DocketNumber: Civil Action No. 2018-0325
Judges: Judge Colleen Kollar-Kotelly
Filed Date: 5/30/2018
Status: Precedential
Modified Date: 5/30/2018
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA KASPERSKY LAB, INC., et al., Plaintiffs v. Civil Action No. 17-2697 (CKK) UNITED STATES DEPARTMENT OF HOMELAND SECURITY, et al., Defendants KASPERSKY LAB, INC., et al., Plaintiffs v. Civil Action No. 18-325 (CKK) UNITED STATES OF AMERICA, Defendant MEMORANDUM OPINION (May 30, 2018) The United States government’s networks and computer systems are extremely important strategic national assets. Threats to these systems are constantly expanding and evolving. Their security depends on the government’s ability to act swiftly against perceived threats and to take preventive action to minimize vulnerabilities. These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional. Plaintiffs in the two lawsuits discussed in this Opinion represent Kaspersky Lab, a large multinational cybersecurity company headquartered in Russia. At least until 2017, Kaspersky Lab’s cybersecurity products were used to defend the networks and computer systems of a number of United States federal government agencies. Amid growing concerns in early 2017 about malicious Russian cyber activity against the United States, government officials and members of Congress began asking questions, and voicing concerns, about the presence of these products on government systems. These concerns were based on the risk that the use of 1 Kaspersky Lab products to defend United States government computer systems could be exploited by Russia, either with or without Kaspersky Lab’s consent, cooperation, or knowledge. The concerns were fueled, in very summary form, by some combination of the following facts: Kaspersky Lab products enjoy extremely broad access and elevated privileges within the computer systems on which they are installed; Kaspersky Lab is headquartered in Russia; Kaspersky Lab and its founder and Chief Executive Officer, Eugene Kaspersky, have close connections to the Russian government and intelligence services; Kaspersky Lab products cycle users’ data to the company’s servers that are based in (or accessible from) Russia; Kaspersky Lab is subject to Russian laws that allow the Russian government to request or compel assistance from Russian companies, and is also susceptible to non-legal forms of pressure from the Russian government. The apparent national security risk presented by federal government agencies using Kaspersky Lab products eventually proved intolerable to both Executive Branch officials and Congress. On September 13, 2017, the Department of Homeland Security (“DHS”) issued a Binding Operative Directive (“BOD 17-01”) pursuant to the Federal Information Security Modernization Act of 2014 (“FISMA”), that required all federal departments and agencies to identify and, ninety days later, remove Kaspersky Lab products from their systems. That directive was soon effectively superseded when Congress passed the National Defense Authorization Act for Fiscal Year 2018 (“NDAA”), which contains a provision entitled “Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab.” As its title suggests, that provision prohibits all elements of the federal government from using any Kaspersky Lab products or services. 2 Shortly after BOD 17-01 was finalized and the NDAA was signed into law, Kaspersky Lab filed a lawsuit (17-cv-2697) claiming that the BOD violated the Administrative Procedures Act (“APA”) and the Due Process Clause of the Fifth Amendment to the United States Constitution (hereinafter the “BOD Lawsuit”). The BOD Lawsuit did not challenge the legality of the NDAA’s prohibition on the use of Kaspersky Lab products. Months later, after this omission became a point of contention regarding Plaintiffs’ standing in the BOD Lawsuit, Plaintiffs filed a second lawsuit (18-cv-325) claiming that the NDAA’s prohibition was an unconstitutional bill of attainder (hereinafter the “NDAA Lawsuit”). These lawsuits are separate and distinct, but both are pending before this Court. The Court is issuing this Opinion in both lawsuits, because there are motions pending in each that present overlapping and interrelated issues. Those motions include: Defendant’s [10] Motion to Dismiss the Complaint in the NDAA Lawsuit, Plaintiffs’ [19] Motion for Summary Judgment in the BOD Lawsuit, and Defendants’ [21] Motion to Dismiss or Alternatively for Summary Judgment in the BOD Lawsuit. Having carefully reviewed the record, the pleadings, 1 and the relevant authorities, the Court GRANTS Defendant’s Motion to Dismiss the NDAA Lawsuit. Plaintiffs have not plausibly alleged that the NDAA constitutes a bill of attainder. A bill of attainder is “a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without 1 The Court’s consideration has focused on the following documents and their attachments in the NDAA Lawsuit: • Def.’s Mem. in Supp. of Mot. to Dismiss, ECF No. 10-1 (“Def.’s Mem.”); • Pls.’ Mem. in Opp’n to Def.’s Mot. to Dismiss, ECF No. 11 (“Pls.’ Opp’n”); • Def.’s Reply Mem. in Supp. of Mot. to Dismiss; ECF No. 12 (“Def.’s Reply”). In an exercise of its discretion, the Court finds that holding oral argument in this action would not be of assistance in rendering a decision. See LCvR 7(f). 3 provision of the protections of a judicial trial.” Nixon v. Adm’r of Gen. Servs.,433 U.S. 425
, 468 (1977). The NDAA does not inflict “punishment” on Kaspersky Lab. It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation. Having carefully reviewed the record, the pleadings, 2 and the relevant authorities, the Court also GRANTS Defendants’ Motion to Dismiss the BOD Lawsuit for lack of standing. Plaintiffs allege that BOD 17-01 causes them harm by depriving them of the ability to sell to the United States federal government and by damaging their reputation. Even if the Court were to rule in Plaintiffs’ favor in the BOD Lawsuit and order the rescission of BOD 17-01, these harms would continue. The NDAA would remain on the books, preventing any federal government agency from purchasing Kaspersky Lab products. It is true that the NDAA’s prohibition does not become effective until October 1, 2018. However, government agencies have likely already removed all Kaspersky Lab products from their systems as a result of BOD 17-01 and they know that, regardless, all such products must be removed by the fast-approaching NDAA effective date. Under these circumstances, it is completely implausible that any government entity would purchase a Kaspersky Lab product before October 1st. Accordingly, the empty “right” to sell to 2 The Court’s consideration has focused on the following documents and their attachments in the BOD Lawsuit: • Pls.’ Mem. of Law in Supp. of Mot. for Summ. J., ECF No. 19-1 (“Pls.’ Mem.”); • Defs.’ Mem. in Opp’n to Pls.’ Mot. for Summ. J. and in Support of Mot. to Dismiss or, in the Alternative, for Summ. J., ECF Nos. 20, 21-1 (“Defs.’ Opp’n”); • Pls.’ Reply in Supp. of Mot. for Summ. J. and in Opp’n to Defs.’ Mot. to Dismiss or, in the Alternative, for Summ. J., ECF Nos. 22, 23 (“Pls.’ Reply and Opp’n”); • Defs.’ Reply in Supp. of Mot. to Dismiss or, in the Alternative, for Summ. J., ECF No. 24 (“Defs.’ Reply”). In an exercise of its discretion, the Court finds that holding oral argument in this action would not be of assistance in rendering a decision. See LCvR 7(f). 4 the federal government for the short period before October 1st that Plaintiffs could stand to gain from success in the BOD Lawsuit lacks any concrete value. It is insufficient to confer standing. An order rescinding the BOD would also not redress the alleged harm to Plaintiffs’ reputation as a cybersecurity business because, according to Plaintiffs themselves, the NDAA independently causes, at least, that same harm. Plaintiffs attempted to avoid this jurisdictional roadblock by filing a separate lawsuit challenging the NDAA, but even if the later-filed NDAA Lawsuit had any relevance to Plaintiffs’ standing in the BOD Lawsuit, that relevance has been eliminated by its dismissal. Because the BOD Lawsuit is dismissed for lack of standing, the Court need not reach the parties’ cross-motions for summary judgment. I. BACKGROUND A. The Threat of Russian Cyber-Attacks An important context of Plaintiffs’ lawsuits, which neither party appears to dispute, is that it is the assessment of the United States government that cyber-attacks, especially from Russia, present a potent threat to critical United States infrastructure. As described by then- Director of National Intelligence James R. Clapper in a statement to the Senate Armed Services Committee in 2015, “[p]olitically motivated cyber-attacks are now a growing reality, and foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.” AR0106. “[T]hose conducting cyber espionage are targeting US government, military, and commercial networks on a daily basis.”Id.
As current Director of National Intelligence Daniel R. Coats recently stated in a similar report, “Russia is a full-scope cyber actor that will remain a major threat to US Government, military, diplomatic, commercial, and critical infrastructure.” AR0065. “Moscow has a highly advanced offensive cyber program, and in recent years, the 5 Kremlin has assumed a more aggressive cyber posture.”Id.
“This aggressiveness was evident in Russia’s efforts to influence the 2016 US election.”Id.
B. Kaspersky Lab and Eugene Kaspersky Kaspersky Lab is a large cybersecurity company headquartered in Moscow. See Decl. of Angelo Gentile, BOD Lawsuit ECF No. 19-3 (“Gentile Decl.”), ¶¶ 9-11. It sells products that are intended to protect its customers’ computer systems against cyber-threats. Id. ¶ 9. The company was founded in 1997 by Eugene Kaspersky, who serves as the company’s Chief Executive Officer. Id. ¶ 11. Kaspersky Lab is a multinational corporation present in countries throughout the world, but the particular Plaintiffs in the two lawsuits discussed in this Opinion are Kaspersky Lab, Inc., a Massachusetts corporation that acts as the North American headquarters for Kaspersky Lab, and Kaspersky Lab Limited, a U.K.-based holding company for Kaspersky Lab entities. Id. ¶¶ 4, 9-11. It is important to note that Kaspersky Lab does not sell its products exclusively to the United States federal government. Id. ¶ 9. Far from it. To the contrary, “[o]ver 400 million users—from governments to private individuals, commercial enterprise to critical infrastructure owners and operators alike—utilize Kaspersky Lab technologies.” Id. ¶ 9. Indeed, only a tiny fraction of Kaspersky Lab sales in the United States are to the federal government. Id. ¶ 15. “Active licenses held by federal agencies in September 2017 had a total value (to Kaspersky Lab, Inc. and the Company as a whole) of less than $54,000—approximately 0.03% of Kaspersky Lab, Inc.’s annual U.S. sales at the time.” Id. C. Early Concerns Voiced About Kaspersky Lab Products Members of Congress and the Executive Branch began expressing concerns about the government’s use of Kaspersky Lab products—and acting on those concerns—in, at least, early 6 2017. For example, during a March 2017 Senate hearing on Russian cyber activities, Senator Marco Rubio of Florida cited a “long history” of open-source reporting connecting Kaspersky Lab to Russian security services, and asked a panel of cybersecurity experts if they would feel comfortable using Kaspersky Lab products on their devices. Although one of those experts noted that “Kaspersky is not an arm of the Russian government,” another responded “no, I wouldn’t, and I wouldn’t recommend that you do it either.” Disinformation: A Primer in Russian Active Measures and Influence Campaigns, Panel II Before the S. Select Comm. on Intelligence, 115th Cong. 40 (Mar. 30, 2017). In April 2017, the Senate Select Committee on Intelligence asked the Director of National Intelligence and the Attorney General to investigate Kaspersky Lab’s ties to the Russian government. See Bolstering the Government’s Cybersecurity: Assessing the Risks of Kaspersky Lab Products to the Federal Government Before the H. Comm. on Science, Space, and Technology, 115th Cong. 33 (Oct. 25, 2017). That same month, two Congressmen introduced a bill describing Kaspersky Lab as “a company suspected of having ties with the Russian intelligence services and later caught up in a Russian espionage investigation.” H.R. Con. Res. 47, 115th Cong. (2017). In May 2017, six United States intelligence directors, including the directors of the Central Intelligence Agency (“CIA”) and the National Security Agency (“NSA”), told the Senate Select Committee on Intelligence that they would not be comfortable using Kaspersky Lab products on their computers. See Hearing on Worldwide Threats Before the S. Select. Comm. on Intelligence, 115th Cong. (May 11, 2017), https://www.intelligence.senate.gov/hearings/open-hearing-worldwide-threats-hearing-0. NSA Director Michael Rogers said that he was “personally involved” in monitoring the Kaspersky Lab issue, and then-CIA Director Michael Pompeo acknowledged that concerns about Kaspersky Lab products “ha[d] risen to the director” level at the CIA. Id. 7 Throughout the summer of 2017, lawmakers continued to raise concerns about the presence of Kaspersky Lab products on federal government systems in at least three other committee hearings in the House and the Senate. See Bolstering the Government’s Cybersecurity: Lessons Learned from Wannacry Before H. Comm. on Science, Space, and Technology, 115th Cong. (June 15, 2017); Russian Interference in the 2016 U.S. Elections Before S. Select Comm. on Intelligence, 115th Cong. (June 21, 2017); Help or Hindrance? A Review of SBA’s Office of the Chief Information Officer Before the H. Comm. on Small Business, 115th Cong. (July 12, 2017). In July 2017, Congressman Lamar Smith, Chairman of the House Science Committee, sent a letter to various federal agencies requesting information about their use of Kaspersky Lab software and expressing concern that the company’s products were “susceptible to manipulation by the Russian government.” AR0557-58. Also in July 2017, the General Services Administration (“GSA”) removed Kaspersky Lab as a pre-approved vendor for contracts. AR0017. D. Communications Between Kaspersky Lab and DHS Prior to BOD 17-01 On July 18, 2017, amidst this growing consensus that the use of Kaspersky Lab products to defend federal systems posed national security risks, Eugene Kaspersky wrote then-Secretary of Homeland Security John F. Kelly a letter “offer[ing] any information or assistance we can provide with regard to any Department investigation regarding the company, its operations, or its products.” AR0749. The letter generally extolled Kaspersky Lab’s integrity and sought to assure Secretary Kelly that the company had no ties with the Russian government and has not, and would not, assist any government with cyber-espionage efforts. Id. Mr. Kaspersky offered to make himself available to DHS, the Senate Select Committee on Intelligence, or any other committees or agencies conducting any relevant investigations. Id. 8 DHS responded by letter on August 14, 2017, thanking Mr. Kaspersky for offering to provide information, stating that DHS looked forward to communicating with him further, and indicating that DHS “will be in touch again shortly.” AR0940. E. BOD 17-01 Much to Plaintiffs’ dismay, the next they heard from DHS was on September 13, 2017, when, pursuant to her authority under FISMA, Acting DHS Secretary Elaine C. Duke issued BOD 17-01, entitled “Removal of Kaspersky-Branded Products.” AR0633-35. A very brief explanation of BODs generally is necessary here. Pursuant to FISMA, federal agencies are required, under the supervision of the Director of the Office of Management and Budget and the Secretary of Homeland Security, to establish and implement their own policies, principles, standards and guidelines on information security.44 U.S.C. § 3554
(b) (“Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency.”). As particularly relevant to this case, FISMA provides that “[t]he Secretary, in consultation with the Director, shall administer the implementation of agency information security policies and practices for information systems,” including by “developing and overseeing the implementation of binding operational directives to agencies.”44 U.S.C. § 3553
(b)(2). A binding operational directive, or BOD, is “a compulsory direction to an agency that (A) is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk; (B) shall be in accordance with policies, principles, standards, and guidelines issued by the Director; and (C) may be revised or repealed by the Director if the direction issued on behalf of the Director is not in accordance with policies and principles 9 developed by the Director.”Id.
§ 3552(b)(1). In other words, BODs are used to address suspected threats, vulnerabilities, or risks to federal information systems. In this way, the BOD is a tool that gives the DHS Secretary the ability to take swift action based on predictive judgments to address constantly evolving cyber-threats. BOD 17-01 in particular required all federal departments and agencies to take three actions: (1) within 30 days of the issuance of the BOD (October 13, 2017), all agencies were required to identify the use or presence of Kaspersky-branded products on all federal information systems and report this information to DHS; (2) within 60 days (November 12, 2017), all agencies were required to develop and provide to DHS a plan for removing and discontinuing present and future use of all Kaspersky-branded products beginning 90 days after the issuance of the BOD; and (3) within 90 days (December 12, 2017), unless otherwise directed, all agencies were required to begin implementing their plan and provide DHS a status report on that implementation every 30 days thereafter until full removal and discontinuance of Kaspersky- branded products was achieved. AR0634-35. “Kaspersky-branded products” were defined as “information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.” AR0634. BOD 17-01 exempted from its scope “national security systems” and certain other systems operated by the Department of Defense and the intelligence community. AR0633. The BOD itself stated that “DHS, in consultation with interagency partners, ha[d] determined that the risks presented by Kaspersky-branded products justif[ied] the issuance of” the BOD, AR0633, and a “Decision Memorandum” accompanying the BOD explained the reasoning underlying that determination. The Acting Secretary stated that she had issued the BOD because, based on the evidence presented to her by the Assistant Secretary for Cyber 10 Security and Communications, she had concluded that Kaspersky-branded products on federal information systems presented a known or reasonably suspected information security threat, vulnerability, and risk to federal information and information systems. AR0628-29. That conclusion was based primarily on the following factors: (1) Kaspersky-branded products were currently being used by federal agencies, and Kaspersky Lab intended to expand its sale of those products to federal agencies in the near future; (2) anti-virus products like Kaspersky Lab’s enjoy broad access to files and elevated privileges on the systems on which they are used that can be exploited by malicious cyber-actors; (3) data of those using Kaspersky Lab products is transferred automatically from their computers to Kaspersky Lab servers (which are either located in Russia or accessible from Russia); (4) Russia has engaged in, and will likely continue to engage in, malicious cyber-activities against United States government information systems; (5) Kaspersky Lab and Kaspersky Lab officials have ties to the Russian government, and specifically to its intelligence services; and (6) Russian legal provisions allow Russian intelligence services to request or compel assistance from companies like Kaspersky Lab and to intercept communications transiting Russian networks. AR0629-30. The BOD was not based on a determination that Kaspersky Lab was disloyal or guilty of any wrongdoing. Acting Secretary Duke explained that the “crux” of the threat addressed by the BOD was “the ability of the Russian government, whether acting on its own or through Kaspersky, to capitalize on access to federal information and information systems provided by Kaspersky-branded products.” AR0629. “These risks,” she noted, “exist regardless of whether Kaspersky-branded products already have been used by Kaspersky or the Russian Government for malicious purposes.” Id. Her determination was supported by the unclassified information 11 presented to her, although she noted that she had reviewed classified information as well that provided further support for her action. AR0631. BOD 17-01 was supported by a considerable administrative record. Most relevant for the purposes of this Opinion is a September 1, 2017, memorandum prepared for Acting Secretary Duke by the Assistant Secretary for Cyber Security and Communications, Jeanette Manfra, which outlined much of the publically available information underlying concerns about Kaspersky Lab products. AR0003-23. The memo stated that “DHS cybersecurity experts in the National Protection and Programs Directorate, in consultation with interagency partners, agree that Kaspersky-branded products present known or reasonably suspected information security risks to federal information and information systems.” AR0004. More specifically, the memo stated that: BOD 17-01 is based on expert judgment about threats to U.S. national security. The danger stems in part from the inherent properties of anti-virus software, which operates with broad file access and elevated privileges. Such access and privileges can be exploited by a malicious cyber actor such as Russia, which has demonstrated the intent to target the U.S. government and the capability to exploit vulnerabilities in federal information systems. Kaspersky or the Russian government could use this software to engage in a wide range of malicious cyber activities against federal information and information systems, including exfiltrating files, modifying data, or installing malicious code, with potentially grave consequences for U.S. national security. These actions could take place because of a range of factors, including Russian laws that authorize the Russian Federal Security Service (“FSB”) to compel Russian enterprises to assist the FSB in the execution of FSB duties, to second FSB agents to Russian enterprises (with the enterprise’s consent), and to require Russian companies to include hardware or software needed by the FSB to engage in “operational/technical measures.” Kaspersky also relies on the FSB for needed business licenses and certificates, and the FSB could condition the granting of such approvals on Kaspersky’s cooperation. Finally, Russian law allows the FSB to intercept all communications transiting Russian telecommunications and Internet Service Provider networks, which presumably includes data transmissions between Kaspersky and its 12 U.S. government customers. Because of these known or reasonably suspected risks to federal information and information systems, which directly implicate U.S. national security, this memorandum recommends that you exercise your authority to issue BOD 17-01. Id. The Assistant Secretary’s memo goes on to explain these concerns in far more detail than the Court will recount in this Opinion. However, certain of her findings warrant emphasis. First, according to a report prepared by the National Cybersecurity and Communications Integration Center (“NCCIC”), anti-virus products generally, and Kaspersky Lab products specifically, present unique security risks. AR0007. Because these products are intended to defend against cyber-threats, they require the highest level of privileges and access on the systems on which they are installed. Id. Those privileges may allow them to extract files and send them to company servers and may permit the interception of otherwise-encrypted communications. Id. Moreover, because these products are themselves supposed to defend the systems on which they are installed from malicious activities, they can be modified to intentionally not identify malicious files. Id. They can also be used to install malicious code under the guise of a security update, extract a file of interest under the pretext that it needs to be inspected for malware, or simply decline to install security updates that are needed. AR0008. In other words, if compromised, cybersecurity products like Kaspersky Lab’s could end up being the proverbial fox guarding the hen house. Also warranting brief mention here is the memorandum’s analysis of Kaspersky Lab’s ties to the Russian government and intelligence agencies (including Eugene Kaspersky’s personal ties). These include, among other things, reports that Kaspersky Lab has certificates and licenses from the Federal Security Service (“FSB”), a Russian intelligence service, that suggest a close relationship between Kaspersky Lab and that organization, as well as reports that Eugene Kaspersky, who graduated from an institute that was sponsored by the KGB and 13 previously worked for the Russian Ministry of Defense, maintains close personal ties with Russian intelligence officers. AR0011-13. Other Kaspersky Lab leaders have similar pedigrees. AR0013. In addition to citing the above facts as her basis for concern that Kaspersky Lab products posed a cybersecurity risk on federal systems, Acting Secretary Duke also explained her reasoning for using a BOD to address this risk as opposed to a “debarment” process under the Federal Acquisition Regulation (“FAR”). AR0631. She concluded that debarment would not be effective because “debarment would affect only future contracts for a finite period; it would not require federal agencies to remove products previously purchased and installed on federal networks, and thus would not address current information security risks to federal information systems.” Id. Debarment also would allow third parties to continue selling Kaspersky Lab products to the federal government, and would allow agencies to continue contracts in existence at the time the contractor was debarred. Id. For those reasons, the Acting Secretary determined that debarment would not remove the threat DHS (and others) had identified because it would not completely remove Kaspersky Lab products from federal information systems. Id. 3 The BOD established an administrative process for the submission and consideration of comments on the removal of Kaspersky-branded products before that removal took place 90 days thereafter. AR0630. On the same day that BOD 17-01 was issued, Acting Secretary Duke also sent Eugene Kaspersky a letter informing him of the BOD and providing him “an opportunity to provide [DHS] with any information that [he thought was] relevant to [her] ongoing 3 Both the Acting Secretary’s Decision Memorandum and the Assistant Secretary’s memorandum addressed “contrary evidence” or arguments that Kaspersky Lab had publicly made regarding the integrity of its products, and explained why those arguments were not persuasive. AR0630; AR0019-23. 14 deliberations concerning [Kaspersky Lab’s] products and services.” AR0637-38. The letter informed Mr. Kaspersky that he could initiate a review by DHS by providing the Department with a written response to the BOD and supporting evidence. Id. DHS also published a notice in the Federal Register that explained the actions required by BOD 17-01, and gave any entity whose commercial interests were directly impacted by the BOD an opportunity to respond, provide additional information, and initiate a review by DHS. AR0639-46. Mr. Kaspersky and other entities that wanted to respond were given 45 days to do so, and informed that a decision by the Secretary regarding their responses would be communicated to them in 85 days. AR0639, 646. F. Congressional Scrutiny of Kaspersky Lab Continues In the meantime, Congress continued to deliberate about the risks presented by the reliance on Kaspersky Lab products to defend federal systems. In October 2017, the House Science Committee held investigative hearings on the federal government’s use of Kaspersky Lab products, and the implementation of BOD 17-01. See, e.g., Bolstering the Government’s Cybersecurity: Assessing the Risks of Kaspersky Lab Products to the Federal Government Before the H. Comm. on Science, Space, and Technology, 115th Cong. 33 (Oct. 25, 2017). The BOD itself was discussed, as were the major issues raised by DHS about Kaspersky Lab products in the BOD proceedings, including, among other things, Kaspersky Lab and Eugene Kaspersky’s ties to Russia and their susceptibility to exploitation by the Russian government. On October 31, 2017, the House Science Committee issued a report about the risks presented by the presence of Kaspersky Lab products on federal government systems and concluded that “Congress must take aggressive actions to support and assure a fundamentally different approach to cybersecurity that addresses the magnitude and nature of growing threats.” H.R. Rep. No. 15 115-376, at 4 (Oct. 31, 2017); see also Decl. of Ryan P. Fayhee, ECF No. 19-4 (“Fayhee Decl.”), Ex. D (transcript from November 2017 House Subcommittee on Oversight hearing regarding the implementation of BOD 17-01). G. Kaspersky Lab Responds to the BOD Kaspersky submitted a lengthy response to BOD 17-01 on November 10, 2017. AR0647-745; see also AR0746-48 (granting Kaspersky Lab a one-week extension of time to submit their response). According to Plaintiffs, the submission “rebutted at length the legal arguments and factual allegations levied against Plaintiffs, corrected many misunderstandings apparently held by DHS and perpetuated by the cited news reports, and highlighted the deficiencies in the administrative process offered by DHS.” Pls.’ Mem. at 9. The submission argued, among other things, that Kaspersky Lab had no improper relationship with the Russian government; that there was no evidence that Kaspersky Lab had engaged in any wrongdoing or posed any more risk than similarly situated companies; that the BOD was based on uncorroborated and anonymous sources; that the administrative procedure surrounding the issuance of the BOD and for responding to the BOD was insufficient; and that the BOD violated Kaspersky Lab’s equal protection and due process rights. Id. No other entity submitted a response to the BOD. AR0755. On November 29, 2017, Kaspersky Lab officials and their counsel met with DHS officials to discuss BOD 17-01. See Fayhee Decl. ¶ 6. DHS officials had declined to meet with Kaspersky Lab until after their written response to the BOD was submitted. AR0746-68. At the November 29, 2017 meeting, “Plaintiffs responded to a number [of] questions from DHS attorneys regarding the Kaspersky Lab Submission.” Fayhee Decl. ¶ 6. The meeting included a discussion of the company’s submission and numerous related topics, including “Kaspersky’s 16 corporate structure,” “the alleged effects to the company’s business,” “the NDAA,” “Kaspersky’s intention not to target federal business,” and “mitigation proposals.” AR0755. H. Final Decision on BOD 17-01 On December 6, 2017, Acting Secretary Duke issued a “Final Decision” on BOD 17-01. AR0934-37. She stated that the Department had “closely reviewed the Kaspersky Submission,” “met with Kaspersky and its counsel,” “identified additional statements made by Kaspersky from public sources, obtained information from agencies pursuant to the BOD 17-01 reporting requirements, and received a report on relevant provisions of Russian law prepared by Professor Peter Maggs of the University of Illinois College of Law, as well as a supplemental Assessment from the [NCCIC].” AR0935. Secretary Duke stated that “the information obtained by DHS since issuance of the BOD [did] not meaningfully impact, and indeed further support[ed], the information security and national security determination that [she] made in issuing the BOD.” AR0934. Accordingly—relying on the reasons explained in the preceding DHS memoranda— the Acting Secretary stated that her determination that Kaspersky-branded products presented a known or reasonably suspected information security threat, vulnerability, or risk to federal information and information systems remained unchanged, and that she maintained BOD 17-01 without modification. AR0935. Acting Secretary Duke sent a letter to Mr. Kaspersky notifying him of her decision the day it was issued. AR0938. The reasoning underlying the Final Decision was explained further in a memorandum from Assistant Secretary Manfra. AR0752-76. That memorandum indicated that fourteen federal government agencies had reported identifying Kaspersky-branded products on their information systems. AR0756. Some of those agencies had, on their own initiative, already removed those products prior to the 90-day deadline under BOD 17-01. Id. This was done of 17 the agencies’ own accord, pursuant to their own agency risk management responsibilities under FISMA. Id. DHS did not advise those agencies to remove the products before the BOD’s 90- day deadline. Id. All other agencies had submitted plans to remove Kaspersky Lab products, but had not yet implemented them. Id. This memorandum also discussed the report on Russian law prepared by Professor Peter Maggs. AR0756; see also AR0777-821 (Report of Peter B. Maggs). Professor Maggs had prepared a report that, the memorandum indicated, supported DHS’s view of Russian law and provided additional support for DHS’s Russian law-related concerns (i.e., that under Russian law, the FSB could use companies like Kaspersky Lab with or without their consent). Id. The memorandum also contained approximately 18 pages of detailed responses to the arguments in Kaspersky Lab’s response to BOD 17-01, explaining why those arguments were not persuasive to DHS. AR0757-75. In conclusion, the Assistant Secretary stated that, “the totality of the administrative record,” including Kaspersky Lab’s submission, “presents a compelling picture of the various ways that the Russian Government, and particularly the FSB intelligence agency, can compel, request, and otherwise exploit the access provided by Kaspersky-branded products to the information and information systems of Kaspersky customers, including U.S. government customers.” AR0775. I. The National Defense Authorization Act for Fiscal Year 2018 Almost immediately after the BOD was finalized, it was effectively superseded by an act of Congress. On the heels of DHS’s proceedings, Congress passed, and President Donald J. Trump signed into law, the NDAA. See PL 115-91, 2017 HR 2810, PL 115-91, December 12, 2017, 131 Stat 1283. In very summary terms, the NDAA is a law that authorizes appropriations and sets policies for Department of Defense programs and activities. 18 The relevant portion of the NDAA for the purposes of this Opinion is Section 1634. Section 1634 falls within Subtitle C of the Act, entitled “Cyberspace-Related Matters.” Section 1634(c) requires the Secretary of Defense, in consultation with other agencies, to conduct a review of procedures for removing suspect products and services from federal information technology networks and to submit a report to Congress on the same. Section 1634(a) focuses on Kaspersky Lab products. It states that “[n]o department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—(1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.” Id. § 1634(a). Section 1634(b) sets October 1, 2018, as the effective date for the prohibition. Id. § 1634(b). This prohibition is broader in scope than BOD 17-01 in two ways. First, it applies to all Kaspersky Lab products (hardware, software, and services), whereas the BOD only applied to a smaller subset of “Kaspersky-branded products.” Second, unlike BOD 17-01, the NDAA does not have any carve outs or exceptions for national security systems or other systems used by the Department of Defense or the intelligence community. As initially introduced, the NDAA did not contain a provision regarding Kaspersky Lab products. An amendment to the Act adding a prohibition on the use of Kaspersky Lab products was first introduced by Senator Jeanne Shaheen of New Hampshire. A Senate Armed Services Committee executive summary described the amendment as a response to “reports that the 19 Moscow-based company might be vulnerable to Russian government influence.” NDAA FY 2018, U.S. Senate Armed Services Committee, at 10, https://www.armed-services.senate. gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf. Senator Shaheen’s proposed prohibition appears to have attracted bipartisan support in Congress and grown broader before it was eventually passed into law as Section 1634. Plaintiffs’ lawsuits cite certain statements Senator Shaheen made to the public regarding the proposed prohibition and Kaspersky Lab generally around the time that the amendment was introduced and adopted. On September 4, 2017, the New York Times published an editorial authored by Senator Shaheen, in which she asserted that the use of Kaspersky Lab products by federal agencies created a “threat” of Russian cyber-interference, and that she was proposing an amendment to bar federal government use of those products “to close this alarming national security vulnerability.” See Compl., Ex. C, NDAA ECF No. 1-3. In addition, in a September 18, 2017, press release, issued after an amendment to the NDAA barring the use of Kaspersky Lab products passed in the Senate, Senator Shaheen stated that “[t]he case against Kaspersky Lab is overwhelming.” See Compl., Ex. E, NDAA ECF No. 1-5. She continued: The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented. I’m very pleased that the Senate has acted in a bipartisan way on my amendment that removes a real vulnerability to our national security. I applaud the Trump administration for heeding my call to remove Kaspersky Lab software from all federal computers. It’s important that this prohibition also be a part of statute and be expanded to the entire federal government, as my amendment would do. Considering the 20 strong bipartisan, bicameral support for this proposal, I’m optimistic this will soon be signed into law. J. Plaintiffs’ Lawsuits and Procedural History Plaintiffs Kaspersky Lab Inc. and Kaspersky Labs Limited have filed two related but separate lawsuits. One, the BOD Lawsuit, was filed on December 18, 2017, shortly after the BOD was finalized and the NDAA was signed into law. See Compl., BOD ECF No. 1. Plaintiffs allege in that suit that the BOD and the Final Decision confirming the BOD violate the APA and Plaintiffs’ Fifth Amendment right to due process. Id. ¶¶ 1, 20. The lawsuit does not challenge the NDAA. On January 17, 2018, Plaintiffs filed an Application for Preliminary Injunction in the BOD Lawsuit. See Pls.’ App. for Preliminary Injunction, BOD ECF No. 10. Upon receipt of that Application, the Court immediately held a teleconference on the record with the parties to set a briefing schedule. Defendants then filed an opposition to that Application wherein they argued, in part, that Plaintiffs lacked standing. See Defs.’ Mem. in Opp’n to Pls.’ App. for Prelim. Inj., BOD ECF No. 13, at 14-27. Because the BOD Lawsuit left the NDAA’s complete prohibition of Kaspersky Lab products unchallenged, Defendants argued that even if Plaintiffs were successful in obtaining the rescission of BOD 17-01, their alleged harms would not be redressed. Id. In an apparent effort to rebut this argument, on the same day that Plaintiffs filed their reply in support of their Application for Preliminary Injunction in the BOD Lawsuit, they also filed the NDAA Lawsuit. See Compl., NDAA ECF No. 1. That suit claims that Sections 1634(a) and (b) of the NDAA constitute an unconstitutional bill of attainder. Id. ¶ 4. After these filings, the Court issued a Minute Order giving Defendants in the BOD Lawsuit an opportunity to file a sur-reply addressing the legal relevance of the newly-filed 21 NDAA lawsuit to Plaintiffs’ request for a preliminary injunction in the BOD Lawsuit. See Feb. 13, 2018 Min. Order. The Court also gave Plaintiffs an opportunity to withdraw their preliminary injunction application in lieu of pursuing an expedited summary judgment briefing schedule. 4 Id. Plaintiffs subsequently did withdraw their application. See Pls.’ Notice of Withdrawal, BOD ECF No. 16. The Court then consolidated the BOD Lawsuit and the NDAA Lawsuit “solely for the purpose of briefing an upcoming round of dispositive motions,” including cross-motions for summary judgment and a motion to dismiss in the BOD Lawsuit and a motion to dismiss in the NDAA Lawsuit.” See Feb. 16, 2018 Order, BOD ECF No. 17, NDAA ECF No. 7. Those motions have now been fully briefed and are ripe for resolution. II. LEGAL STANDARDS A. Motion to Dismiss for Lack of Jurisdiction When a motion to dismiss a complaint under Federal Rule of Civil Procedure 12(b)(1) is filed, a federal court is required to ensure that it has “the ‘statutory or constitutional power to adjudicate [the] case[.]’” Morrow v. United States,723 F. Supp. 2d 71
, 77 (D.D.C. 2010) (emphasis omitted) (quoting Steel Co. v. Citizens for a Better Env’t,523 U.S. 83
, 89 (1998)). “Federal courts are courts of limited jurisdiction” and can adjudicate only those cases or controversies entrusted to them by the Constitution or an act of Congress. Kokkonen v. 4 As the Court discussed with the parties, there is a troubling trend in APA cases whereby plaintiffs are routinely filing preliminary injunction motions simply to “jump the queue” and have the Court consider the merits of their claims immediately. There are certainly instances where such motions are necessary and appropriate to prevent an impending injury, but increasingly these “emergency” motions are being filed simply because the plaintiff is aggrieved by an agency decision and wants the Court to focus its attention on its claims immediately, at the expense of the claims of other litigants. This practice is strongly discouraged. See Am. Bioscience, Inc. v. Thompson,269 F.3d 1077
, 1084 n.8 (D.C. Cir. 2001) (warning against the use of preliminary injunction motions in APA cases); Emily’s List v. Fed. Election Comm’n,362 F. Supp. 2d 43
, 53 (D.D.C.), aff’d, 170 F. App’x 719 (D.C. Cir. 2005) (“the preliminary injunction stage is not the appropriate time to consider the merits of Plaintiff’s substantive APA claims.”). 22 Guardian Life Ins. Co. of Am.,511 U.S. 375
, 377 (1994). In determining whether there is jurisdiction on a motion to dismiss, the Court may “consider the complaint supplemented by undisputed facts evidenced in the record, or the complaint supplemented by undisputed facts plus the court’s resolution of disputed facts.” Coal. for Underground Expansion v. Mineta,333 F.3d 193
, 198 (D.C. Cir. 2003) (citations omitted). “Although a court must accept as true all factual allegations contained in the complaint when reviewing a motion to dismiss pursuant to Rule 12(b)(1),” the factual allegations in the complaint “will bear closer scrutiny in resolving a 12(b)(1) motion than in resolving a 12(b)(6) motion for failure to state a claim.” Wright v. Foreign Serv. Grievance Bd.,503 F. Supp. 2d 163
, 170 (D.D.C. 2007) (citations omitted). B. Motion to Dismiss for Failure to State a Claim Under Rule 12(b)(6), a party may move to dismiss a pleading on the grounds that it “fail[s] to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). “[A] complaint [does not] suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Ashcroft v. Iqbal,556 U.S. 662
, 678 (2009) (quoting Bell Atl. Corp. v. Twombly,550 U.S. 544
, 557 (2007)). Rather, a complaint must contain sufficient factual allegations that, if accepted as true, “state a claim to relief that is plausible on its face.” Twombly,550 U.S. at 570
. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal,556 U.S. at 678
. “In determining whether a complaint fails to state a claim, [the Court] may consider only the facts alleged in the complaint, any documents either attached to or incorporated in the complaint and matters of which [the Court] may take judicial notice,” such as facts in the public record. E.E.O.C. v. St. Francis Xavier Parochial Sch.,117 F.3d 621
, 624 (D.C. Cir. 1997). 5 5 The Court has taken judicial notice of all of the public records discussed in this Opinion. 23 III. DISCUSSION The Court’s Opinion will be divided into two parts. The first part addresses Defendant’s motion to dismiss the NDAA Lawsuit on the grounds that Sections 1634(a) and (b) of the NDAA do not constitute legislative punishment, and therefore are not a bill of attainder. The second part of the Court’s Opinion addresses Defendants’ motion to dismiss the BOD Lawsuit on the grounds that Plaintiffs lack standing to challenge BOD 17-01. Defendants argue that the harms that this agency action allegedly causes Plaintiffs are independently caused by the NDAA, which will remain “on the books” even if the BOD is rescinded, rendering the outcome of the BOD Lawsuit meaningless. The Court agrees with Defendants and will dismiss both lawsuits. It accordingly need not reach the parties’ cross-motions for summary judgment in the BOD Lawsuit. A. The NDAA Lawsuit Plaintiffs claim that Sections 1634(a) and (b) of the NDAA constitute a bill of attainder in violation of Section 9 of Article I of the United States Constitution. That Section states that “[n]o Bill of Attainder or ex post facto Law shall be passed.” U.S. Const. art. I, § 9, cl. 3 (the “Bill of Attainder Clause”). A bill of attainder is “a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without provision of the protections of a judicial trial.” Nixon,433 U.S. at 468
. “Under the now prevailing case law, a law is prohibited under the bill of attainder clause ‘if it (1) applies with specificity, and (2) imposes punishment.’” Foretich v. United States,351 F.3d 1198
, 1217 (D.C. Cir. 2003) (quoting BellSouth Corp. v. F.C.C.,162 F.3d 678
, 683 (D.C. Cir. 1998) (“BellSouth II”)); see also United States v. Brown,381 U.S. 437
, 447 (1965) (explaining that the Bill of Attainder Clause bars “legislative punishment, of any form or severity, of specifically designated persons or groups”). “Both 24 ‘specificity’ and ‘punishment’ must be shown before a law is condemned as a bill of attainder.” Foretich,351 F.3d at 1217
. Defendant appears to concede the specificity element—the heart of the parties’ dispute is about punishment. 1. Specificity The first requirement of any bill of attainder is that it be specific. That is, the law must apply with specificity to only a designated person or group. “The element of specificity may be satisfied if the statute singles out a person or class by name or applies to ‘easily ascertainable members of a group.’” Hettinga v. United States,677 F.3d 471
, 477 (D.C. Cir. 2012) (quoting Foretich,351 F.3d at 1217
). Defendant does not contend in its Motion to Dismiss that Sections 1634(a) and (b) lack the requisite specificity. See Def.’s Mem. at 11 (“Even assuming Kaspersky can demonstrate that Section 1634 satisfies the specificity requirement . . . ”). Accordingly, for the purposes of this Opinion, the Court will assume that the specificity requirement is satisfied. Given that the NDAA expressly singles out Kaspersky Lab by name, this assumption appears to be a sound one. 2. Punishment Specificity alone, however, “does not render a statute an unconstitutional bill of attainder.” Foretich,351 F.3d at 1217
. The law must also inflict “punishment.”Id.
Many laws apply with specificity. It is the inflicting of “punishment” that is the “principal touchstone” of a bill of attainder.Id. at 1218
. “In deciding whether a statute inflicts forbidden punishment,” the Supreme Court has “recognized three necessary inquiries: (1) whether the challenged statute falls within the historical meaning of legislative punishment [the “Historical Test”]; (2) whether the statute, ‘viewed in terms of the type and severity of burdens imposed, reasonably can be said to further 25 nonpunitive legislative purposes’ [the “Functional Test”]; and (3) whether the legislative record ‘evinces a congressional intent to punish’ [the “Motivational Test”].” Selective Serv. Sys. v. Minnesota Pub. Interest Research Grp.,468 U.S. 841
, 852 (1984) (quoting Nixon,433 U.S. at 473, 475-76, 478
). These three tests are each “independent—though not necessarily decisive— indicator[s] of punitiveness.” Foretich,351 F.3d at 1218
. They “are considered independently, and are weighed together to resolve a bill of attainder claim.” Patchak v. Jewell,828 F.3d 995
, 1006 (D.C. Cir. 2016). That being said, the D.C. Circuit has noted on multiple occasions that the Functional Test is the most important of the three, see, e.g., BellSouth II,162 F.3d at 684
, and indeed that “compelling proof” under this test may even “be determinative,” Foretich,351 F.3d at 1218
. All three tests lead to the same conclusion in this case: the challenged provisions of the NDAA are not punishment. Sections 1634(a) and (b) of the NDAA do not fall within the historical meaning of legislative punishment and reasonably further the nonpunitive legislative purpose of safeguarding the Nation’s infrastructure from the risk of Russian cyber-attacks. Moreover, there is nothing in the record that indicates a congressional intent to punish Kaspersky Lab. a. The Historical Test First, the NDAA does not qualify as a bill of attainder under the Historical Test. The Historical Test asks if the challenged legislation constitutes one of a “checklist of deprivations and disabilities” that have been historically associated with bills of attainder. Foretich,351 F.3d at 1218
. This checklist includes death, “imprisonment, banishment, . . . the punitive confiscation of property by the sovereign,” and “legislative enactment[s] barring designated individuals or groups from participation in specified employments or vocations.” Nixon,433 U.S. at 474
. These “deprivations and disabilities” have been said to be “so disproportionately severe and so 26 inappropriate to nonpunitive ends that they unquestionably have been held to fall within the proscription of Art. I, s 9.”Id. at 473
. Little need be said about most of these historical forms of legislative punishment. Sections 1634(a) and (b) of the NDAA bar federal government agencies from using the products of a particular cybersecurity vendor. They do not order anyone’s execution, imprisonment, or banishment, nor do they confiscate anyone’s property. Plaintiffs do not seem to seriously contend otherwise. 6 Instead, Plaintiffs’ principal argument with respect to the Historical Test is that the NDAA “falls within the scope of the historic work and employment bans.” Pls.’ Opp’n at 8. This argument is untenable. There is no doubt that legislation barring specific individuals or groups of individuals from certain types of employment, or preventing them from pursuing certain vocations, constitutes “punishment” as that term has been historically understood. In fact, “the [Supreme] Court’s four major decisions invalidating statutes on Bill of Attainder Clause grounds have all involved legislation preventing specific classes of persons from pursuing certain occupations.” BellSouth Corp. v. F.C.C.,144 F.3d 58
, 64 (D.C. Cir. 1998) (“BellSouth I”). These decisions (hereinafter, the “Employment Ban Cases”) include United States v. Brown,381 U.S. 437
(1965), in which the Supreme Court invalidated a law that made it a crime for a member of the 6 In a footnote, Plaintiffs make a cursory argument that the NDAA is a “punitive confiscation of property” because it will “diminish the value of the corporation” “if sold to a new owner.” Pls.’ Opp’n at 11 n.6. As an initial matter, Plaintiffs have no property interest in discretionary contracts that they may or may not have received from the federal government in the future. Regardless, the Court rejects the notion that any attenuated effect on a hypothetical future sale of Plaintiffs’ corporation is the type of punitive “confiscation of property by the sovereign” that has historically been associated with bills of attainder. Plaintiffs cite nothing in support of that argument. 27 Communist Party to serve as an officer of a labor union, United States v. Lovett,328 U.S. 303
(1946), in which the Court invalidated a law that prohibited payment of salary to three named federal employees who were members of the Communist Party, and Cummings v. Missouri,71 U.S. 277
(1866) and Ex parte Garland,71 U.S. 333
(1866), in which the Court struck down laws effectively preventing individuals who sympathized with the rebellion against the Union from engaging in certain professions. The NDAA, however, is nothing like the legislation in these Employment Ban Cases. Sections 1634(a) and (b) of the NDAA have nothing to do with anyone’s employment. They do not bar any individual from pursuing their livelihood or from engaging in any vocation. In fact, unlike the legislation in the Employment Ban Cases, these sections of the NDAA do not apply to any “flesh-and-blood” individuals at all. They apply to the products of a multinational corporation. Even assuming that the Bill of Attainder Clause applies to corporations in the abstract, 7 the fact that the legislation at issue here targets the products of a multinational corporation, instead of an individual, certainly distinguishes it from the “historic work and employment bans.” See BellSouth II,162 F.3d at 684
(“[I]t is obvious that there are differences between a corporation and an individual under the law,” and “[t]hus, any analogy between prior cases that have involved individuals and this case, which involves a corporation, must necessarily take into account this difference.”); ACORN v. United States,618 F.3d 125
, 137 (2d Cir. 2010) (“‘[T]here may well be actions that would be considered punitive if taken against an individual, but not if taken against a corporation.’”) (quoting Consol. Edison Co. of New York, 7 BellSouth I,144 F.3d at 63
(“We assume, as do the parties, that the Bill of Attainder Clause protects corporations as well as individuals.”); Consol. Edison Co. of New York v. Pataki,292 F.3d 338
, 346-49 (2d Cir. 2002) (holding that the Bill of Attainder Clause applies to legislation that targets corporations as well as natural persons). 28292 F.3d at 354
). This distinction is an important one, because “[w]hen the [Supreme] Court extended ‘punishment’ to include employment bars, it did so because it was concerned that the government had imposed restrictions that violated the fundamental guarantees of political and religious freedom.” BellSouth II,162 F.3d at 686
. That concern simply is not implicated here. A statute that does not apply to any individual but instead deprives a large multinational corporation of one of its many sources of revenue does not threaten anyone’s personal rights or freedoms. Moreover, even if there could be a case where depriving a corporation of a source of revenue had such a profound impact on its business that the deprivation effectively rose to the level of a work or employment ban, this is not that case. The effect on Kaspersky Lab of losing the United States federal government as a customer does not begin to compare to the effect of historically recognized “employment bans” on the targeted individuals. Those historically recognized bans have completely prevented individuals from being employed in certain positions or pursuing certain types of vocations. Kaspersky Lab is not prevented from operating as a cybersecurity business. 8 It is prevented from seeking discretionary contracts from the United States federal government. The company may still operate and derive revenue throughout the world, including in the United States, by selling its products to individuals, private companies, and other governments. This is no meaningless concession. Kaspersky Lab concedes that sales to the United States federal government make up a tiny fraction of the company’s overall business. In Kaspersky Lab’s own words, “[o]ver 400 million users—from governments to private 8 The Court rejects Plaintiffs’ attempt to characterize their “vocation” as “direct and indirect federal government contracting.” Pls.’ Opp’n at 10. That is not a vocation. 29 individuals, commercial enterprise to critical infrastructure owners and operators alike—utilize Kaspersky Lab technologies.” Gentile Decl. ¶ 9. “Active licenses held by federal agencies in September 2017 had a total value (to Kaspersky Lab, Inc. and the Company as a whole) of less than $54,000—approximately 0.03% of Kaspersky Lab, Inc.’s annual U.S. sales at the time.”Id.
There is simply no plausible way that the NDAA’s prohibition on the federal government’s use of Kaspersky Lab products—depriving that corporation of less than one percent of its revenue from sales in one country within which it operates—can be compared to the individual employment bans that have been struck down by the Supreme Court. The D.C. Circuit has rejected the argument that regulations limiting the types of business which a company may engage in, or the products it may sell, thereby depriving that company of some revenue, are akin to a historical employment ban. In BellSouth I, the D.C. Circuit held that a line-of-business restriction “imposing structural separations on corporations seeking to engage in specific types of commercial activity” was not the same as “traditional employment debarments.”144 F.3d at 64-65
. That court explained that such a restriction could not be fairly compared to employment bans because it left its subjects “free to pursue their” business goals, simply subject to requirements that, despite being “hardly costless,” did not “remotely approach the disabilities that have traditionally marked forbidden attainders.”Id. at 65
; see also Navegar, Inc. v. United States,192 F.3d 1050
, 1066-67 (D.C. Cir. 1999) (holding that law preventing a company from selling particular products was not equivalent to historical employment bans). Plaintiffs here too are free to pursue their business goals. Their products simply will not be used by the federal government of the United States. While not costless, this restriction does not approach the degree of disability historically associated with bills of attainder. 30 Perhaps the weakness of Plaintiffs’ argument on this point is best indicated by the caselaw that they are able to marshal in its support. Plaintiffs cite three out-of-circuit district court opinions, one of which is unpublished. These authorities are of course not binding and, in any event, do not discuss Plaintiffs’ argument in depth. More importantly, all three opinions are clearly distinguishable. In all of them, unlike in this case, the legislation challenged had the effect of shutting down the businesses of, and/or laying off or terminating, actual “flesh-and- blood” people. In Florida Youth Conservation Corps., Inc. v. Stutler, No. 4:06CV275-RH/WCS,2006 WL 1835967
, at *1 (N.D. Fla. June 30, 2006), the court held (in an unpublished opinion at the preliminary injunction stage with six sentences addressing the bill of attainder issue) that a law barring a not-for-profit corporation from state contracting was “very much akin to the enactments that prompted the framers to include in the Constitution a prohibition on bills of attainder.” That ruling, however, was in part based on the court’s finding that the effect of the law “would be to put plaintiff out of business, or at least to put plaintiff out of the business in which it has been engaged to date.”Id.
In Planned Parenthood of Central North Carolina v. Cansler,877 F. Supp. 2d 310
, 324 (M.D.N.C. 2012), the court held (relying primarily on Florida Youth Conservation Corps.) that a law that prevented Planned Parenthood from any opportunity to apply for or receive government grants or contracts was “analogous to legislation that prohibits a person or entity from engaging in certain employment, which courts have historically found to be associated with punishment.” That ruling, however, came after the court had determined in a previous opinion that the law at issue would require plaintiff to “close facilities” and “lay-off employees.” Planned Parenthood of Cent. N. Carolina v. Cansler,804 F. Supp. 2d 482
, 498 (M.D.N.C. 2011). Finally, in Mendelsohn v. Meese,695 F. Supp. 1474
, 1486-89 (S.D.N.Y. 1988), the court held that the Anti-Terrorism Act was akin to historical forms of 31 punishment, but it did so because the law penalized a group of “employees”—i.e., flesh-and- blood people—“by closing their offices and effectively terminating their activities in the United States.” In sum, even if the Court found the analysis in these non-binding district court opinions persuasive, they nevertheless would not prove Plaintiffs’ point because, in each of them, individual people were prevented from pursuing their employment. They do not stand for the proposition that depriving a large multinational corporation like Kaspersky Lab of one tiny source of revenue is a historically recognized form of legislative punishment. Finally, another reason that the challenged provisions of the NDAA are unlike the legislation in the Employment Ban Cases is that they do not brand Kaspersky Lab as disloyal, or express any determination that Kaspersky Lab is guilty of any wrongdoing. The decisions of the Supreme Court that have determined that employment bans are legislative punishment have done so “where the employment bans were imposed as a brand of disloyalty.” Foretich,351 F.3d at 1217
. And, more generally, “[a] familiar theme in the[ ] classic examples of punishment is the initial determination by the legislature of ‘guilt.’” ACORN,618 F.3d at 136
. The NDAA lacks these characteristics. As Plaintiffs repeatedly emphasize, the law appears to have nothing to do with any finding that Kaspersky Lab has done anything wrong or disloyal. Instead, it is premised on the determination that the use of that company’s products to defend federal government networks and computer systems presents a national security vulnerability because they could be used (whether with or without Kaspersky Lab’s knowledge or consent) by the Russian government. The law does not assume any guilt, disloyalty, or wrongdoing on the part of Kaspersky Lab. 9 9 Plaintiffs attempt to demonstrate that the law brands them as disloyal by pointing to Senator Jeanne Shaheen’s public statements. The Court is not convinced. As discussed further 32 In sum, the Court finds that Plaintiffs have not plausibly alleged that the challenged provisions of the NDAA are legislative punishment under the Historical Test. Plaintiffs, perhaps foreseeing this result, have argued that the Court should nonetheless consider that the NDAA is not entirely incongruous with historical notions of punishment when weighing all three punishment tests together. Pls.’ Opp’n at 8. The Court does consider the results of all three tests in their totality, but this does not help Plaintiffs. The next two tests clearly weigh against them. b. The Functional Test “[W]here an enactment falls outside the historical definition of punishment, therefore failing to satisfy the first test, the legislation may still be a bill of attainder under the functional test if no legitimate nonpunitive purpose appears.” Foretich,351 F.3d at 1218
. The Court accordingly moves on to the Functional Test. 10 The principal question under the Functional Test is “whether the law under challenge, viewed in terms of the type and severity of burdens imposed, reasonably can be said to further nonpunitive legislative purposes.” Nixon,433 U.S. at 475-76
. “Under this functional test, the nonpunitive aims must be ‘sufficiently clear and convincing’ before a court will uphold a below in the Court’s analysis of the Motivational Test, the thrust of Senator Shaheen’s statements demonstrates a purpose of preventing Russia from exploiting Kaspersky Lab products, not of punishing Kaspersky Lab for being disloyal. To the extent one could interpret some aspects of Senator Shaheen’s statements differently, one-off statements by a single Senator to the media do not control the meaning or effect of a statute. 10 Plaintiffs cite a Second Circuit opinion, Consol. Edison Co. of New York v. Pataki,292 F.3d 338
(2d Cir. 2002), for the proposition that a statute that imposes a burden that falls within the historical meaning of legislative punishment is “per se” a bill of attainder. See Pls.’ Opp’n at 8. This would appear to conflict with the statement of the D.C. Circuit that “‘[e]ven measures historically associated with punishment—such as permanent exclusion from an occupation— have been otherwise regarded when the nonpunitive aims of an apparently prophylactic measure have seemed sufficiently clear and convincing.’” BellSouth I,144 F.3d at 65
(quoting Laurence H. Tribe, American Constitutional Law, § 10–5, at 655 (2d ed.1988)). The Court notes this apparent discrepancy but need not resolve it because it finds that Sections 1634(a) and (b) do not fall within any historic meaning of legislative punishment. 33 disputed statute against a bill of attainder challenge.” Foretich,351 F.3d at 1221
. “Courts have conducted this inquiry by examining both the purported ends of contested legislation and the means employed to achieve those ends.”Id.
The D.C. Circuit has emphasized that there must be “a rational connection between the burden imposed and nonpunitive purposes of the legislation.”Id.
“In other words, the means employed by the statute must be rationally designed to meet its legitimate nonpunitive goals.” Patchak, 828 F.3d at 1006. “[T]here must be a nexus between the legislative means and legitimate nonpunitive ends.” Foretich,351 F.3d at 1221
. “[W]here there exists a significant imbalance between the magnitude of the burden imposed and a purported nonpunitive purpose, the statute cannot reasonably be said to further nonpunitive purposes.”Id.
Sections 1634(a) and (b) of the NDAA do not constitute legislative punishment under the Functional Test. These provisions of the NDAA serve a legitimate and eminently reasonable nonpunitive function: protecting the United States government’s information systems from the threat of Russian cyber-intrusion. This is a prospective, risk-prevention function that is distinct from punishment. Moreover, the challenged provisions of the NDAA are rationally related to this nonpunitive goal—that is, there is a nexus between the means Congress used and the nonpunitive end it sought to achieve. 11 As discussed in more detail above, Congress was presented with at 11 Plaintiffs argue that the D.C. Circuit in Foretich instructed courts to consider “whether there is a ‘coherent and reasonable nexus between the burden imposed and the benefit to be gained’” as part of the Historical Test. Pls.’ Opp’n at 12-13. The Court actually understands the Foretich opinion to mean that this consideration is, under modern precedent, considered as part of the “Functional Test.” Foretich,351 F.3d at 1219
(“These early decisions foreshadowed the development of the functional test and reinforce the necessity of a coherent and reasonable nexus between the burden imposed and the benefit to be gained.”). The Court has considered this factor, but has addressed it as part of its Functional Test analysis. 34 least the following set of facts: Russia had committed, and will likely continue to commit, malicious cyber-activities against the United States; the United States’ federal government computer systems relied on Kaspersky Lab products to protect them from malicious cyber- activity; those products can be misused to exploit or harm the systems on which they are installed; Kaspersky Lab is headquartered in Russia and subject to Russian laws; and both Kaspersky Lab and its founder and CEO have connections to the Russian government and intelligence services. It is not Plaintiffs’ or this Court’s role to determine de novo what precise actions should have been taken in light of this information to protect the nation’s cyber-security. That function was reserved for the political branches. It is sufficient for this Court to say that it was rational for Congress to conclude on the basis of this information that barring the federal government’s use of Kaspersky Lab products would help prevent further Russian cyber-attacks. See Patchak, 828 F.3d at 1006 (“[T]he means employed by the statute must be rationally designed to meet its legitimate nonpunitive goals.”). In other words, this is not a case where Congress barred Plaintiff from an activity based on characteristics (e.g., holding an unpopular political view) that had no rational connection with its suitability for that activity. Such a disconnect, which could suggest a punitive purpose, is absent here. Information suggesting that a company’s products could be used by a foreign power known to be regularly attempting cyber-attacks on the United States rationally bears on that company’s suitability to provide cyber-security products to the federal government. See Flemming, 363 U.S. at 614 (“Where the source of legislative concern can be thought to be the activity or status from which the individual is barred, the disqualification is not punishment even though it may bear harshly upon one affected. The contrary is the case where the statute in question is evidently aimed at the person or class of 35 persons disqualified.”); Siegel v. Lyng,851 F.2d 412
, 418 (D.C. Cir. 1988) (finding that bar from employment in agricultural industry was not punishment because it was based on “legitimate justifications”—connection to an entity that had previously violated agricultural laws). Congress’ non-punitive purpose was also not out of balance with the burden that the NDAA places on Kaspersky Lab. “[M]erely because a regulation is burdensome does not mean that it constitutes punishment.” Navegar, 192 F.3d at 1067. The Court must ask whether that burden, however great, is out of balance with the purpose of the regulation. Here, that is clearly not the case. On the one side of the scale in this case is Congress’ goal of securing our Nation’s networks and computer systems from malicious cyber-threats. The importance of this goal in today’s world can hardly be overstated. On the other side of the scale is the burden to Kaspersky Lab which, while real, is exaggerated by Plaintiffs. The NDAA deprives Kaspersky Lab of one of its revenue streams. But, as discussed above, that revenue stream represents a tiny portion of the company’s overall business. And, although the prohibition also may have a negative effect on Kaspersky Lab’s reputation in the cybersecurity field, that reputational harm is not as great as Plaintiffs suggest. Plaintiffs compare this case to Foretich, but the comparison is a stretch. The reputational burden the D.C. Circuit addressed in Foretich derived from Congress having effectively labeled a particular individual as a child molester who had sexually abused his own daughter. See Foretich,351 F.3d at 1223
. The Act “memorialize[d] a judgment by the United States Congress that [the plaintiff] was guilty of horrific crimes.”Id.
The reputational burden in this case is not as severe. Through the NDAA, Congress has effectively declared that the use of Kaspersky Lab products by federal government agencies presents a security risk because those products could be used—whether with or without 36 Kaspersky Lab’s knowledge or consent—by the Russian government. This understandably will affect Kaspersky Lab’s reputation as a cybersecurity business, but it does not, as Plaintiffs repeatedly argue, label them as disloyal or adjudge them guilty of any “horrific crime.” In sum, even considering the reduction in revenue and harm to reputation Plaintiffs allegedly suffered, this is not a case where “[a] grave imbalance or disproportion between the burden and the purported nonpunitive purpose suggests punitiveness.”Id. at 1222
. The burdens placed on Kaspersky Lab by the challenged provisions of the NDAA, although perhaps not trivial in absolute terms, are not out of balance with Congress’ goal of protecting the Nation’s cyber- security. Plaintiffs argue that various aspects of Sections 1634(a) and (b) reveal that its actual function is punitive. First, Plaintiffs argue that the punitive nature of the NDAA is demonstrated by the fact that it singles out Kaspersky Lab and no other cybersecurity vendors. Indeed, Plaintiffs at times go so far as to imply that the law is inherently a bill of attainder because it is not one of general applicability. See, e.g., Pls.’ Opp’n at 22-23. This argument is not persuasive. It is true that the specificity of a law is one factor that the Court may consider when determining whether a law is punitive. See Foretich,351 F.3d at 1222
. However, it is also true that specificity alone is not sufficient to establish that a law has a punitive function. See Nixon,433 U.S. at 470-71
(rejecting notion that a law was a bill of attainder simply because it “impose[d] undesired consequences on an individual or on a class that is not defined at a proper level of generality” because this notion, if accepted, would “cripple the very process of legislating, for any individual or group that is made the subject of adverse legislation [could] complain that the lawmakers could and should have defined the relevant affected class at a greater level of generality.”); ACORN,618 F.3d at 138-39
(explaining that specificity is relevant to assessing an 37 alleged punitive purpose but “does not create a presumption of unconstitutionality”). Where a law targets a particular individual (or corporation) because there is a legitimate nonpunitive reason to take such targeted action, specificity is not improper and does not evince punishment. See Nixon,433 U.S. at 472
(holding that law was not objectionable solely because it singled out President Richard Nixon, because Congress had reason to conclude that action against President Nixon specifically “demanded immediate attention”); SeaRiver Mar. Fin. Holdings, Inc. v. Mineta,309 F.3d 662
, 676 (9th Cir. 2002) (holding that focus on removing a particular tank vessel from the Prince William Sound did not evince a punitive purpose because it was reasonable to conclude that prompt action with respect to that vessel in particular was necessary). That was the case here. Grappling with a real-time need to take action to protect the government’s networks and computer systems from cyber-attacks, Congress opted to pass a law of general applicability that ordered the review of procedures for removing suspect products and services from federal systems going forward (Section 1634(c)), and also immediately took action to stem a perceived risk caused by the government’s use of one company’s products in particular based on facts already known (Sections 1634(a) and (b)). There was nothing improper about this course of action. The record indicates that no other cybersecurity vendor had the same set of characteristics that had caused concerns about Kaspersky Lab. AR770. It was therefore reasonable for Congress to act only with respect to that company. Plaintiffs also argue that Sections 1634(a) and (b) of the NDAA do not have a legitimate nonpunitive function because Congress could have employed less burdensome alternatives and because the statute lacks “safeguards” for Kaspersky Lab’s rights. Plaintiffs’ considerable reliance on these points is misplaced. These are merely factors the Court may consider when determining whether a law had a nonpunitive purpose. They are not requirements. Neither the 38 Supreme Court nor the D.C. Circuit has held that the Court may invalidate a law with a clear nonpunitive purpose that is rationally designed to further that purpose simply because it lacks “safeguards” for a class that is burdened by the law. Nor have those courts held that it is necessary, or appropriate, for the Court to apply a “least restrictive means test” to laws challenged as bills of attainder. Additionally, the principal “less burdensome alternative” proffered by Plaintiffs— “refer[ing] the matter to the executive branch to consider” proceedings to debar Kaspersky Lab under the FAR, Pls.’ Opp’n at 29—would not have accomplished Congress’ nonpunitive goal. Debarment would have only applied to future transactions between Kaspersky Lab and the government—it would not have required federal agencies to remove Kaspersky Lab products they had previously purchased and installed. AR0631. Nor would debarment have prohibited third parties from selling Kaspersky Lab products to federal agencies.Id.
Accordingly, debarment would not have prevented agencies from using Kaspersky Lab products. To the extent Plaintiffs argue that the prohibition could have been limited to only Kaspersky Lab software (not hardware or services), or should have provided Kaspersky Lab a means to “extricate itself from the ban,” Pls.’ Opp’n at 27, the Court is not convinced that these characteristics of the NDAA cast any doubt on its nonpunitive function. Considering the extensive record regarding Kaspersky Lab that was before Congress, it was reasonable for Congress to conclude that a broad and permanent ban was necessary to prevent the sort of cyber- attacks about which Congress was concerned. Plaintiffs believe that the law could have been designed better but, as already stated, it is not the Court’s role to review de novo the technical decisions Congress makes to protect the Nation’s cyber-security. It is enough that a “rational and fairminded Congress” could have determined that the approaches urged by Plaintiffs would 39 not have accomplished its nonpunitive goals. Nixon,433 U.S. at 483
. The Court easily concludes that that is the case here. For the foregoing reasons, Sections 1634(a) and (b) of the NDAA have a clear nonpunitive function. The means Congress employed to accomplish that function are rational, and the burdens imposed by the NDAA are not out of balance with the importance of its nonpunitive goal. Therefore, the Functional Test shows that the law does not constitute punishment. c. The Motivational Test “The final test of legislative punishment is ‘strictly a motivational one: inquiring whether the legislative record evinces a congressional intent to punish.’” Foretich,351 F.3d at 1225
(quoting Nixon,433 U.S. at 478
). “Under this prong, a court must inspect legislation for a congressional purpose to ‘encroach[ ] on the judicial function of punishing an individual for blameworthy offenses.’”Id.
(quoting Nixon,433 U.S. at 479
). “Courts conduct this inquiry by reference to legislative history, the context or timing of the legislation, or specific aspects of the text or structure of the disputed legislation.”Id.
The Motivational Test “by itself is not determinative in the absence of ‘unmistakable evidence of punitive intent.’”Id.
(quoting Selective Serv. Sys.,468 U.S. at
856 n.15). The Court approaches the Motivational Test with caution, because “[j]udicial inquiries into Congressional motives are at best a hazardous matter.” Flemming, 363 U.S. at 617. When a law is claimed to impose legislative punishment on the basis of such an inquiry, “only the clearest proof could suffice to establish the unconstitutionality of [the] statute.” Id.; see also ACORN,618 F.3d at 141
(“The legislative record by itself is insufficient evidence for classifying a statute as a bill of attainder unless the record reflects overwhelmingly a clear legislative intent to punish.”). 40 Presumably in light of this daunting standard, Plaintiffs disavow any argument that Sections 1634(a) and (b) of the NDAA constitute a bill of attainder on the basis of the Motivational Test alone. See Pls.’ Opp’n at 30 (“Plaintiffs are not challenging the constitutionality of the NDAA on ‘this prong itself.’”). They contend only that this test “bolsters” their showing that the NDAA is punishment.Id.
Even this modest claim, however, is wrong. The Motivational Test does not “bolster” Plaintiffs’ argument. If anything, it weakens it. Plaintiffs’ primary argument under the Motivational Test is that the record related to Congress’ decision to prohibit the use of Kaspersky Lab products is “silent.” Pls.’ Opp’n at 3. There are two major flaws with this argument. The first is that, even if it was accurate, it would defeat Plaintiffs’ claim. Statutes are presumed constitutional. See Flemming, 363 U.S. at 617 (“[T]he presumption of constitutionality with which this enactment, like any other, comes to us forbids us lightly to choose that reading of the statute’s setting which will invalidate it over that which will save it.”). It is Plaintiffs’ burden under the Motivational Test to demonstrate that Congress was motivated to punish Kaspersky Lab. See BellSouth I,144 F.3d at 67
(finding that law was not punishment under the Motivational Test where plaintiff had not “come forward” and “provided” any evidence on Congress’ purpose). If the record was in fact “silent,” Plaintiffs could not do so. See SeaRiver,309 F.3d at 677
(“The congressional silence surrounding § 2737 impedes SeaRiver in successfully carrying its burden on this factor.”). Congress’ silence, even when coupled with an awareness that its actions will harm a particular individual or company, is not sufficient to demonstrate punitive intent. See Patchak, 828 F.3d at 1007 (“While it may be true that Mr. Patchak was adversely affected as a result of the legislation, the record does not show that Congress acted with any punitive or retaliatory intent.”); SeaRiver,309 F.3d at
674 41 (“Although Congress was aware when it passed § 2737 that it would impose a cost on SeaRiver, this awareness does not translate into a suggestion that Congress’s intent was to punish”). The second problem with Plaintiffs’ “silence” argument is that it is incorrect as a matter of fact. As the Court described at length in the Background section of this Opinion, the NDAA was passed after months of congressional inquiries into the risk of Russian cyber-attacks created by the federal government’s use of Kaspersky Lab products. The Court will not repeat that entire history here, but notes that concerns were raised at various committee hearings, and six United States intelligence directors, including the directors of the CIA and the NSA, told the Senate Select Committee on Intelligence that they would not be comfortable using Kaspersky Lab products on their computers. In addition, a Senate Armed Services Committee report discussing the prohibition on Kaspersky Lab products stated that the prohibition was a response to “reports that the Moscow-based company might be vulnerable to Russian government influence.” NDAA FY 2018, U.S. Senate Armed Services Committee, at 10, https://www. armed-services.senate.gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf. Although drawing conclusions about Congress’ motivation is a “hazardous” endeavor, Flemming, 363 U.S. at 617, as a whole, this record suggests a motivation to take preventive action to eliminate a risk of Russian cyber-attacks, not to punish Kaspersky Lab. 12 Plaintiffs argue that certain statements Senator Jeanne Shaheen made to the media show that Congress was motivated to punish. As described above, Senator Shaheen stated in a press 12 Plaintiffs argue that most of this history should be ignored because it is not formal legislative history addressing the exact amendment to the NDAA that resulted in the prohibition at issue. Plaintiffs take far too narrow a view of the types of material that the Court may consider when assessing Congress’ motivation under the Motivational Test. As the D.C. Circuit has held, courts may consider “the context or timing of the legislation.” Foretich,351 F.3d at 1225
. This congressional activity provides helpful context that informs the Court’s understanding of Congress’ motivation. 42 release that “[t]he case against Kaspersky Lab is overwhelming.” See Compl., Ex. E, NDAA ECF No. 1-5. She elaborated that: The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented. I’m very pleased that the Senate has acted in a bipartisan way on my amendment that removes a real vulnerability to our national security. I applaud the Trump administration for heeding my call to remove Kaspersky Lab software from all federal computers. It’s important that this prohibition also be a part of statute and be expanded to the entire federal government, as my amendment would do. Considering the strong bipartisan, bicameral support for this proposal, I’m optimistic this will soon be signed into law.Id.
Additionally, in an editorial authored for the New York Times, Senator Shaheen wrote that the presence of Kaspersky Lab products on federal systems created a “threat” of Russian cyber- interference, and that she was proposing to bar federal government use of those products “to close this alarming national security vulnerability.” See Compl., Ex. C, NDAA ECF No. 1-3. These statements do not indicate that Congress’ motivation was to punish Kaspersky Lab. As an initial matter, the overall emphasis of Senator Shaheen’s statements was not that Congress should punish Kaspersky Lab for anything, but instead that the use of Kaspersky Lab products to defend federal government systems created a risk of Russian cyber-interference, and that action needed to be taken swiftly to address this vulnerability. It was the “case” for such action, according to Senator Shaheen, that was “overwhelming.” Additionally, even if these statements could be interpreted as indicating that Senator Shaheen was motivated to punish Kaspersky Lab—and the Court does not interpret them that way—isolated statements of one legislator are not sufficient under the Motivational Test to demonstrate a punitive motivation. “‘Several isolated statements’ are not sufficient to evince punitive intent.” BellSouth II,162 F.3d at 690
(quoting Selective Serv. Sys.,468 U.S. at
856 43 n.15); Navegar, 192 F.3d at 1067 (holding that “isolated statements are not sufficient to show a punitive intent”); ACORN,618 F.3d at 142
(holding that “smattering” of legislators’ opinions regarding plaintiff’s guilt of fraud was insufficient to demonstrate motivation to punish). In other words, even if Senator Shaheen’s intention in passing the NDAA’s prohibition on Kaspersky Lab products was to punish that company, as opposed to merely limit the risk of future Russian cyber-attacks, that intention of a sole senator is not sufficient to demonstrate that Congress as a whole was motivated to punish. Also relevant to the Court’s Motivational Test inquiry is that the NDAA was passed on the heels of actions by the Executive Branch addressing similar concerns about Kaspersky Lab products. Most importantly, Congress was considering the NDAA’s prohibition on Kaspersky Lab products at the same time that DHS was in the midst of its BOD 17-01 proceedings. Congress even held hearings about those proceedings. By statute, BODs are used “for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk”—not to impose punishment based on any wrongdoing.44 U.S.C. § 3552
(b)(1). The purpose of BOD 17-01 in particular was to stem the risk of Russian cyber-attacks, and DHS made clear that the action was not based on any assumption that Kaspersky Lab had done, or would do, anything wrong or worthy of punishment. AR0629. It is reasonable to assume that Congress had a similar motivation when, after overseeing the implementation of BOD 17-01, it passed a prohibition very similar to that BOD just days after it was finalized. Additionally, “specific aspects of the text or structure” of Section 1634, such as the provision’s placement within the NDAA, indicate Congress’ nonpunitive motivation. See Foretich,351 F.3d at 1225
; see also BellSouth I,144 F.3d at 66
(noting that a claim of punitive 44 purpose can be undermined by a provision’s placement within an Act). Section 1634 falls under a subtitle of the NDAA entitled “Cyberspace-Related Matters.” This section of the NDAA does not dole out punishments. It provides authorizations, sets policies, and requires reporting on various cyber-security issues. Section 1634(c), which follows immediately after the challenged sections, is one example: it requires agencies to conduct reviews of their procedures for removing suspect products or services from the information technology networks of the federal government. That the prohibition on Kaspersky Lab products falls within this section of the NDAA indicates that Congress viewed it as a similar cyber-security measure, not punishment. The text and effect of the statutory sections themselves also indicate Congress’ nonpunitive motivation. The statute does not prohibit purchases from Kaspersky Lab, but instead the use of Kaspersky Lab products. This required the government to undergo a time- intensive and costly process of identifying and discontinuing the “use” of Kaspersky Lab products throughout the government. If Congress’ purpose was simply to punish Kaspersky Lab for something, it could have accomplished that goal in a far easier and cheaper manner by simply barring any future purchases from that company. The fact that it declined that option and instead ordered that all “use” of Kaspersky Lab products be halted, and incurred the considerable cost to do so, 13 suggests that the function of the law was to protect against prospective Russian cyber- threats, not to punish Kaspersky Lab. In sum, it was Plaintiffs’ burden to plausibly allege facts that would suggest that Sections 1634(a) and (b) were punishment under the Motivational Test. Their inability to do so defeats their claim. In addition, the record—including congressional activity, administrative activity, 13 The Government also points out that if Congress had intended to punish Kaspersky Lab, it might have required the company to bear the cost of removing its own products, but Congress opted not to do so. 45 and the nature of the statute itself—affirmatively indicates a nonpunitive motivation. Accordingly, the Court concludes that Plaintiffs cannot plausibly establish that the challenged provisions constitute legislative punishment under the Motivational Test. *** Weighing all three tests for punishment together, the Court concludes that Sections 1634(a) and (b) of the NDAA clearly do not inflict punishment on Plaintiffs. The law does not impose any form of historically recognized legislative punishment. It has an obvious and eminently reasonable nonpunitive purpose and, although the law has negative effects on Plaintiffs, those effects are not out of balance with the goal of protecting the Nation’s cyber- security. Finally, there is no evidence that Congress acted with any motivation to punish Plaintiffs. The Court emphasizes that “[i]n order to decide whether a statute impermissibly inflicts punishment, [the Court] consider[s] each case in ‘its own highly particularized context.’” Patchak, 828 F.3d at 1006 (quoting Selective Serv. Sys.,468 U.S. at 852
); see also Flemming, 363 U.S. at 616 (“[E]ach case [ ] turn[s] on its own highly particularized context.”). The context of this case—Congress’ real-time attempt to address cutting edge and constantly evolving cyber- threats to some of our Nation’s most sensitive strategic assets—is extremely unique. Viewed in this unique context, for the reasons explained above, the challenged provisions of the NDAA cannot plausibly be said to be a bill of attainder. Plaintiffs’ NDAA Lawsuit will accordingly be dismissed. B. The BOD Lawsuit Plaintiffs’ BOD Lawsuit will also dismissed, but for a different reason. Article III of the Constitution limits the jurisdiction of this Court to the adjudication of “Cases” and 46 “Controversies.” U.S. Const., Art. III, § 2. “In an attempt to give meaning to Article III’s case- or-controversy requirement, the courts have developed a series of principles termed ‘justiciability doctrines,’ among which [is] standing.” Nat’l Treasury Emps. Union v. United States,101 F.3d 1423
, 1427 (D.C. Cir. 1996) (citing Allen v. Wright,468 U.S. 737
, 750 (1984)). Standing requires, in essence, that a plaintiff have “a personal stake in the outcome of the controversy . . . .” Warth v. Seldin,422 U.S. 490
, 498 (1975). The familiar requirements of Article III standing are: (1) that the plaintiff have suffered an “injury in fact”—an invasion of a judicially cognizable interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) that there be a causal connection between the injury and the conduct complained of—the injury must be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court; and (3) that it be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Bennett v. Spear,520 U.S. 154
, 167 (1997) (citing Lujan v. Defs. of Wildlife,504 U.S. 555
, 560- 61 (1992)); see also Spokeo, Inc. v. Robins,136 S. Ct. 1540
, 1547 (2016). Plaintiffs cannot satisfy these requirements in the BOD Lawsuit. Plaintiffs assert that they have standing to challenge BOD 17-01 because it causes them two types of injury: it prevents them from selling to the United States federal government, and it damages their reputation. To establish standing in the BOD Lawsuit, Plaintiffs must show “‘that it [is] likely, as opposed to merely speculative, that the[se] injur[ies] will be redressed by a favorable decision’” in that suit. Chamber of Commerce of U.S. v. E.P.A.,642 F.3d 192
, 200 (D.C. Cir. 2011) (quoting Bennett,520 U.S. at 167
). Plaintiffs cannot make that showing. After BOD 17- 01 was finalized, Congress separately passed an even broader prohibition on Kaspersky Lab products: Sections 1634(a) and (b) of the NDAA. Regardless of the outcome of the BOD 47 Lawsuit, those provisions of the NDAA will be the law. Sections 1634(a) and (b) of that law cause, at least, the same alleged harms as BOD 17-01. Therefore, even if Plaintiffs were successful and the Court were to order the rescission of the BOD, their harms would not be redressed. The Court has no jurisdiction to proceed to the merits of a lawsuit where its ultimate decision will have no real effect. The NDAA has never been challenged as part of the BOD Lawsuit. Plaintiffs did eventually file a separate lawsuit challenging the NDAA (the NDAA Lawsuit, discussed above), but the two suits have always been, and remain, separate and distinct. The filing of a separate lawsuit challenging the NDAA did not have any effect on the Court’s consideration of standing in the BOD Lawsuit, given that standing is determined at the time of the commencement of suit, and the NDAA Lawsuit was filed after the BOD suit. See Lujan,504 U.S. at
571 n.5 (“standing is to be determined as of the commencement of suit”). Regardless, even assuming that the NDAA Lawsuit was relevant in any way to Plaintiffs’ standing in the BOD Lawsuit, the NDAA Lawsuit has been dismissed. Accordingly, the Court assesses Plaintiffs’ standing in the BOD Lawsuit assuming that, regardless of the outcome of that suit, the NDAA will remain in place. It is a well-established principle that a plaintiff cannot demonstrate redressability when its lawsuit challenges only one of two government actions that both independently produce the same alleged harm. See Delta Const. Co. v. E.P.A.,783 F.3d 1291
, 1296 (D.C. Cir. 2015) (holding that petitioners did not have standing to challenge Environmental Protection Agency standards that allegedly raised the price of vehicles due to lack of redressability because the National Highway Traffic Safety Administration had promulgated substantially identical standards that were not challenged in the lawsuit, and therefore “even were we to vacate the EPA standards, the NHTSA standards would still increase the price of vehicles”); Texas v. E.P.A.,726 F.3d 180
, 198 48 (D.C. Cir. 2013) (dismissing challenge to administrative rules for lack of standing because vacating those rules “would not redress the State petitioners’ injury,” which was separately caused by a statute); Renal Physicians Ass’n v. U.S. Dep’t of Health & Human Servs.,489 F.3d 1267
, 1277 (D.C. Cir. 2007) (finding that plaintiff challenging a regulatory safe harbor had not satisfied the redressability prong because “[e]ven if a court invalidated the safe harbor, dialysis facilities would remain obligated under the Stark Law to pay no more than fair market value for medical director services”). This principle applies with full force in this case. Sections 1634(a) and (b) of the NDAA are not challenged in the BOD Lawsuit and cause both of the injuries Plaintiffs claim to suffer as a result of BOD 17-01. First, like BOD 17-01, the NDAA prevents Plaintiffs from selling to the United States federal government. The NDAA requires that all federal agencies stop using all Kaspersky Lab products and services. In fact, the prohibition in the NDAA is broader than the prohibition in BOD 17-01, because it includes all Kaspersky Lab products and services (not just “Kaspersky- branded” products), and because it does not exempt any national security systems. The fact that the NDAA’s prohibition does not technically become effective until October 1, 2018, does not change this analysis. There is no redressability unless a decision in Plaintiffs’ favor would “produce tangible, meaningful results in the real world.” Common Cause v. Dep’t of Energy,702 F.2d 245
, 254 (D.C. Cir. 1983). No meaningful results would be produced by lifting BOD 17-01’s prohibition on Kaspersky Lab products for the few months before the NDAA’s prohibition goes into effect. Under the NDAA, federal agencies must have identified and halted the use of all Kaspersky Lab products by October 1, 2018. This is not contingent on the outcome of any review process. It is a date certain by which all use must stop. Under these 49 circumstances, it is highly implausible that, upon learning that BOD 17-01 was rescinded, any federal government agency would purchase a Kaspersky Lab product, obtain the necessary approval to use that product, install it, and begin using it, only to have to remove it again by October 1, 2018. To do so would not only defy common sense, it would also likely violate each federal agency’s obligations under FISMA to reduce the risks to their information systems in a cost-effective manner. Defendants have provided the Court with a declaration from the Acting Federal Chief Information Security Officer at the OMB, Grant Schneider, attesting to these points. Mr. Schneider’s job is to oversee the development of government-wide cybersecurity policy and Federal civilian agency implementation of cybersecurity laws and policies. See Decl. of Grant Schneider, BOD ECF No. 13-1, ¶ 1. In his declaration, he states that “federal agencies are widely aware of the NDAA prohibition” and that “even if BOD 17-01 were rescinded before October 1, 2018, no federal agency would be likely to procure, test and install Kaspersky products, and then remove them, all before the October 1st NDAA effective date.” Id. ¶ 5. He explains that “each federal agency makes its own independent IT acquisition decisions as long as the agency complies with applicable law and executive branch policy,” and the personnel involved in those decisions “are acutely aware of the need to avoid use of IT products that increase risks to their information and information systems.” Id. ¶ 6. In particular, agencies are aware of their obligations under FISMA to reduce risks to their information systems in a cost- effective manner, and are separately required under Executive Order and OMB policy to implement information security and cybersecurity risk management plans and measures. Id. “Rescinding the BOD would not eliminate the security concerns underlying the decision to issue the directive in the first place,” Mr. Schneider attests, which had been raised by other 50 lawmakers and intelligence officials, and which are also memorialized by the NDAA. Id. ¶ 7. Even if the BOD were rescinded, these agencies would still have to confront these concerns. They would have to determine that using Kaspersky Lab software in the months before the NDAA officially takes effect is an acceptable risk to their networks, and that purchasing those products, acquiring the necessary authorizations to use them and taking the time and resources to test, install, and deploy them—only to then immediately remove them prior to October 1, 2018— would be cost-effective and not wasteful. Id. ¶¶ 7-10. Mr. Schneider finds it “highly unlikely” that any agency’s Chief Information Officer would make these determinations and choose to use Kaspersky Lab products between now and October 1, 2018, if the BOD was rescinded. Id. ¶ 7. In fact, according to Mr. Schneider, purchasing these products could open an agency up to investigation for wasteful procurement. Id. ¶¶ 8, 11. Plaintiffs do not seriously attempt to dispute these points. Instead, Plaintiffs respond to Defendants’ standing argument by attempting to recast their alleged injury as being deprived of the “right to sell to the government” until October 1, 2018. Pls.’ Reply and Opp’n at 5 (emphasis in original). Regardless of whether any United States government agency would purchase their products, Plaintiffs argue, they stand to win back this “right to sell.” This asserted “right” is worthless. To “sell” requires another to “buy.” Because no government agency would buy Plaintiffs’ product in the period before October 1, 2018, Plaintiffs’ theoretical “right” to sell has no value at all in the real world. The asserted deprivation of this empty procedural right would not affect any substantive or concrete interest of the Plaintiffs, and therefore is not sufficient to confer standing. See Summers v. Earth Island Inst.,555 U.S. 488
, 496-97 (2009) (rejecting standing based on a “procedural injury, namely, that [respondents] have been denied the ability to file comments on some Forest Service 51 actions,” because “deprivation of a procedural right without some concrete interest that is affected by the deprivation—a procedural right in vacuo—is insufficient to create Article III standing”); Sierra Club v. E.P.A.,754 F.3d 995
, 1002 (D.C. Cir. 2014) (“[B]ecause Petitioners have failed to establish that they will likely suffer a substantive injury, their claimed procedural injury—being denied the right to comment on the Memorandum—necessarily fails.”). Second, the NDAA will continue to cause the same (or worse) harm to Plaintiffs’ reputation as does BOD 17-01, even if the latter is rescinded. Even assuming that Plaintiffs can demonstrate that BOD 17-01 caused the reputational harms they allege, there are “circumstances in which governmental action is a substantial contributing factor in bringing about a specific harm, but the undoing of the governmental action will not undo the harm, because the new status quo is held in place by other forces.” Renal Physicians Ass’n,489 F.3d at 1278
. That is the case here. The NDAA would preserve the new status quo with respect to Plaintiffs’ reputation even if BOD 17-01 was rescinded. As Plaintiffs concede, it is their burden to show that “rescission likely would redress the discrete harm stemming from the BOD’s labelling of Plaintiffs’ products as ‘information security risks’ to federal government information systems.’” Pls.’ Reply and Opp’n at 10. Plaintiffs cannot make this showing. As has been discussed already at length, BOD 17-01 and Sections 1634(a) and (b) of the NDAA are roughly equivalent prohibitions on Kaspersky Lab products, based on approximately the same concerns about the company. For this reason, Plaintiffs allege that the NDAA, like BOD 17-01, causes them “profound reputational injuries.” Compl., NDAA ECF No. 1, ¶ 45. If anything, the effect of the NDAA on Plaintiffs’ reputation would be greater than the effect of the BOD, because the NDAA codifies the prohibition against Plaintiffs’ products into law and is broader than BOD 17-01 (covering all Kaspersky Lab products and services and all federal information systems). 52 Whatever harm was caused by the BOD labelling Plaintiffs’ products as risks would not be redressed if the BOD was rescinded, because the NDAA would remain in place, continuing to label Plaintiffs’ products in exactly the same way. And to the extent there is some distinct incremental harm that the existence of the BOD could be said to have on Plaintiffs’ reputation above and beyond the existence of the NDAA, and therefore could be at stake in this lawsuit, that theoretical harm is simply “too vague and unsubstantiated” to support standing. McBryde v. Comm. to Review Circuit Council Conduct & Disability Orders of Judicial Conference of the United States,264 F.3d 52
, 57 (D.C. Cir. 2001) (in discussing standing and mootness based on incremental effect on reputation of a particular government action, noting that “[a]t some point . . . claims of reputational injury can be too vague and unsubstantiated to preserve a case from mootness”); see also Lebron v. Rumsfeld,670 F.3d 540
, 562 (4th Cir. 2012) (where plaintiff sought order enjoining the government from designating him as an enemy combatant, ruling that plaintiff did not have standing based on reputational injury because “[i]t is hard to imagine what ‘incremental’ harm it does to Padilla’s reputation to add the label of ‘enemy combatant’ to the fact of his convictions and the conduct that led to them”). Plaintiffs argue that their standing is established by the D.C. Circuit’s opinion in Foretich. The Court disagrees. The Foretich court did find that a plaintiff had standing based on an injury to his reputation. Moreover, that court did hold that the plaintiff had standing despite the fact that his reputation was harmed by the challenged law as well as other factors (e.g., publicity surrounding an underlying custody dispute and allegations in that dispute). Foretich,351 F.3d at 1216
. However, in Foretich, there was only one government determination that harmed plaintiff’s reputation. Plaintiff’s “reputational harms resulted directly” from a law that “embodie[d] a congressional determination that he engaged in criminal acts of child abuse from 53 which his daughter needed protection.”Id. at 1211
. The D.C. Circuit found that declaring that law unconstitutional would have redressed plaintiff’s reputational harm because it would have “remove[d] the imprimatur of government authority from” that determination.Id. at 1215
. This simply is not the case here. In this case, there are multiple government determinations about Kaspersky Lab at issue—most importantly BOD 17-01 and the NDAA, but also apparent determinations by intelligence chiefs and the GSA—that make the same finding about Kaspersky Lab products that allegedly harms Plaintiffs’ reputation. Accordingly, ordering the rescission of BOD 17-01 would not “remove the imprimatur of government authority” from the determination that Kaspersky Lab products present a risk to federal government networks. The Foretich court was not presented with these facts. See Paracha v. Obama,194 F. Supp. 3d 7
, 10-11 (D.D.C. 2016) aff’d sub nom. Paracha v. Trump, 697 F. App’x 703 (D.C. Cir. 2017) (finding no causation or redressability in case where petitioner challenged statutes labelling him a terrorist because, unlike in Foretich, petitioner presented no evidence that his reputational injury “derive[d] directly” from the challenged statutes, given that “petitioner [would] remain designated as an enemy combatant and will continue to be detained as such even if the Court rules in his favor”). In short, it is simply not plausible, let alone likely, that a favorable decision in the BOD Lawsuit ordering the rescission of that agency action on APA and procedural grounds would have any meaningful effect on Plaintiffs’ reputation, where the same determinations about Kaspersky Lab products expressed by the BOD are codified in the NDAA and have also been expressed by numerous other government actors. The Court also notes that, for many of the same reasons discussed above with respect to the redressability element, Plaintiffs also cannot demonstrate the causation requirement of 54 standing with respect to their alleged reputational harm. “Courts are powerless to confer standing when the causal link is too tenuous.” Winpisinger v. Watson,628 F.2d 133
, 139 (D.C. Cir. 1980). As discussed above, BOD 17-01 is but one of a number of congressional and Executive Branch actions that would presumably have the same type of alleged effects on Kaspersky Lab’s reputation. Prior to the issuance of BOD 17-01, various congressional committees were investigating the company, six intelligence directors had told the Senate Select Committee on Intelligence that they would not be comfortable using Kaspersky Lab products on their computers, and the GSA had removed the company as a vendor. All of these acts presumably had negative impacts on Plaintiffs’ reputation. Plaintiffs cannot demonstrate that the BOD, and not these other acts, caused their reputational injury. IV. CONCLUSION For the reasons set out above, the Court will dismiss both Plaintiffs’ NDAA Lawsuit and their BOD Lawsuit. The NDAA Lawsuit is dismissed for failure to state a claim, because Plaintiffs have not plausibly alleged that Sections 1634(a) and (b) of the NDAA constitute a bill of attainder. The BOD Lawsuit is dismissed for lack of standing because, even if Plaintiffs were to succeed in that lawsuit and the Court were to order the rescission of BOD 17-01, none of Plaintiffs’ alleged harms would be redressed. They would continue in full force as a result of the NDAA. Because the BOD Lawsuit is dismissed for lack of standing, the Court need not reach the parties’ cross-motions for summary judgment. Appropriate Orders accompany this Memorandum Opinion in each lawsuit. /s/ COLLEEN KOLLAR-KOTELLY United States District Judge 55
Amer Bioscience Inc v. Thompson, Tommy G. ( 2001 )
Wright v. Foreign Service Grievance Board ( 2007 )
consolidated-edison-company-of-new-york-inc-v-george-e-pataki-in-his ( 2002 )
Nixon v. Administrator of General Services ( 1977 )
Spokeo, Inc. v. Robins ( 2016 )
PLANNED PARENTHOOD OF CENTRAL NC. v. Cansler ( 2011 )
National Treasury Employees Union v. United States ( 1996 )
Common Cause v. Department of Energy ( 1983 )
Melvyn Siegel v. Richard E. Lyng, Secretary of Agriculture ... ( 1988 )
seariver-maritime-financial-holdings-inc-seariver-maritime-inc-seariver ( 2002 )
Coalition for Underground Expansion v. Mineta ( 2003 )
Kokkonen v. Guardian Life Insurance Co. of America ( 1994 )
Equal Employment Opportunity Commission v. St. Francis ... ( 1997 )
Lujan v. Defenders of Wildlife ( 1992 )
Steel Co. v. Citizens for a Better Environment ( 1998 )
Summers v. Earth Island Institute ( 2009 )