern to the government when a software vendor has putative connections to foreign governments known to engage in economic espionage or intelligence-gathering through digital means. When such potential threats are identified – as with Kaspersky in the case of Russia, or Huawei Technologies in the case of China – executive branch officials and legislators need to have the flexibility to craft reasonable and proportional responses to those threats rather than, as Judge Tatel put it, “wait[ing] patiently for those threats to cause empirically provable consequences” (p. 17). For its part, as Judge Tatel’s opinion demonstrates, the judiciary is entirely capable of conducting a searching analysis of the factual and policy grounds of those responses without overstepping the limits of its own authority.