Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 1 of 22 UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA KASPERSKY LAB INC 500 Unicorn Park 3rd Floor Woburn Massachusetts 01801 and KASPERSKY LABS LIMITED New Bridge Street House 30-34 New Bridge Street London EC4V 6BJ United Kingdom Plaintiffs v U S DEPARTMENT OF HOMELAND SECURITY Washington D C 20528 and Kirstjen Nielsen in her official capacity as Secretary of Homeland Security Washington D C 20528 Defendants Civil Action No ___________ COMPLAINT 1 Kaspersky Lab Inc a Massachusetts corporation together with its U K parent company Kaspersky Labs Limited Plaintiffs or Kaspersky Lab bring this action under the Administrative Procedure Act APA to uphold their constitutional due process and other rights which Defendants violated through unprecedented sweeping and retroactive debarment of Kaspersky Lab from U S Government information systems by way of the Department of Homeland Security's DHS Binding Operational Directive 17-01 issued on September 13 2017 the BOD 1 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 2 of 22 2 Without affording Plaintiffs notice or a prior opportunity to be heard and without sufficient evidence Defendants branded Kaspersky Lab's market-leading anti-virus products an information security threat vulnerability and risk to U S Government information systems and summarily ordered their identification removal and discontinuation by all subject U S government agencies and the private contractors operating within their IT systems 3 DHS was required under the APA and the U S Constitution to afford Plaintiffs due process--at the very least notice and a meaningful opportunity to be heard--before debarring Plaintiffs and depriving them of their liberty interest 4 Defendants never claimed--and nothing in the record suggests--any justification for denying Plaintiffs the basic right to notice and an opportunity to contest Defendants' evidence in substantial part consisting of uncorroborated news articles before the debarment In particular DHS has never claimed and nothing in the records suggests that the information security risks allegedly presented by Plaintiffs' products were so imminent so exigent or so urgent that they would justify depriving Plaintiffs of their constitutional due process rights 5 Defendants had ample time and opportunity to afford Plaintiffs the due process to which they were entitled prior to the issuance of the BOD and actively misled Plaintiffs regarding the status of their pre-BOD deliberations Plaintiffs wrote in good faith to Defendants in July 2017 to offer to discuss and respond to any concerns that Defendants might have regarding Kaspersky Lab products Defendants replied in August 2017 indicating that they appreciate d Plaintiffs' offer to provide information and would be in touch again shortly Instead Defendants proceeded with issuing the BOD in September without any prior notice to Plaintiffs or any opportunity for them to be heard 2 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 3 of 22 6 DHS issued the BOD pursuant to the Federal Information Security Modernization Act of 2014 44 U S C 3551 et seq 2014 FISMA which authorizes DHS to issue binding operational directives-- compulsory direction to agencies -- for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat vulnerability or risk 44 U S C 3552 b 1 7 The BOD compelled all federal agencies to 1 identify Kaspersky Lab-branded products on all federal informational systems within 30 days 2 develop a detailed plan to remove and discontinue the present and future use of all Kaspersky Lab-branded products within 60 days and 3 unless directed otherwise by DHS based on new information start actual removal within 90 days BOD at 2-3 8 While DHS professed to give Plaintiffs an opportunity to contest the BOD and change DHS's decision before the 90-day mark by allowing Kaspersky to make a written submission to DHS near in time to the 60-day mark this process was illusory and wholly inadequate because it failed to satisfy even the minimum standards of due process 9 In actuality the debarment of Plaintiffs and the damage caused was immediate and complete upon the issuance of the BOD The process for identification removal and discontinuation had been initiated immediately upon issuance all government agencies were prejudiced against Plaintiffs' software at that time and the process could therefore not have been adequately unwound 10 DHS expressly acknowledged that following its issuance of the BOD some agencies removed the software in advance of the BOD's requirement to start removal on day 90 without regard to the purported process set forth in the BOD See Jeannette Manfra testimony before the House Committee on Science Space and Technology November 14 2017 3 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 4 of 22 Following the Final Decision the Department confirmed that rather than treating the 90 daymark as the start of the removal process absent any change to the BOD by Defendants due to submissions received from Plaintiffs or other affected parties many agencies had actually removed the software by that time For the most part we're closed out on removing the Kaspersky antivirus -branded products See Christopher Krebs press briefing December 13 2017 11 Plaintiffs submitted a detailed written response to the BOD on November 10 2017 the Kaspersky Lab Submission 12 DHS issued a Final Decision on December 6 2017 13 Having already committed themselves and their subject agencies to detrimental action against Plaintiffs Defendants failed to adequately consider or respond to the Kaspersky Lab Submission Defendants simply re-asserted the BOD un-amended through the Final Decision 14 Even in their Final Decision and supporting materials Defendants continued to introduce new allegations facts and legal arguments to which Plaintiffs have had no opportunity to respond even pursuant to the professed but inadequate administrative process advanced by Defendants which concluded with the Final Decision 15 Accordingly Plaintiffs were harmed before any due process was offered at all and were never granted any meaningful process by which to challenge the administrative action in the BOD prior to the debarment The debarment therefore deprived Kaspersky of a constitutionally protected liberty interest without due process of law in violation of the Fifth Amendment of the Constitution 4 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 5 of 22 16 The BOD also fails to meet the evidentiary requirements of the APA Instead of relying on agency fact-finding DHS's principal and overwhelming source of evidence is uncorroborated news reports some citing anonymous sources --including the Rachel Maddow Show Fox News Wired Magazine Bloomberg News and Forbes 17 In an attempt to satisfy the APA's substantial evidence requirement Defendants have mis-categorized these articles and other unsubstantiated allegations as a substantial body of evidence Final Decision Information Memorandum at 23 18 To the contrary Jeannette Manfra the DHS author of the Information Memoranda in support of the BOD and the Final Decision testified before the House Committee on Science Space and Technology on November 14 2017 that in fact the Government does not have conclusive evidence that Kaspersky Lab had facilitated the breach of any U S Government information system When asked in the same hearing by the Committee Chairman to address other media reports regarding Plaintiffs Manfra testified that she could not make a judgement based off of press reporting Yet that is exactly what she asked DHS's Acting Secretary to do in her memoranda in support of the BOD and the Final Decision 19 DHS confirmed in its Final Decision that it has no evidence of any such breach or wrongdoing on the part of Kaspersky Lab in an entire section of the Final Decision's Information Memorandum entitled No Need for Evidence of Wrongdoing DHS roundly ignores its obligation to produce any meaningful and specific evidence against Plaintiffs 20 For these reasons Plaintiffs bring this suit challenging the BOD and the Final Decision under the APA as violative of Plaintiffs' Fifth Amendment right to due process and as arbitrary and capricious and not based on substantial evidence Plaintiffs seek declaratory relief 5 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 6 of 22 that the BOD and Final Decision are invalid and preliminary and permanent injunctive relief to rescind them and enjoin enforcement PARTIES 21 Plaintiff Kaspersky Lab Inc is a Massachusetts corporation with its principal place of business in Woburn Massachusetts Plaintiff Kaspersky Lab Inc is a directly whollyowned subsidiary of Plaintiff Kaspersky Labs Limited a U K holding company 22 Defendant DHS is the federal agency responsible for issuing and implementing the BOD and Final Decision at issue in this case 23 Defendant Kirstjen Nielsen is the Secretary of DHS and is being sued in her official capacity only JURISDICTION AND VENUE 24 This action arises under the Due Process clause of the Fifth Amendment of the Constitution and the APA 5 U S C 500-596 701 et seq This Court has jurisdiction pursuant to 28 U S C 1331 and the APA 25 The Court has the authority to grant declaratory and injunctive relief pursuant to 28 U S C 2201 and 2202 and its inherent equitable powers 26 Venue is proper in this district pursuant to 28 U S C 1391 e 1 FACTUAL ALLEGATIONS I Kaspersky Lab Its Reputation in the Industry and Its Principles of Fighting Cyberthreats 27 Kaspersky Lab is a multinational cybersecurity company exclusively focused on protecting against cyberthreats no matter their origin It is one of the world's largest privately owned cybersecurity companies It operates in 200 countries and territories and maintains 35 6 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 7 of 22 offices in 31 countries Among its offices are research and development centers employing antimalware experts in the U S Europe Japan Israel China Russia and Latin America 28 Although the corporate group's global headquarters are in Moscow more than 85% of Kaspersky Lab's sales are generated outside of Russia Kaspersky Lab's presence in Russia and its deployment in areas of the world in which many sophisticated cyberthreats originate makes it a unique and essential partner in the fight against such threats which in its absence may not otherwise be met 29 Over 400 million users--from governments to private individuals commercial enterprise to critical infrastructure owners and operators alike--utilize Kaspersky Lab technologies to secure their data and systems 30 Kaspersky products have received top ratings for malware detection among other performance factors For example in 2016 Kaspersky Lab products participated in 78 independent tests reviews--and the company was awarded 55 first places and 70 top-three finishes Kaspersky Lab consistently ranks among the world's top four vendors of security solutions for endpoint users II Kaspersky Lab Inc and Sales to the U S Government 31 Founded in 2004 Kaspersky Lab Inc is a Massachusetts corporation and is a directly wholly-owned subsidiary of Kaspersky Labs Limited Kaspersky Lab Inc acts as the company's North American headquarters through offices in Woburn Massachusetts and employs nearly 300 people in the U S 32 The U S has been and remains one of the most significant geographic markets in Kaspersky Lab's global business Sales to customers in the United States represent approximately one quarter of total global bookings in 2016 Plaintiff Kaspersky Lab Inc has 7 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 8 of 22 invested over half a billion dollars in its operations over the last twelve years and over $65 million in 2016 alone 33 Active licenses held by federal agencies have a total value to Plaintiffs of less than USD $54 000 which represents a tiny fraction 0 03% of Plaintiff Kaspersky Lab Inc 's annual sales in the United States 1 34 Notwithstanding the limited volume of U S Government sales Kaspersky Lab Inc has a substantial interest in its status as a vendor to the U S Government and in its continued ability to sell its product to the U S Government inclusive of the right to be free of disparagement prejudicing commercial and enterprise customers III Without Affording Plaintiffs Notice or Opportunity to Be Heard DHS Issued an Immediate and Complete Ban of Kaspersky Lab from all Government Agencies 35 On September 13 2017 without affording any notice to Kaspersky Lab or prior opportunity to rebut the allegations and despite Plaintiffs' July 2017 outreach and Defendants' professed willingness to enter into discussion in August DHS announced that it had determined that the risks presented by Kaspersky-branded products justify the issuance of Binding Operational Directive 17-01 Removal of Kaspersky-Branded Products BOD at 1 The BOD as explained below effectively banned all U S government agencies from using Kaspersky products and debarred the company immediately Additionally it required existing software instances to be identified and removed The BOD applied to virtually all products solutions and services supplied directly or indirectly by Kaspersky Lab 2 Id at 2 In the accompanying Decision DHS branded Kaspersky Lab products a threat to U S national security 1 Based on Plaintiff Kaspersky Lab Inc 's 2016 net booking data The BOD excepted two specific services Kaspersky Threat Intelligence and Kaspersky Security Training BOD at 2 8 2 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 9 of 22 based on the ability of the Russian government whether acting on its own or through Kaspersky to capitalize on access to federal information and information systems provided by Kasperskybranded products Decision at 2 36 DHS issued the BOD pursuant to FISMA which authorizes DHS to issue binding operational directives-- compulsory direction to agencies for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat vulnerability or risk Id at 1 citing 44 U S C 3552 b 1 37 Specifically DHS claimed that FISMA justified the BOD because unclassified evidence --almost entirely uncorroborated media reports several citing anonymous sources-- established that a s long as Kaspersky branded products are present on federal information systems Kaspersky Lab or the Russian government will have the ability to exploit Kaspersky Lab 's access to those information systems for purposes contrary to U S national security including viewing or exfiltrating sensitive data or installing malicious code on federal systems such as through an update to the anti-virus software Decision at 2 38 The BOD compelled all federal agencies to 1 identify the use or presence of Kaspersky Lab-branded products on all federal informational systems within 30 days 2 develop a detailed plan to remove and discontinue present and future use of all Kaspersky Labbranded products within 60 days and 3 start the actual removal within 90 days unless directed otherwise by DHS in light of new information obtained by DHS including but not limited to new information submitted by Kaspersky the 30-60-90 day structure BOD at 2-3 The 30day identification deadline fell on October 13 2017 the 60-day removal plan deadline fell on November 12 2017 and the 90-day deadline to begin removal fell on December 12 2017 9 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 10 of 22 IV The BOD's Purported Administrative Process 39 In a separate letter to Plaintiffs accompanying the BOD DHS claimed to Plaintiffs that it was providing an administrative process to inform DHS decision making --a process to be later set forth in a Federal Register Notice--but as explained below that process had no bearing on the debarment already effectuated by the BOD and was purely perfunctory See DHS Letter to Eugene Kaspersky dated September 13 2017 40 On September 19 2017 DHS did indeed announce in the Federal Register that it was permitting Plaintiffs and any other affected parties to initiate a review of the BOD by submitting to DHS a written response and any additional information or evidence supporting the response to explain the adverse consequences address the Department's concerns or mitigate those concerns 82 Fed Reg 180 43783 43784 Sept 19 2017 DHS gave Plaintiffs until November 3 2017 subsequently extended to November 10 2017 to respond to the BOD 41 The Federal Register further provided that following DHS's receipt of a response to the BOD the Secretary's decision will be communicated to the entity in writing by December 13 2017 Id But this was one day after the 90-day deadline by which agencies were to have begun removing Kaspersky products In apparent acknowledgement of this procedural deficiency the Information Memorandum accompanying the Final Decision recommend s that the Acting Secretary respond to Kaspersky and issue her Final Decision on or before Monday December 11 --notwithstanding the December 13 2017 deadline set forth in the Federal Register Final Decision Information Memorandum at 3 42 On September 29 2017 DHS retrospectively provided Plaintiffs through their counsel access to an internal 21-page DHS Information Memorandum drafted and submitted to 10 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 11 of 22 the then Acting DHS Secretary on September 1 2017 in support of the BOD the BOD Information 43 On November 10 2017 Plaintiffs delivered to the Defendants the Kaspersky Lab Submission an extensive written response to the BOD and its Information 44 The Kaspersky Lab Submission rebutted at length the legal and factual allegations levied against Plaintiffs corrected many misunderstandings held by DHS as perpetuated by the news articles it cited and highlighted the deficiencies in the administrative process offered by Defendants 45 Following the issuance of the BOD DHS had repeatedly declined the requests of Plaintiffs and their counsel to engage in order to present the Company's position address DHS's concerns and discuss any potential options for mitigation Following the Kaspersky Lab Submission DHS did finally agree to meet with Plaintiffs' representatives and counsel on November 29 2017 At that meeting Plaintiffs responded to a number of questions from Defendants' attorneys regarding the Kaspersky Lab Submission but Defendants did not offer any further support for the BOD much less an indication that they were willing to rectify the procedural or substantive deficiencies in the BOD or consider any mitigating options short of the outright ban contemplated by the BOD 46 Plaintiffs believe that such options were available to Defendants and have not been fully explored either prior to or subsequent to the issuance of the BOD 47 On December 6 2017 and without any adequate consideration of the Kaspersky Lab Submission DHS issued a Final Decision maintaining BOD 17-01 without modification the Final Decision The Final Decision was accompanied by a Letter to Plaintiffs and an 11 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 12 of 22 Information Memorandum directed to the Acting Secretary in support of the Final Decision the Final Information V Without Justification Defendants' Administrative Process Provided No Notice or Opportunity to be Heard Prior to Deprivation 48 Although the BOD's 30-60-90 day structure gives the impression that harm is not immediate in reality the BOD is an immediate and complete debarment of Kaspersky Lab from government business upon issuance 49 At a November 14 2017 Hearing of the Committee on Science Space and Technology of the U S House of Representatives Bolstering the Government's Cybersecurity A Survey of Compliance with the DHS Directive Jeanette Manfra DHS Assistant Secretary for Cybersecurity and Communications testified that some agencies had already proceeded with removal of Kaspersky products without regard to the 30-60-90 day structure We're working with each agency individually Some of them have chosen to go ahead and remove the products ahead of schedule Not all of the agencies have submitted the required action plan as I mentioned Some of them have gone ahead and just identified a way to remove the software so they're going about that This testimony was just four days after Plaintiffs submitted the Kaspersky Lab Submission to DHS and Manfra testified that she had not yet even had an opportunity to review Plaintiff's response Thus federal agencies had begun removing Kaspersky software long before DHS even had completed its review of the Kaspersky Lab Submission 50 The BOD supported by other actions in Congress has also had a severe adverse impact on Kaspersky's other commercial interests in the U S which begun long before the Defendants' decision was officially declared Final For example several retailers have 12 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 13 of 22 removed Kaspersky Lab products from their shelves and suspended their long-standing partnerships with Kaspersky Lab following the issuance of the BOD As a result of these and other actions Plaintiffs' 2017 Q3 retail sales have fallen significantly compared to the same period in 2016 Presently Plaintiffs are receiving and processing an unprecedented volume of product return and early termination requests as a result of DHS and other U S Government actions which customers specifically refer to when stating the reason for their return 51 Indeed Christopher Krebs the Senior Official Performing the Duties of the Under Secretary for the National Protection and Programs Directorate who participated in the recommendation that the BOD be issued stated DHS's intent bluntly during public statements on October 31 2017 W hen DHS makes a pretty bold statement like issuing the Kaspersky Lab binding operational directive I think that's a fairly strong signal to consumers 3 This statement was made in response to a question regarding how and to what extent consumers should be informed as to the nature of any risk posed by Kaspersky Lab products in light of the recent issuance of the BOD The fact that a senior DHS official decided to make a statement of that nature at the same time Defendants were purporting to offer Kaspersky Lab a genuine and meaningful right to be heard makes clear that the DHS specifically intended to prejudice Kaspersky Lab's commercial interests even before the expiration of DHS's own arbitrarily imposed process and deadline for the implementation of the BOD 52 Krebs also confirmed through his statements to the media following the Final Decision that with his oversight federal agencies had actually been removing Kaspersky Labbranded software while this process was purported to be running prior to the 90-day mark See Aspen Institute Is the US Losing the Cyber Battle October 31 2017 https www aspeninstitute org events us-losing-cyber-battle 13 3 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 14 of 22 53 Kaspersky had no opportunity to test or rebut the evidence contained in the BOD or its Information before action was taken at the time the BOD was issued and therefore there has been no opportunity to effectively be heard 54 Rather under the circumstances the Fifth Amendment required DHS to provide Plaintiffs procedural protections before debarring it through the BOD Critically DHS made no attempt to demonstrate how prior notice to Plaintiffs would have interfered with DHS's goals of eliminating the alleged information risks Nor did DHS show why it failed to consider less severe measures or potential mitigation that could have been imposed on Kaspersky to address DHS's purported concerns DHS's failure to provide adequate and timely notice created a substantial risk of wrongful deprivation 55 As explained above the BOD the Decision its Information the Final Decision and the Final Information are all devoid of even a suggestion that the information security risks allegedly presented by Kaspersky Lab are imminent exigent or urgent--let alone to a degree that justify foreclosing pre-deprivation notice 56 To the contrary DHS provides three months for affected agencies to begin to implement their plan of action BOD at 2 In the same vein the BOD rests heavily on media accounts some of which are nearly two years old--hardly indicating a paramount need for swift action See e g BOD Information at 8 n 23 10 n 38 57 In fact urgency and immediacy are conspicuously absent from the reasons DHS gives for relying on the BOD rather than the traditional debarment procedure under the Federal Acquisition Regulations FAR Rather the Decision explains that DHS considers the BOD to be a more appropriate process than a debarment proceeding under the FAR principally because it is more draconian unlike a debarment pursuant to the FAR the BOD is prospective as well as 14 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 15 of 22 retrospective requires the removal of Kaspersky-branded products indefinitely and prevents third parties from selling products produced by Kaspersky Decision at 4 And so paradoxically even though it is more thorough in depriving Kaspersky Lab of its rights the BOD provides far less adequate process than the FAR which has a well-established and constitutionally adequate due process that requires agency decisions be made in consideration of a contractor's response before any action is taken to exclude it from future government contracts 58 Defendants in fact had ample opportunity to provide Kaspersky Lab with due process protections prior to the issuance of the BOD Unaware of what action if any DHS was contemplating Kaspersky Lab wrote to DHS on July 18 2017 with an offer to provide any information or assistance with regard to any investigation involving the Company its operations or its products DHS responded on August 14 2017 acknowledging the Company's letter and its offer of assistance and indicated that DHS will be in touch again shortly Nearly one month later and absent any other communication from DHS the BOD was issued VI DHS's Introduction of New Evidence in its Final Decision also Violates Due Process 59 Aside from failing to provide due process prior to the issuance of the BOD the process which DHS professed to provide Plaintiffs after its issuance was not meaningful or fair 60 DHS based the BOD at least in part on a supposed concern about Russian law In its December 6 2017 Final Decision DHS introduced for the first time an analysis of relevant portions of Russian law prepared by Professor Peter Maggs of the University of Illinois College of Law the 'Maggs Report' Final Decision at 2 61 Rather than introducing the Maggs Report with the September 13 2017 BOD-- which would have enabled Plaintiffs to address the report when Plaintiffs filed the Kaspersky Lab Submission--DHS withheld or did not obtain the report until its December 6 2017 Final 15 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 16 of 22 Decision This approach denied Plaintiffs basic due process by unfairly foreclosing Plaintiffs any opportunity to rebut or contest the Maggs Report VII The BOD is Based Almost Entirely on Uncorroborated Media Reports--Not Substantial Evidence--and therefore is Arbitrary and Capricious 62 The BOD and the Final Decision are based on the following three broad allegations levied against Plaintiffs and their software 1 the broad access to files and elevated privileges of anti-virus software including Kaspersky software 2 ties between Kaspersky officials and Russian government agencies and 3 requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers including U S government customers Final Decision p 2-3 63 DHS's record underlying the BOD in support of these three arguments is devoid of reliable evidence Rather the BOD is based on a series of uncorroborated news articles most of which rely upon the same anonymous sources none of which have been tested in a fair and public forum A Broad access to files and elevated privileges of anti-virus software including Kaspersky Lab software 64 DHS relies on an assumption that a particular software product or vendor should be banned because of a generally presumed susceptibility to exploitation by a malicious actor but tellingly it does not extend such a prohibition to other software products beyond anti-virus software or to other anti-virus software vendors besides Kaspersky Lab 65 Kaspersky Lab software operates in a manner that closely mirrors the offerings of other providers which have not been subject to the DHS action Neither the BOD Information nor the assessment by the National Cybersecurity and Communications Integration Center 16 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 17 of 22 NCCIC Assessment on which it relies provide any technical evidence to indicate that any Kaspersky Lab product represents either a greater or lesser technical risk to federal information systems than similar anti-virus software products or vendors 66 As noted above Kaspersky Lab's U S government business represents a small fraction of its U S much less its global business and software footprint Other anti-virus software products have a much larger footprint across federal government systems and are likely as vulnerable to exploitation by malicious cyber actors as DHS alleges is the case for Kasperskybranded software products 67 Thus if DHS's claims about anti-virus software were legitimate DHS would apply the BOD to other software rather than to Kaspersky Lab products alone B Ties between Kaspersky Lab and the Russian government 68 There is no evidence presented by DHS of improper coordination between Kaspersky Lab or its executives and the Russian Government in furtherance of demonstrable illicit activities Rather DHS speculates that cybersecurity risks are presented by Kaspersky Lab products merely by virtue of the fact that the Company is headquartered in Moscow 69 DHS's stated concern that the Russian Government engages in cyberespionage see e g Decision at 2 is not evidence that any global company like Kaspersky Lab headquartered or with operations in Russia are facilitating government sponsored cyberintrusions 70 In fact more than 85 percent of Kaspersky Lab's revenue comes from outside of Russia--a powerful economic incentive to avoid any action that would endanger the trusted relationships and integrity that serve as the foundation of its business by conducting inappropriate or unethical activities with any organization or country 17 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 18 of 22 71 The BOD Information further alleges that Kaspersky Lab senior executives have ties with the Russian government and highlights among other things their long ago former service within the Russian government and or military and their current profiles and connections BOD Information at 10-11 It fails to acknowledge however that each of these individuals grew up in the Soviet Union at a time when the government relied heavily on conscripted service As such allegations of this sort could be made against the majority of Russians of the same generation These facts do not indicate that their connections or service with the Russian Government were or are inappropriate or that they have continued to this day 72 Moreover DHS does not suggest that an inappropriate relationship between Kaspersky Lab and the Russian Government or otherwise is likely or probable--or even that there is any relationship whatsoever DHS simply suggests that such an inappropriate relationship is possible Such an established relationship and connections between Kaspersky and the FSB Russian Security Services could facilitate future cooperation for other purposes and therefore is an area of serious concern to DHS Final Information at 13 emphasis added C Requirements under Russian law 73 The BOD Information alleges that Kaspersky Lab has obtained certificates and licenses from the Russian Security Services FSB and that this suggest s an unusually close relationship between the two BOD Information at 9 But there is simply nothing unusual about the licenses or certificates Kaspersky Lab has obtained from the FSB in the normal course of doing business in Russia All information technology companies involved in cryptography-related activities operating in Russia including leading U S companies are required to obtain the same licenses and certificates from the FSB In recognizing this exact role of the FSB in granting certificates for certain commercial products the U S Department of the 18 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 19 of 22 Treasury's Office of Foreign Assets Control issued General License No 1 under the Cyber Sanctions Executive Orders which expressly authorized U S companies to obtain precisely the same licenses from the FSB in a way that would otherwise have been prohibited due to the FSB's prior designation under those sanctions authorities 74 DHS also claims that the BOD is warranted based on the FSB's authority to compel or request assistance from companies in Russia Decision at 2 BOD Information at 2 12 However this obligation applies to all companies operating in Russia The FSB can request information from companies in Russia only in furtherance of specified duties--and are subject to challenge in Court Defendants fail to provide any evidence of the FSB actually compelling Plaintiffs to provide any information on Plaintiffs' customers in the U S or any other evidence of Plaintiffs' interaction with Russian authorities that would pose a security threat to federal agencies using the software in the U S VIII Defendants' Failure to Acknowledge and Fulfill Due Process and APA Protections 75 DHS through its actions and statements described above has demonstrated its willing failure to comply with the requirements of the APA and the U S Constitution in issuing the BOD Plaintiffs explained these violations in the Kaspersky Lab Submission 76 Rather than responding to these deficiencies and attempting in any way to remedy them DHS cursorily dismissed them in its Final Decision and Information DHS says simply that it is confident that the BOD procedures are constitutional and lawful that the BOD is based on a substantial body of evidence and that DHS provided Kaspersky with meaningful notice and opportunity to confront the evidence against it Final Information at 23 19 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 20 of 22 77 For the reasons set out in this Complaint this is not the case DHS has not in the Final Information the Final Decision or anywhere else demonstrated its fulfillment of its obligations under the APA or the U S Constitution EXHAUSTION FINALITY AND STANDING 78 Plaintiffs have exhausted the professed administrative process provided by DHS as described above through the November 10 2017 Kaspersky Lab Submission 79 Plaintiffs challenge a final agency action for purposes section 704 of the APA After DHS issued the BOD and Plaintiffs submitted the Kaspersky Lab Submission DHS issued its Final Decision maintaining BOD 17-01 as explained above 80 Plaintiff Kaspersky Lab Inc has standing to bring this suit because the Company sold its products through its partners to the U S Government and is injured by the debarment effectuated by the BOD The company also has been injured by DHS's disparagement of the Company through the BOD 81 Plaintiff Kaspersky Labs Limited also has standing As the U K parent Kaspersky Labs Limited suffers financial harm due to its wholly-owned subsidiary's loss of sales and reputational injury resulting from the BOD Kaspersky Labs Limited is also injured by the BOD's preclusive effect The BOD orders all federal agencies to discontinue all Kasperskybranded software thereby precluding Kaspersky Labs Limited from making a direct sale to the U S Government 20 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 21 of 22 FIRST CAUSE OF ACTION Administrative Procedure Act 5 U S C 706 2 B and the Due Process Clause of the Fifth Amendment of the United States Constitution 82 Plaintiffs incorporate by reference as if fully restated herein paragraphs 1-81 83 The APA directs that the the reviewing court shall hold unlawful and set aside above agency actions findings and conclusions found to be contrary to constitutional right power privilege or immunity 5 U S C 706 2 B 84 The BOD as issued to Kaspersky Lab and upheld by the Final Decision is unlawful and contrary to constitutional right power privilege and immunity 85 DHS violated Plaintiffs' Fifth Amendment rights to due process by depriving Plaintiffs of a protected liberty interest with constitutionally insufficient procedures attendant upon that deprivation Through the BOD DHS debarred Plaintiffs from government contracting and effectively terminated Kaspersky Lab as a government contractor while simultaneously broadcasting to the world insufficient and uncorroborated reasons for that termination As explained above DHS was required to provide pre-deprivation due process and did not SECOND CAUSE OF ACTION Administrative Procedure Act 5 U S C 706 2 A 86 Plaintiffs incorporate by reference as if fully restated herein paragraphs 1-81 87 The APA directs that the reviewing court shall hold unlawful and set aside above agency actions findings and conclusions found to be arbitrary capricious an abuse of discretion or otherwise not in accordance with law 5 U S C 706 2 A 21 Case 1 17-cv-02697 Document 1 Filed 12 18 17 Page 22 of 22 88 The BOD is not supported by substantial evidence DHS did not properly evaluate the strength of the evidence before it and therefore failed to satisfactorily support its decision or identify a rational connection between the facts before it and the conclusions it reached Accordingly the BOD was arbitrary and capricious and an abuse of agency discretion PRAYER FOR RELIEF WHEREFORE Plaintiffs respectfully request that a judgment be granted a Preliminarily and permanently invalidating and rescinding the BOD and the December 6 2017 Final Decision maintaining the BOD and enjoining DHS from enforcing the BOD and the Final Decision b Declaring the BOD and Final Decision invalid and declaring that the presence of Kaspersky Lab-branded products on federal information systems do not present a known or reasonably suspected information security threat vulnerability and risk to federal information systems and c Granting such other relief as the Court deems just and proper Dated December 18 2017 Respectfully submitted s Ryan P Fayhee Ryan P Fayhee Bar No 1033852 Steven Chasin Bar No 495853 Baker McKenzie LLP 815 Connecticut Avenue NW Washington D C 20006 Tel 202 452 7024 Fax 202 416 7024 Ryan Fayhee@bakermckenzie com Steven Chasin@bakermckenzie com Attorneys for Kaspersky Lab Inc and Kaspersky Labs Limited 22 Case 1 17-cv-02697 Document 1-1 Filed 12 18 17 Page 1 of 2 CIVIL COVER SHEET JS-44 Rev 6 17 DC I a PLAINTIFFS DEFENDANTS Kaspersky Lab Inc Kaspersky Labs Limited Department of Homeland Security KirstjenNielsen in her official capacity as Secretary of Homeland Security 88888 COUNTY OF RESIDENCE OF FIRST LISTED DEFENDANT _____________________ IN U S PLAINTIFF CASES ONLY b COUNTY OF RESIDENCE OF FIRST LISTED PLAINTIFF _____________________ EXCEPT IN U S PLAINTIFF CASES c ATTORNEYS FIRM NAME ADDRESS AND TELEPHONE NUMBER NOTE IN LAND CONDEMNATION CASES USE THE LOCATION OF THE TRACT OF LAND INVOLVED ATTORNEYS IF KNOWN Ryan P Fayhee Steven Chasin Baker McKenzie LLP 815 Connecticut Ave N W Washington DC 20006 Tel 202 452-7024 II BASIS OF JURISDICTION III CITIZENSHIP OF PRINCIPAL PARTIES PLACE AN x IN ONE BOX FOR PLACE AN x IN ONE BOX ONLY o o 1 U S Government Plaintiff 2 U S Government Defendant o o 3 Federal Question U S Government Not a Party 4 Diversity Indicate Citizenship of Parties in item III PLAINTIFF AND ONE BOX FOR DEFENDANT FOR DIVERSITY CASES ONLY PTF DFT Citizen of this State Citizen of Another State Citizen or Subject of a Foreign Country o1 o1 o2 o2 o3 o3 Incorporated or Principal Place of Business in This State Incorporated and Principal Place of Business in Another State Foreign Nation PTF DFT o4 o4 o5 o5 o6 o6 IV CASE ASSIGNMENT AND NATURE OF SUIT Place an X in one category A-N that best represents your Cause of Action and one in a corresponding Nature of Suit o A Antitrust 410 Antitrust o o o B Personal Injury Malpractice 310 Airplane 315 Airplane Product Liability 320 Assault Libel Slander 330 Federal Employers Liability 340 Marine 345 Marine Product Liability 350 Motor Vehicle 355 Motor Vehicle Product Liability 360 Other Personal Injury 362 Medical Malpractice 365 Product Liability 367 Health Care Pharmaceutical Personal Injury Product Liability 368 Asbestos Product Liability E General Civil Other Real Property 210 Land Condemnation 220 Foreclosure 230 Rent Lease Ejectment 240 Torts to Land 245 Tort Product Liability 290 All Other Real Property Personal Property 370 Other Fraud 371 Truth in Lending 380 Other Personal Property Damage 385 Property Damage Product Liability C Administrative Agency Review 151 Medicare Act Social Security 861 HIA 1395ff 862 Black Lung 923 863 DIWC DIWW 405 g 864 SSID Title XVI 865 RSI 405 g Other Statutes 891 Agricultural Acts 893 Environmental Matters 890 Other Statutory Actions If Administrative Agency is Involved OR Bankruptcy 422 Appeal 27 USC 158 423 Withdrawal 28 USC 157 Prisoner Petitions 535 Death Penalty 540 Mandamus Other 550 Civil Rights 555 Prison Conditions 560 Civil Detainee - Conditions of Confinement Property Rights 820 Copyrights 830 Patent 835 Patent - Abbreviated New Drug Application 840 Trademark o o D Temporary Restraining Order Preliminary Injunction Any nature of suit from any category may be selected for this category of case assignment If Antitrust then A governs F Pro Se General Civil Federal Tax Suits 870 Taxes US plaintiff or defendant 871 IRS-Third Party 26 USC 7609 Forfeiture Penalty 625 Drug Related Seizure of Property 21 USC 881 690 Other Other Statutes 375 False Claims Act 376 Qui Tam 31 USC 3729 a 400 State Reapportionment 430 Banks Banking 450 Commerce ICC Rates etc 460 Deportation 462 Naturalization Application 465 Other Immigration Actions 470 Racketeer Influenced Corrupt Organization 480 Consumer Credit 490 Cable Satellite TV 850 Securities Commodities Exchange 896 Arbitration 899 Administrative Procedure Act Review or Appeal of Agency Decision 950 Constitutionality of State Statutes 890 Other Statutory Actions if not administrative agency review or Privacy Act Case 1 17-cv-02697 Document 1-1 Filed 12 18 17 Page 2 of 2 o G Habeas Corpus 2255 o K Labor ERISA non-employment 710 Fair Labor Standards Act 720 Labor Mgmt Relations 740 Labor Railway Act 751 Family and Medical Leave Act 790 Other Labor Litigation 791 Empl Ret Inc Security Act If pro se select this deck If pro se select this deck o o L Other Civil Rights non-employment 441 Voting if not Voting Rights Act 443 Housing Accommodations 440 Other Civil Rights 445 Americans w Disabilities - Employment 446 Americans w Disabilities - Other 448 Education o I FOIA Privacy Act 895 Freedom of Information Act 890 Other Statutory Actions if Privacy Act 442 Civil Rights - Employment criteria race gender sex national origin discrimination disability age religion retaliation 530 Habeas Corpus - General 510 Motion Vacate Sentence 463 Habeas Corpus - Alien Detainee o o H Employment Discrimination 152 Recovery of Defaulted Student Loan excluding veterans o M Contract 110 Insurance 120 Marine 130 Miller Act 140 Negotiable Instrument 150 Recovery of Overpayment Enforcement of Judgment 153 Recovery of Overpayment of Veteran's Benefits 160 Stockholder's Suits 190 Other Contracts 195 Contract Product Liability 196 Franchise J Student Loan N Three-Judge Court 441 Civil Rights - Voting if Voting Rights Act V ORIGIN o 1 Original o 2 Removed o 3 Remanded Proceeding from State Court from Appellate Court o 4 Reinstated o 5 Transferred o 6 Multi-district o 7 Appeal to or Reopened from another district specify Litigation o 8 Multi-district District Judge from Mag Judge Litigation - Direct File VI CAUSE OF ACTION CITE THE U S CIVIL STATUTE UNDER WHICH YOU ARE FILING AND WRITE A BRIEF STATEMENT OF CAUSE Judicial review under Administrative Procedure Act 5 USC 702 seeking preliminary injunction against agency directive VII REQUESTED IN COMPLAINT CHECK IF THIS IS A CLASS ACTION UNDER F R C P 23 DEMAND $ JURY DEMAND Check YES only if demanded in complaint VIII RELATED CASE S IF ANY See instruction YES If yes please complete related case form 12 18 2017 DATE _________________________ NO YES NO s Ryan P Fayhee SIGNATURE OF ATTORNEY OF RECORD _________________________________________________________ INSTRUCTIONS FOR COMPLETING CIVIL COVER SHEET JS-44 Authority for Civil Cover Sheet The JS-44 civil cover sheet and the information contained herein neither replaces nor supplements the filings and services of pleadings or other papers as required by law except as provided by local rules of court This form approved by the Judicial Conference of the United States in September 1974 is required for the use of the Clerk of Court for the purpose of initiating the civil docket sheet Consequently a civil cover sheet is submitted to the Clerk of Court for each civil complaint filed Listed below are tips for completing the civil cover sheet These tips coincide with the Roman Numerals on the cover sheet I COUNTY OF RESIDENCE OF FIRST LISTED PLAINTIFF DEFENDANT b County of residence Use 11001 to indicate plaintiff if resident of Washington DC 88888 if plaintiff is resident of United States but not Washington DC and 99999 if plaintiff is outside the United States III CITIZENSHIP OF PRINCIPAL PARTIES This section is completed only if diversity of citizenship was selected as the Basis of Jurisdiction under Section II IV CASE ASSIGNMENT AND NATURE OF SUIT The assignment of a judge to your case will depend on the category you select that best represents the primary cause of action found in your complaint You may select only one category You must also select one corresponding nature of suit found under the category of the case VI CAUSE OF ACTION Cite the U S Civil Statute under which you are filing and write a brief statement of the primary cause VIII RELATED CASE S IF ANY If you indicated that there is a related case you must complete a related case form which may be obtained from the Clerk's Office Because of the need for accurate and complete information you should ensure the accuracy of the information provided prior to signing the form Case 1 17-cv-02697 Document 1-2 Filed 12 18 17 Page 1 of 2 AO 440 Rev 06 12 Summons in a Civil Action UNITED STATES DISTRICT COURT for the District of Columbia __________ District of __________ Kaspersky Lab Inc Kaspersky Labs Limited Plaintiff s v Department of Homeland Security Kirstjen Nielsen in her official capacity as Secretary of Homeland Security Defendant s Civil Action No SUMMONS IN A CIVIL ACTION To Defendant's name and address U S Department of Homeland Security Washington DC 20528 A lawsuit has been filed against you Within 21 days after service of this summons on you not counting the day you received it -- or 60 days if you are the United States or a United States agency or an officer or employee of the United States described in Fed R Civ P 12 a 2 or 3 -- you must serve on the plaintiff an answer to the attached complaint or a motion under Rule 12 of the Federal Rules of Civil Procedure The answer or motion must be served on the plaintiff or plaintiff's attorney whose name and address are Ryan P Fayhee Baker McKenzie LLP 815 Connecticut Ave N W Washington DC 20006 If you fail to respond judgment by default will be entered against you for the relief demanded in the complaint You also must file your answer or motion with the court CLERK OF COURT Date Signature of Clerk or Deputy Clerk Case 1 17-cv-02697 Document 1-2 Filed 12 18 17 Page 2 of 2 AO 440 Rev 06 12 Summons in a Civil Action Page 2 Civil Action No PROOF OF SERVICE This section should not be filed with the court unless required by Fed R Civ P 4 l This summons for name of individual and title if any was received by me on date ' I personally served the summons on the individual at place on date or ' I left the summons at the individual's residence or usual place of abode with name a person of suitable age and discretion who resides there on date and mailed a copy to the individual's last known address or ' I served the summons on name of individual who is designated by law to accept service of process on behalf of name of organization on date or ' I returned the summons unexecuted because or ' Other specify My fees are $ for travel and $ for services for a total of $ 0 00 I declare under penalty of perjury that this information is true Date Server's signature Printed name and title Server's address Additional information regarding attempted service etc Print Save As Reset Case 1 17-cv-02697 Document 1-3 Filed 12 18 17 Page 1 of 2 AO 440 Rev 06 12 Summons in a Civil Action UNITED STATES DISTRICT COURT for the District of Columbia __________ District of __________ Kaspersky Lab Inc Kaspersky Labs Limited Plaintiff s v Department of Homeland Security Kirstjen Nielsen in her official capacity as Secretary of Homeland Security Defendant s Civil Action No SUMMONS IN A CIVIL ACTION To Defendant's name and address Kirstjen Nielsen Secretary of Homeland Security U S Department of Homeland Security Washington DC 20528 A lawsuit has been filed against you Within 21 days after service of this summons on you not counting the day you received it -- or 60 days if you are the United States or a United States agency or an officer or employee of the United States described in Fed R Civ P 12 a 2 or 3 -- you must serve on the plaintiff an answer to the attached complaint or a motion under Rule 12 of the Federal Rules of Civil Procedure The answer or motion must be served on the plaintiff or plaintiff's attorney whose name and address are Ryan P Fayhee Baker McKenzie LLP 815 Connecticut Ave N W Washington DC 20006 If you fail to respond judgment by default will be entered against you for the relief demanded in the complaint You also must file your answer or motion with the court CLERK OF COURT Date Signature of Clerk or Deputy Clerk Case 1 17-cv-02697 Document 1-3 Filed 12 18 17 Page 2 of 2 AO 440 Rev 06 12 Summons in a Civil Action Page 2 Civil Action No PROOF OF SERVICE This section should not be filed with the court unless required by Fed R Civ P 4 l This summons for name of individual and title if any was received by me on date ' I personally served the summons on the individual at place on date or ' I left the summons at the individual's residence or usual place of abode with name a person of suitable age and discretion who resides there on date and mailed a copy to the individual's last known address or ' I served the summons on name of individual who is designated by law to accept service of process on behalf of name of organization on date or ' I returned the summons unexecuted because or ' Other specify My fees are $ for travel and $ for services for a total of $ 0 00 I declare under penalty of perjury that this information is true Date Server's signature Printed name and title Server's address Additional information regarding attempted service etc Print Save As Reset Case 1 17-cv-02697 Document 1-4 Filed 12 18 17 Page 1 of 2 AO 440 Rev 06 12 Summons in a Civil Action UNITED STATES DISTRICT COURT for the District of Columbia __________ District of __________ Kaspersky Lab Inc Kaspersky Labs Limited Plaintiff s v Department of Homeland Security Kirstjen Nielsen in her official capacity as Secretary of Homeland Security Defendant s Civil Action No SUMMONS IN A CIVIL ACTION To Defendant's name and address Attorney General of the United States Jefferson Sessions III 950 Pennsylvania Avenue NW Washington DC 20530 A lawsuit has been filed against you Within 21 days after service of this summons on you not counting the day you received it -- or 60 days if you are the United States or a United States agency or an officer or employee of the United States described in Fed R Civ P 12 a 2 or 3 -- you must serve on the plaintiff an answer to the attached complaint or a motion under Rule 12 of the Federal Rules of Civil Procedure The answer or motion must be served on the plaintiff or plaintiff's attorney whose name and address are Ryan P Fayhee Baker McKenzie LLP 815 Connecticut Ave N W Washington DC 20006 If you fail to respond judgment by default will be entered against you for the relief demanded in the complaint You also must file your answer or motion with the court CLERK OF COURT Date Signature of Clerk or Deputy Clerk Case 1 17-cv-02697 Document 1-4 Filed 12 18 17 Page 2 of 2 AO 440 Rev 06 12 Summons in a Civil Action Page 2 Civil Action No PROOF OF SERVICE This section should not be filed with the court unless required by Fed R Civ P 4 l This summons for name of individual and title if any was received by me on date ' I personally served the summons on the individual at place on date or ' I left the summons at the individual's residence or usual place of abode with name a person of suitable age and discretion who resides there on date and mailed a copy to the individual's last known address or ' I served the summons on name of individual who is designated by law to accept service of process on behalf of name of organization on date or ' I returned the summons unexecuted because or ' Other specify My fees are $ for travel and $ for services for a total of $ 0 00 I declare under penalty of perjury that this information is true Date Server's signature Printed name and title Server's address Additional information regarding attempted service etc Print Save As Reset Case 1 17-cv-02697 Document 1-5 Filed 12 18 17 Page 1 of 2 AO 440 Rev 06 12 Summons in a Civil Action UNITED STATES DISTRICT COURT for the District of Columbia __________ District of __________ Kaspersky Lab Inc Kaspersky Labs Limited Plaintiff s v Department of Homeland Security Kirstjen Nielsen in her official capacity as Secretary of Homeland Security Defendant s Civil Action No SUMMONS IN A CIVIL ACTION To Defendant's name and address United States Attorney for the District of Columbia Jessie K Liu 555 Fourth Street NW Washington DC 20530 A lawsuit has been filed against you Within 21 days after service of this summons on you not counting the day you received it -- or 60 days if you are the United States or a United States agency or an officer or employee of the United States described in Fed R Civ P 12 a 2 or 3 -- you must serve on the plaintiff an answer to the attached complaint or a motion under Rule 12 of the Federal Rules of Civil Procedure The answer or motion must be served on the plaintiff or plaintiff's attorney whose name and address are Ryan P Fayhee Baker McKenzie LLP 815 Connecticut Ave N W Washington DC 20006 If you fail to respond judgment by default will be entered against you for the relief demanded in the complaint You also must file your answer or motion with the court CLERK OF COURT Date Signature of Clerk or Deputy Clerk Case 1 17-cv-02697 Document 1-5 Filed 12 18 17 Page 2 of 2 AO 440 Rev 06 12 Summons in a Civil Action Page 2 Civil Action No PROOF OF SERVICE This section should not be filed with the court unless required by Fed R Civ P 4 l This summons for name of individual and title if any was received by me on date ' I personally served the summons on the individual at place on date or ' I left the summons at the individual's residence or usual place of abode with name a person of suitable age and discretion who resides there on date and mailed a copy to the individual's last known address or ' I served the summons on name of individual who is designated by law to accept service of process on behalf of name of organization on date or ' I returned the summons unexecuted because or ' Other specify My fees are $ for travel and $ for services for a total of $ 0 00 I declare under penalty of perjury that this information is true Date Server's signature Printed name and title Server's address Additional information regarding attempted service etc Print Save As Reset This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu