Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 1 of 32 UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA KASPERSKY LAB INC and KASPERSKY LABS LIMITED Plaintiffs v U S DEPARTMENT OF HOMELAND SECURITY and KIRSTJEN NIELSEN in her official capacity as Secretary of Homeland Security Defendants Civ Act No 17-cv-02697-CKK REPLY MEMORANDUM IN SUPPORT OF PLAINTIFFS' APPLICATION FOR PRELIMINARY INJUNCTION Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 2 of 32 TABLE OF CONTENTS INTRODUCTION 1 I Plaintiffs Have Standing to Challenge their Own Debarment 2 A B II III The enactment of the NDAA does not preclude the redress of Plaintiffs' injuries 2 1 Plaintiffs have challenged the NDAA as an unconstitutional Bill of Attainder 2 2 The NDAA ban does not yet have legal effect 3 Plaintiffs' injuries fairly trace to the BOD and are likely to be redressed by rescission of the BOD 3 1 The loss of Plaintiffs' legal right to sell to the U S Government would be redressed by a favorable decision rescinding the BOD 4 2 Plaintiffs' reputational injury is fairly traceable to the BOD and likely would be redressed by rescission 6 Defendants Have Failed to Articulate Sufficient Due Process or Produce an Adequate Administrative Record 9 A DHS's decision was final upon issuance of the BOD in September 2017 the Final Decision issued in December is an illusion which Defendants continue through their Response 9 B Plaintiffs suffered injury long before the Final Decision 11 C Defendants seek to retroactively demonstrate due process where none exists 13 D Defendants' administrative process falls well short of what would have been required to debar Plaintiffs under the Federal Acquisition Regulations 15 Defendants Overstate the Degree of Discretion Granted to DHS Under FISMA and the Degree of Deference Afforded under the APA 17 A Binding Operational Directives issued under FISMA are subject to APA review 17 B There is no suggestion in the record of any operational urgency for the BOD 20 ii Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 3 of 32 C IV The BOD is based on news reports and not on any highly technical or classified information 21 Plaintiffs have Established Remaining Elements for Preliminary Injunction 24 CONCLUSION 25 iii Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 4 of 32 TABLE OF AUTHORITIES Page s Cases ACORN v United States 618 F 3d 125 2d Cir 2010 4 5 Advantage Media L L C v City of Eden Prairie 456 F 3d 793 8th Cir 2006 2 Arent v Shalala 70 F 3d 610-614 D C Cir 1995 19 Cobell v Kempthorne 455 F 3d 301 D C Cir 2006 17 Common Cause v Dept of Energy 702 F 2d 245 D C Cir 1983 5 Delta Air Lines v Export-Import Bank of the US 718 F 3d 974 D C Cir 2013 18 20 Delta Const Co v EPA 783 F 3d 1291 D C Cir 2015 2 Drakes Bay Oyster Co v Jewell 747 F 3d 1073 9th Cir 2014 3 Foretich v United States 351 F 3d 1198 D C Cir 2003 6 7 8 Gonzalez v Freeman 334 F 2d 570 D C Cir 1964 1 25 Hi-Tech Furnace Systs Inc v FCC 224 F 3d 781 D C Cir 2000 18 Holy Land Foundation v Ashcroft 333 F 3d 156 D C Cir 2003 22 Huntington Branch NAACP v Huntington 689 F 2d 391 2d Cir 1982 5 6 Int'l Union of Bricklayers Allied Craftsmen v Meese 761 F 2d 798 D C Cir 1985 6 Kirwa v DOD 2017 U S Dist LEXIS 176826 D D C Oct 25 2017 18 iv Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 5 of 32 Larson v Valente 456 U S 228 1982 8 McBryde v Committee to Rev Cir Council Conduct 264 F 3d 52 D C Cir 2001 9 McConnell v FEC 540 U S 93 2003 2 Nat'l Conference on Ministry to the Armed Forces v James 278 F Supp 2d 37 D D C 2003 24 Nat'l Council of Resistance of Iran v Dep't of State 251 F 3d 192 D C Cir 2001 12 Nat'l Wrestling Coaches Ass'n v Dep't of Educ 366 F 3d 930 D C Cir 2004 5 Nicopure Labs LLC v FDA 266 F Supp 3d 360 D D C 2017 19 Open Cmtys All v Carson 2017 U S Dist LEXIS 211319 D D C Dec 23 2017 25 Paracha v Obama 194 F Supp 3d 7 D D C 2016 2 People's Mojahedin Organization v State 182 F 3d 17 D C Cir 1999 22 Physician's Education Network Inc v Department of Health Education Welfare 653 F 2d 621 D C Cir 1981 3 Qualls v Rumsfeld 357 F Supp 2d 274 D D C 2005 24 Renal Physicians Ass'n v DOH 489 F 3d 1267 D C Cir 2007 5 Scenic Am Inc v U S Dept of Transp 836 F 3d 42 D C Cir 2016 5 Spokeo Inc v Robins 136 S Ct 1540 2016 4 St John's United Church of Christ v FAA 520 F 3d 460 D C Cir 2008 5 Texas v EPA 726 F 3d 180 2013 3 v Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 6 of 32 U S Ecology Inc v DOI 231 F 3d 20 D C Cir 2000 5 In re U S Office of Pers Mgmt Data Sec Breach Litig 266 F Supp 3d 1 D D C 2017 17 19 Watervale Marine Co v DHS 55 F Supp 3d 124 D D C 2014 17 White v United States 601 F 3d 545 6th Cir 2010 2 Wisconsin Gas Co v FERC 758 F 2d 669 D C Cir 1985 24 25 Workers Union of Am AFL-CIO v Transp Sec Admin 492 F 3d 471 D C Cir 2007 3 Zevallos v Obama 793 F 3d 106 D C Cir 2015 22 Statutes Administrative Procedure Act 5 U S C 706 et seq passim Federal Inforamation Security Modernization Act of 2014 44 U S C 3551 et seq 2014 passim National Defense Authorization Act for Fiscal Year 2018 Public Law No 115-91 passim Other Authorities 48 C F R Part 9 406-3 c 16 48 C F R Part 9 406-3 d 1 16 82 Fed Reg 43 782 Sept 19 2017 14 Fifth Amendment of the Constitution 14 vi Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 7 of 32 Defendants' Opposition in Response to Plaintiffs' Application for Preliminary Injunction Response or Resp warrants the following reply INTRODUCTION T he power of debarment is tantamount to one of life or death over a business Gonzalez v Freeman 334 F 2d 570 575 n 5 D C Cir 1964 J Burger quotation omitted DHS exercised this power against Plaintiffs Binding Operational Directive 17-01 the BOD bars Plaintiffs from contracting with the federal government publicly labels them an information security threat and results in irreparable reputational and financial harm Indeed Defendants do not dispute that the BOD deprived Plaintiffs of their liberty interests Nevertheless Defendants argue that the Court should not reach this issue claiming that the National Defense Authorization Act for Fiscal Year 2018 NDAA precludes standing because it effects an independent debarment of Plaintiffs' products Plaintiffs have challenged the NDAA by separate lawsuit and its effects are no longer inevitable Presently the BOD is the only legal bar to Plaintiffs' exercise of their rights and the only provision formally labeling Plaintiffs as an information security threat And this Circuit's case law makes clear that rescission of the BOD need not redress every reputational injury suffered by Plaintiffs--only the discrete one stemming from the BOD Defendants' irreparable harm arguments are premised on the same theories and are likewise unavailing Defendants' claim that Plaintiffs received adequate due process for the deprivation of their liberty rights mischaracterizes the record and ignores this Circuit's holdings The only purported process occurred after DHS issued the BOD Since the BOD effected the deprivation at the time it was issued this was a deprivation of due process Nor was the process afforded 1 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 8 of 32 after this deprivation constitutionally adequate Simply put the Final Decision was a foregone conclusion I Plaintiffs Have Standing to Challenge their Own Debarment A The enactment of the NDAA does not preclude the redress of Plaintiffs' injuries Defendants argue that Plaintiffs lack standing on the grounds that enactment of Section 1634 of the NDAA has essentially duplicated the effect of the BOD Defendants rest their argument on cases providing that where an independent and unchallenged action will cause the same harm the injury is not redressable See Resp at 15-16 Neither predicate exists here 1 Plaintiffs have challenged the NDAA as an unconstitutional Bill of Attainder First concurrent with this filing Plaintiffs are challenging the NDAA Kaspersky Lab has filed a Complaint in this Court challenging the NDAA as an unconstitutional bill of attainder See Complaint Kaspersky Lab Inc et al v United States 18-cv-325 D D C Feb 12 2018 As a result Defendants' cited cases are now inapposite as the plaintiffs in those cases failed because they challenged only one governing rule regulation or label leaving another unchallenged rule that deprived them of the same right In other words these were all halfmeasures to exercise the right at issue the petitioner had to invalidate two regulations but challenged only one and a favorable ruling would leave them in precisely the same position 1 Here Plaintiffs are not asking for a half-measure and--if successful--would not obtain a hollow 1 Plaintiffs' inapplicable authority turning on the existence of some unchallenged law rule or label include Advantage Media L L C v City of Eden Prairie 456 F 3d 793 801 8th Cir 2006 unchallenged provisions of code bar proposed sign White v United States 601 F 3d 545 552 6th Cir 2010 unchallenged state law barred cockfighting Delta Const Co v EPA 783 F 3d 1291 1296 D C Cir 2015 unchallenged NHTSA rule caused same harm as EPA regulation Paracha v Obama 194 F Supp 3d 7 10 D D C 2016 unchallenged Executive decision caused same harm as statute McConnell v FEC 540 U S 93 2003 unchallenged provision of same statute See Resp at 15-16 2 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 9 of 32 victory they are seeking to invalidate both federal actions 2 In short Defendants cannot avoid their constitutional obligations in this case by citing to the NDAA 2 The NDAA ban does not yet have legal effect Second the NDAA is not yet legally effective It has an October 1 2018 Effective Date Today the BOD is the only action that deprives Plaintiffs their legal ability to sell to the Government Defendants attempt to conflate this by stating that the October 1 date is a deadline not a start date Resp at 19 In reality the October 1 2018 date is both a deadline and a start date It is the effective date Defendants cannot have it both ways arguing that the BOD is the operative prohibition on agency use of Kaspersky Lab products until October 1 2018 Final Information Memorandum at AR0756-AR0757 in order to sustain the BOD--while also arguing that the NDAA has complete and immediate effect e ven without being in force by making the prospect of doing business with Kaspersky Lab during the implementation period a practical if not legal impossibility Resp at 19 B Plaintiffs' injuries fairly trace to the BOD and are likely to be redressed by rescission of the BOD With that background it is clear that Plaintiffs meet the three elements of standing to challenge their own debarment Defendants do not and cannot dispute Plaintiffs' injuries-in-fact 2 Defendants' other cases at Resp 15-16 are inapposite because they involve 1 challenges to the wrong regulations--see Texas v EPA 726 F 3d 180 199 2013 challenged rules instead of Act 2 challenges seeking the wrong relief--Workers Union of Am AFL-CIO v Transp Sec Admin 492 F 3d 471 477 D C Cir 2007 challenging only agency's decision to switch to new rule when both old and new rule had same result for petitioner 3 challenges where the harm could not be undone--Physician's Education Network Inc v Department of Health Education Welfare 653 F 2d 621 623 D C Cir 1981 harm from Congress relying on report no longer redressable where Congress had already relied on report and 4 mismatch between object of challenge and claimed injury--Drakes Bay Oyster Co v Jewell 747 F 3d 1073 1092 9th 2014 claimed injury arises from the Secretary's decision to let its permit expire not the designation in the notice 3 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 10 of 32 their loss of the legal right to sell to the government and their reputational harm--either or both of which establish standing Rather Defendants argue that those injuries are not fairly traceable to the BOD and are not likely to be redressed by rescission of the BOD Resp at 25 14 see Spokeo Inc v Robins 136 S Ct 1540 1547 2016 These arguments lack merit 1 The loss of Plaintiffs' legal right to sell to the U S Government would be redressed by a favorable decision rescinding the BOD Defendants attack the redressability element of Plaintiffs' first injury--the deprivation of Plaintiffs' legal right to sell to the government--arguing that the BOD will have no practical effect on Plaintiffs because it is unlikely that Plaintiffs would be able to submit a winning bid for government work Resp at 17-19 This misses the point The injury is Plaintiffs' deprivation of a right to apply for a contract with the government Defendants do not dispute traceability--i e that the BOD caused Plaintiffs' debarment and hence their loss of the right to sell to the government That certain government officials may believe Plaintiffs would not be able to submit a successful bid does not diminish the right to submit the bid in the first place What matters is that rescission of the BOD restores the loss of this legal right See generally e g ACORN v United States 618 F 3d 125 2d Cir 2010 holding that plaintiff ACORN had standing to challenge a federal appropriations law singling ACORN out by name and cutting off its right to receive federal funds--although there was no assertion that ACORN would receive federal funds or even would apply to government agencies for money if the court invalidated the law if the plaintiffs are not and never will be interested in applying for grants or funding from the Department of Defense the fact that the Defense Department's appropriations law specifically prohibits ACORN and its affiliates from being eligible for federal funds affects the plaintiffs' reputation with other agencies states and private donors Id at 134 4 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 11 of 32 Defendants' cases on redress for the loss of a legal right are irrelevant here Defendants' so-called status quo cases see Resp at 17-19 stand for the notion that w hen the existence of one or more of the essential elements of standing--in this case redressability--depends on the unfettered choices made by independent actors not before the courts and whose exercise of broad and legitimate discretion the courts cannot presume either to control or to predict it becomes substantially more difficult to establish standing Scenic Am Inc v DOT 836 F 3d 42 50 D C Cir 2016 emphasis added internal quotations omitted For example in Renal Physicians Ass'n v DOH 489 F 3d 1267 D C Cir 2007 cited at Resp at 17 19 24 25 plaintiff's claimed injury--loss of income for doctors caused by the challenged regulatory safeharbor--would not be redressed by invalidation of the challenged regulatory safe-harbor because there was no showing that the relevant third parties dialysis facilities and hospitals would actually pay more money to doctors 3 Clearly this rule has no applicability here Plaintiffs are not challenging the BOD in order to force federal agencies to buy their products again--but are simply seeking to recover the legal right to sell to those agencies Defendants' cases purporting to instruct the Court on how to assess the redressability element are similarly unhelpful Defendants quote Common Cause v Dept of Energy 702 F 2d 245 D C Cir 1983 claiming that redressability turns on whether judicial intervention will produce tangible meaningful results in the real world --but that case involved a lawsuit to require the government to develop an energy conservation plan for government buildings How that has application to the debarment context is unclear Defendants also cite to Huntington Branch NAACP v Huntington 689 F 2d 391 394 2d Cir 1982 cited at Resp at 22 but omit the Second Circuit's holding that plaintiffs had standing and the reason why D ismissal of a 3 See also Nat'l Wrestling Coaches Ass'n v Dep't of Educ 366 F 3d 930 D C Cir 2004 applying same rule and St John's United Church of Christ v FAA 520 F 3d 460 D C Cir 2008 same U S Ecology Inc v DOI 231 F 3d 20 D C Cir 2000 same 5 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 12 of 32 complaint because of a lack of committed financing may well prevent any litigant from challenging a zoning ordinance Like the zoning ordinance in Huntington the problematic laws and regulations at issue may make government officials reluctant to buy Plaintiffs' products but that does not mean that Plaintiffs lack standing to challenge those official acts 4 Simply put the loss of Plaintiffs' legal right to sell to the government will be likely redressed by a favorable decision in this case Rescission and remand of DHS's determination which is in violation of Plaintiffs' procedural due process rights and the APA will erase an improper legal decision This relief would remove the operative debarment reinstating Kaspersky Lab's right to sell to the federal government To be sure there are additional harms-- some which will also be alleviated by this decision some which may not But that does not deprive Plaintiffs of standing to challenge the deprivation of their legal right to sell to the government 2 Plaintiffs' reputational injury is fairly traceable to the BOD and likely would be redressed by rescission Defendants also attack traceability and redressability of Plaintiffs' reputational injury arguing that 1 Kaspersky Lab's reputational injury is not fairly traceable to the BOD because of other factors harming the company's reputation Resp at 25 and that 2 rescinding the BOD would not relieve the reputational harm Id at 22-23 But Foretich v United States 351 F 3d 1198 D C Cir 2003 --the seminal D C Circuit case concerning the traceability and redressability of reputational injuries by government action--unequivocally rejects these arguments 4 Defendants also cite Int'l Union of Bricklayers Allied Craftsmen v Meese 761 F 2d 798 801 D C Cir 1985 which involved a union's challenge to an immigration policy that allowed foreign workers to come to the United States There the court denied relief to such an abstract 'injury ' disallowing the action just because one disagrees with it or even finds it odious distasteful and offensive 6 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 13 of 32 In Foretich the D C Circuit held that plaintiff Dr Foretich--accused by his ex-wife of sexually molesting their daughter and sullied by the media and certain lawmakers--had standing based on reputational injury to challenge as an unconstitutional bill of attainder the Elizabeth Morgan Act a federal law singling out Dr Foretich and restricting his child visitation rights-- even though the legal effect of the Act had become moot as the child was now an adult Id at 1209 The D C Circuit rejected the same traceability argument that Defendants now advance here Even if damage to Dr Foretich's reputation comes in part from the publicity surrounding the custody dispute and his ex-wife's allegations not solely from the Elizabeth Morgan Act this misses the point The Act itself has caused significant harm to Dr Foretich Id at 1216 The Court also rejected the same redress arguments advanced by Defendants here explaining B y vindicating Dr Foretich's assertion that Congress unfairly and unlawfully rendered a judgment as to his character and fitness as a father declaratory relief will provide a significant measure of redress sufficient to satisfy the requirements of Article III standing Id The D C Circuit rejected the notion that Dr Foretich had to parse out the Act's harm from other negative attention--which Defendants argue Kaspersky Lab must do here See Resp at 27 Foretich also rejected another of Defendants' arguments that Plaintiffs cannot establish redressability unless they show that their lost commercial and retail customers would re-engage with their products upon rescission of the BOD See Resp at 25 Specifically in Foretich the D C Circuit observed that Dr Foretich was o nce a prominent oral surgeon that his business suffered a 30% decline following adoption of the Act that he was f orced to seek employment outside of northern Virginia denied a position at a North Carolina university in part because of the Act and that he was asked to resign his position as Regent of the American 7 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 14 of 32 College of Oral and Maxillofacial Surgeons Foretich 351 F 3d at 1209 But the D C Circuit did not require Dr Foretich to show that patients who had left his practice would return to him upon invalidation of the Act or that those other identified injuries would be redressed Yet that is what Defendants claim Kaspersky Lab must demonstrate for the Court even to hear this case Further in Foretich the challenged Act was nearly seven years old at the time of the D C Circuit's decision and no longer of legal effect because Dr Foretich's daughter had reached age 21--yet the D C Circuit still held that Dr Foretich had standing based on reputational injury alone and invalidated it as an unconstitutional bill of attainder Id at 1209 By contrast the BOD is just months old and Plaintiffs have submitted fresh evidence establishing the reputational injury's traceability and redress Plaintiffs submitted evidence of customers both retail and commercial specifically citing the BOD rather than any other source as the reason they decided not to make a purchase--or decided to return--Plaintiffs' products See Application at 34 Plaintiffs also submitted evidence that the company will be on stronger ground in addressing immediate customer concerns should the BOD be preliminarily rescinded Declaration of Angelo Gentile 24 Plaintiffs need show only that rescission likely would redress the discrete harm stemming from the BOD's labelling Plaintiffs' products as information security risks to federal government information systems Indeed as the Supreme Court has stated A plaintiff satisfies the redressability requirement when he shows that a favorable decision will relieve a discrete injury to himself He need not show that a favorable decision will redress his every injury Larson v Valente 456 U S 228 243 n 15 1982 emphasis in original Finally it bears mention that Defendants' quotations from McBryde v Committee to Rev Cir Council Conduct 264 F 3d 52 D C Cir 2001 see Resp at 23 24 to support its redress 8 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 15 of 32 argument are equally unhelpful In McBryde the court held that a censured district judge had standing based on injury to his reputation to challenge his public reprimand but not to challenge the record of his suspensions which had expired and become moot See Id at 55-58 The standing analysis in McBryde turned on mootness See Id at 57 injury to reputation alleged as a secondary effect of an otherwise moot action emphasis added Defendants do not argue that Plaintiffs' BOD claim is legally moot--in fact they acknowledge it is not actually moot See Resp 27 n 21 The BOD is exactly the type of public reprimand the McBryde court found was an injury capable of being redressed by the courts II Defendants Have Failed to Articulate Sufficient Due Process or Produce an Adequate Administrative Record The Response is the latest in a series of unsuccessful attempts by Defendants following the BOD to dress-up the administrative record and the accompanying process to give the appearance of adequate legal administrative and constitutional protections A DHS's decision was final upon issuance of the BOD in September 2017 the Final Decision issued in December is an illusion which Defendants continue through their Response As explained at length in our Application Memorandum the BOD was fully final and injurious at the time that it was issued See Application at 10 No notice or opportunity to be heard was afforded by Defendants prior to that time as was required See Id at 19 Defendants now seek to retroactively argue that the BOD itself was a pre-deprivation notice and that no decision was made or injury caused to the Plaintiffs prior to the Final Decision in December Resp at 28 This argument is wholly unsupported by the administrative record and mis-characterizes the approach taken by the Defendants throughout this post-BOD process In describing the BOD in their Response Defendants betray their true intent DHS on September 13 2017 Issued BOD 17-01 Acting Secretary Elaine Duke issued the directive 9 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 16 of 32 after determining that the presence of Kaspersky Lab products on federal information systems presents a known or reasonably suspected threat vulnerability or risk to federal information and information systems Resp at 10 emphasis added Accordingly it is clear that all relevant legal determinations and the relevant administrative decision had been made prior to or immediately upon the issuance of the BOD in September without any notice to Plaintiffs or a meaningful opportunity to be heard In its continued series of contradictions only two pages later in their Response Defendants argue the same decision was in fact made in December and then only a fter closely reviewing the company's submission of opposition to the BOD Resp at 12 In so doing Defendants again conflate the BOD as pre-deprivation notice and the 30-60-90 day structure as a pre-deprivation consultation period It was neither Rather the BOD set in motion a process for the identification and removal of Plaintiffs' products from federal information systems that had no prospect of being reversed The 30-60-90 day structure was always an implementation phase and never an administrative review period Relatedly Defendants are simultaneously critical of the filing for preliminary injunction more than four months after DHS issued the BOD while also arguing that no final decision was made until December 2017 Resp at 2 Had Plaintiffs brought their Complaint in September Defendants would surely have argued that they had not exhausted their administrative remedies and so redress of the court under the APA would not have been available Notwithstanding the obvious deficiencies in the advertised process at the time and Plaintiffs' immediate and ongoing injury occasioned by the BOD Plaintiffs in good faith sought to engage with Defendants during these months in the hope that Defendants would rectify their errors or give proper consideration to the Kaspersky Lab Submission Defendants did not do so 10 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 17 of 32 thereby warranting the Plaintiffs' prompt filing of the Complaint and Application for Preliminary Injunction in this matter B Plaintiffs suffered injury long before the Final Decision In issuing the BOD Defendants indicated their clear intent to all federal agencies and to the world that they had determined Kaspersky Lab products to be a known or reasonably suspected threat vulnerability or risk to federal information systems The damage was immediate This is clearly evidenced by the actions taken by a number of agencies to remove Plaintiffs' software prior to the 90-day mark See Application at 10 It makes no difference that Defendants did not expressly direct any agency to do so the damage caused prior to the 90-day mark is self evident and would not have occurred but for the manner in which the BOD was issued Indeed Defendants make precisely this argument with respect to the effective date of the NDAA and its implementation arguing that prior to its effective date the impending ban would make the prospect of doing business with Kaspersky during the implementation period a practical if not legal impossibility Congress has spoken on the use of Kaspersky products and its intent was clear Resp at 19 Defendants cannot simultaneously argue that the BOD caused Plaintiffs no injury prior to the Final Decision as DHS' intent was equally clear at the time the BOD was issued Ample opportunity was available for Defendants to grant Plaintiffs notice and an opportunity to be heard prior to the BOD being issued Defendants claim that i n the weeks and months before the BOD the Department engaged in extensive consultations with its cybersecurity experts and interagency partners and reviewed information from a variety of 11 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 18 of 32 sources Resp at 10 However Defendants failed to consult or engage with the one source with which they were constitutionally obliged to the Plaintiffs If as they now argue the period between the BOD and the Final Decision represented a fact finding or information-gathering stage and a pre-deprivation opportunity for the Plaintiffs to be heard Resp at 30 it would have been entirely possible for Defendants to have designed a process which fulfilled that objective comported with Plaintiffs' due process rights and delayed injury to the Plaintiffs until a final decision was made For example via either a BOD or a simple letter agencies could have been asked to identify whether they were using Plaintiffs' software At the same time Defendants could have given Plaintiffs proper pre-deprivation notice the administrative record and a right to respond before publicizing the allegations Such a notice would have come closer to the type of predeprivation notice considered appropriate before imposing for example the designating of a party as a foreign terrorist organization in Nat'l Council of Resistance of Iran v Dep't of State 251 F 3d 192 207 D C Cir 2001 In that case the D C Circuit found it was not immediately apparent how providing notice would work any harm to the government's interest in national security Id at 207 208 Here nothing in the record suggests an extraordinary situation or an indication that the State must act quickly or that it would be impractical to provide predeprivation process or that this is one of those limited cases demanding prompt action Predeprivation process would have in no way inhibited the government's interest in security In this hypothetical process now armed with the results of their fact-finding and the input of the Plaintiffs DHS could have made an informed decision about the information security risks if any presented by Plaintiffs' and others' software and notified agencies of how those risks could be properly and consistently mitigated 12 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 19 of 32 The record is clear Defendants proceeded otherwise At best affording Plaintiffs an opportunity to make a submission after the BOD was issued is a post-deprivation appeal process and is nevertheless inadequate In actual fact no opportunity existed for Plaintiffs to challenge the BOD The decision had already been made was being implemented and had no genuine prospect of being reversed No meaningful decision was made in December 2017 The status quo from the date of the BOD's issuance was simply maintained without modification See Information Memo for Acting Secretary Dec 4 2017 at AR0753 C Defendants seek to retroactively demonstrate due process where none exists Upon issuance it was immediately clear to all concerned including Defendants that the BOD gave insufficient consideration to the due process rights of the Plaintiffs The BOD Decision and the letter by which it was conveyed to Plaintiffs contained only passing reference to the fact that an administrative process was to be provided to Plaintiffs and other affected parties without providing any meaningful detail It was clear that a process was an afterthought and not considered by Defendants to have been a central part of the review and decision making process The repeated announcement of a forthcoming administrative process absent any meaningful standards actually being provided should not be confused as constitutional due process This was administrative process in name only Ever since Defendants have highlighted their attempts to retroactively demonstrate or appear to demonstrate due process where none existed On September 19 2017 an enumerated process did appear in the Federal Register which as described elsewhere effectively amounted only to the ability for the Plaintiffs to write a letter of objection to the Department 13 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 20 of 32 hoping beyond hope that the BOD decision would be reversed 82 Fed Reg 43 782 Sept 19 2017 The Federal Register further provided that following DHS's receipt of a response to the BOD T he Secretary's decision will be communicated to the entity in writing by December 13 2017 See id at 43 784 December 13 2017 was one day after the 90-day deadline by which agencies were to have begun removing Kaspersky Lab products In apparent acknowledgement of this procedural deficiency and in an attempt to conceal the fact that the process was inadequate and illusionary the Final Information recommend ed that the Acting Secretary respond to Kaspersky and issue her Final Decision on or before Monday December 11 -- notwithstanding the December 13 2017 deadline set forth in the Federal Register See Information Memo for Acting Secretary Dec 4 2017 at AR0754 Defendants did not provide the BOD Information to Plaintiffs until September 29 2017 two weeks after the BOD had been issued and Plaintiffs were notified and then only following request of Plaintiffs' counsel See Decl of Ryan Fayhee at Document 10-3 8 It is clear that absent this request the administrative record would not otherwise have been provided as part of the stated process Defendants now incorrectly claim that the BOD Information was provided at the beginning of the administrative process Resp at 35 retroactively implying a level of forethought and planning on behalf of Defendants where none actually existed at the time Despite repeated requests by Plaintiffs' counsel for immediate engagement See Email Correspondence between Ryan Fayhee and Daniel Sutherland Fayhee Decl at Ex I plaintiffs were only afforded a meeting with DHS following its formal submission The meeting occurred on November 29 2017 over two months after the BOD was issued Such a meeting was clearly not planned or anticipated to be part of any due process at the time of the BOD and was only 14 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 21 of 32 allowed to give the appearance of an adequate process In an attempt to meet their due process obligations Defendants now incredibly argue that this limited and reluctant engagement amounts to a fully interactive process Resp at 12 The record shows otherwise The meeting itself was perfunctory and not indicative of meaningful consideration or due process as indicated by the issuance of the Final Decision only a week later on December 6 2017 Right up to and including in the Final Decision and its Information Defendants continued to introduce new materials and arguments into the administrative record including but not limited to the Maggs Report Defendants now list the Maggs Report and the supplemental NCCIC report included with the Final Decision in its list of documents forming part of the administrative record to which they argue Plaintiffs had opportunity to respond as if those documents had been available to the Plaintiffs during the review period from the beginning Resp at 11 and 41 D Defendants' administrative process falls well short of what would have been required to debar Plaintiffs under the Federal Acquisition Regulations The actions taken by Plaintiffs clearly amount to a debarment of Plaintiffs' products In fact the Decision is explicit that DHS considered the BOD to be a more appropriate process than a debarment proceeding under the FAR principally because it is more draconian Decision at 4 The BOD had immediate effect since in the Defendants' own words used in relation to their claimed immediate debarring effect of the NDAA no agency would make an investment in Kaspersky software and go to the trouble of testing installing and integrating the software only to have to remove it and start the process anew within a matter of months Resp at 20 citing Schneider Declaration at 9-11 Plaintiffs concede that had debarment proceeded through the FAR the attendant well-established and constitutionally adequate debarment procedures would have had to have been followed Resp at 32 15 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 22 of 32 Defendants go on to argue however that the process afforded to Kaspersky not only meets the FAR requirements but even exceeds it in important ways Resp at 29 and that any differences between the two procedures are not of constitutional dimension Resp at 32 However Defendants make only one comparison to the FAR process namely that Plaintiffs were afforded 52 days - more than three weeks longer than the 30 days required under the FAR to respond to the BOD Resp at 30 Under the FAR debarring officials must provide formal notice of proposed suspension and or debarment including 1 the reasons for the proposed debarment in terms sufficient to put the contractor on notice of the alleged conduct upon which the action is based 2 notice of the opportunity to submit information and arguments in opposition to the proposed debarment within 30 days of receipt of the notice 3 procedures that will govern the agency's decisionmaking process and 4 the effects of proposed and actual debarment See 48 C F R Part 9 4063 c Critically the debarring official's decision may be made only within 30 working days after receipt of information and argument from the contractor See 48 C F R Part 9 406-3 d 1 This final protection under the FAR is consistent with the due process requirement that an affected party be given a meaningful opportunity to rebut the evidence before action is taken to deprive it of a property or liberty interest The additional 22 days afforded to Plaintiffs to respond to the BOD is immaterial when compared to the fundamental difference between the FAR process and that afforded by Defendants namely that the FAR process has to conclude before any debarment can take effect Under the FAR process there is a 60-day period between the notice and the first day upon which the debarment can take effect Contrary to Defendants' contention this difference is absolutely of a constitutional dimension It goes to the heart of constitutionally sound due process 16 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 23 of 32 III Defendants Overstate the Degree of Discretion Granted to DHS Under FISMA and the Degree of Deference Afforded under the APA In the alternative and assuming a deficient due process Defendants argue either that the relevant provision of the FISMA is not reviewable under the APA since it affords absolute discretion to DHS in issuing binding operational directives and or that enhanced deference ought to be granted to the Defendants in light of the national security context urgency and highly technical nature of the BOD's subject matter Resp at 35 and 40 A Binding Operational Directives issued under FISMA are subject to APA review Defendants argue that numerous plaintiffs have brought APA challenges seeking to enjoin agency decisions under FISMA yet n ot one of these suits has prevailed and every court to consider the issue has agreed that decisions under FISMA are committed to agency discretion and thus outside the scope of APA review Resp at 13 Defendants cite only three FISMA cases in support each involving a class action seeking monetary damages but none instructive here See Resp at 37-8 5 Defendants have not referenced a single case in which a FISMA binding operational directive has been challenged under the APA and for good reason this is the first such challenge This is not a case where Plaintiffs attempt to use the APA to police a federal agency's actions under FISMA Resp at 3 Defendants rather have used FISMA to effectuate a 5 See Resp at 37-8 citing Welborn v IRS 218 F Supp 3d 64 D D C 2016 victims of cyber breaches at federal agency suing agency alleging its failure to comply with FISMA In re U S Office of Pers Mgmt Data Sec Breach Litig 266 F Supp 3d 1 43-44 D D C 2017 same and Cobell v Kempthorne 455 F 3d 301 303 D C Cir 2006 class action brought prior to 2014 amendment of FISMA by beneficiaries of American Indian Money trust accounts based on Interior's problems maintaining adequate computer security As Defendants' lead case makes clear these stand in stark contrast and are wholly inapplicable to the reviewability issue at hand See Watervale Marine Co v DHS 55 F Supp 3d 124 135 140 D D C 2014 internal quotation omitted All other courts that have addressed this statutory provision have done so under markedly different circumstances 17 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 24 of 32 debarment and one that is immediate and enhanced They cannot escape the availability of the APA to challenge debarment decisions particularly where debarment is effected in a more draconian fashion through a statute which was never intended to be used to debar individual companies rather than via the well-established and constitutionally sound FAR processes FISMA was established and amended so that DHS could establish uniform security standards through binding operational directives and to otherwise protect federal information systems not so that it could be used to debar companies from federal contracting without due process The starting point for Defendants' committed to agency discretion argument must be the presumption of reviewability The APA embodies the basic presumption of judicial review to one suffering legal wrong because of agency action or adversely affected or aggrieved by agency action within the meaning of a relevant statute Delta Air Lines v Export-Import Bank of the US 718 F 3d 974 976 D C Cir 2013 internal quotations omitted As a threshold matter t he exception for agency action 'committed to agency discretion by law' is a very narrow one reserved for those rare instances where statutes are drawn in such broad terms that in a given case there is no law to apply Hi-Tech Furnace Systs Inc v FCC 224 F 3d 781 788 343 D C Cir 2000 internal quotation and citation omitted Rather there is a strong presumption that agency action is reviewable and Congress rarely draws statutes in terms so broad that there is no meaningful standard Kirwa v DOD 2017 U S Dist LEXIS 176826 at 28 D D C Oct 25 2017 quoting Sec'y of Labor v Twentymile Coal Co 456 F 3d 151 156 D C Cir 2006 In an attempt to establish this very narrow exception Defendants apply a three-part test Resp at 36 inviting the court to evaluate 1 the nature of the administrative action at issue 2 the language and structure of the statute that supplies the applicable legal standards for 18 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 25 of 32 reviewing that action and 3 Congress's intent to commit the matter fully to agency discretion as evidenced by among other things the statutory scheme See Resp at 36 citing Waterville 55 F Supp 3d at 137-38 internal quotations omitted Under the first factor the BOD clearly is not one of the categories of administrative decisions that the Supreme Court and the D C Circuit consider presumptively unreviewable -- as in f or example an agency's refusal to take enforcement action Id at 138 internal quotation omitted Rather as DHS makes clear in both its Information and Decision Memos the BOD has effectuated a debarment See Information Memo for Acting Secretary Sept 1 2017 at AR0005-AR0006 and Acting Secretary Decision Memo Sept 13 2017 at AR0631 sections entitled DEBARMENT DHS acknowledges it based the BOD solely on unclassified information See Acting Secretary Decision Memo at AR0631 I therefore hereby exercise my authority to issue BOD 17-01 I make this determination based on the unclassified record alone Under the second factor Congress need only provide a meaningful--not a rigorous but neither a meaningless--standard against which to judge the exercise of agency discretion Arent v Shalala 70 F 3d 610-614 D C Cir 1995 The limitation of the BOD to safeguard federal IT systems from a known or reasonably suspected information security threat vulnerability or risk certainty provides meaningful standards against which to measure DHS's action 44 U S C 3552 b 1 3553 b 2 See e g Nicopure Labs LLC v FDA 266 F Supp 3d 360 D D C 2017 rejecting FDA's committed-to-agency-discretion argument where the statute gave the agency the authority to apply the Tobacco Control Act's provisions to any other tobacco products that the Secretary by regulation deems to be subject to that Act quoting 21 U S C 387a b Indeed a statute can confer on an agency a high degree of 19 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 26 of 32 discretion and yet a court might still have an obligation to review the agency's exercise of its discretion to avoid abuse especially on procedural grounds Delta 718 F 3d at 977 quoting 3 Richard J Pierce Jr Administrative Law Treatise 17 6 4th ed 2002 Clearly FISMA provides meaningful standards that qualify DHS' discretion in issuing BODs and has not vested DHS with complete discretion as Defendants claim See Reply at 37 Nor is it determinative as Defendants suggest that there is no statutory definition of what constitutes a 'known or reasonably suspected information security threat vulnerability or risk ' It is within the court's power to interpret these qualifications based on their plain meaning or comparative legal concepts Finally applying the third factor--Congress' intent as evidenced by the statutory scheme--as discussed supra Defendants simply quote from inapplicable FISMA-related class actions Defendants fail to point to anything in FISMA that would indicate Congress intended to allow DHS to effectuate a debarment beyond the reach of judicial review B There is no suggestion in the record of any operational urgency for the BOD Defendants next argue that the U S government's networks and computers security depends on the government's ability to act swiftly and effectively in the face of rapidly evolving cyber threats Resp at 1 However nothing in the administrative record or in the Defendants' Response indicates any operational urgency to this BOD To the contrary Defendants at Resp FN1 cite to a 2012 Wired magazine article which contains many of the same arguments that Defendants seek to rely on in support of the BOD over five years later The only significant development in 2017 was intense political scrutiny following Russia's apparent interference in the 2016 presidential election in which there is no allegation that Plaintiffs had any involvement See Resp at 7-10 This political pressure culminated in the 20 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 27 of 32 issuance of the BOD and the enactment of the NDAA both of which bowed unconstitutionally to that pressure in singling out and punishing Plaintiffs and depriving them of their due process rights C The BOD is based on news reports and not on any highly technical or classified information Defendants also argue that this is a circumstance in which enhanced deference is due to their administrative decision-making process due to the expert-driven and highly technical nature of the BOD and its subject matter Resp at 38 In reality the BOD is neither highly technical nor expert-driven the underlying administrative record consists almost entirely of unsubstantiated news reports and allegations against the company which the court is well within its capability to review for their evidential value Defendants also claim that the BOD was issued only after extensive investigation and consultation with cyber security experts inside and outside of the DHS Resp at 1 But nowhere in the administrative record is there any indication of these consultations The only support cited are two reports authored by the National Cybersecurity and Communications Integration Center NCCIC NCCIC falls under DHS' jurisdiction and so can hardly be considered an independent assessment or interagency review If other consultations occurred Plaintiffs request and the court requires that evidence of the same be added to the administrative record filed by Defendants should they wish to rely upon them in this case Defendants also claim their reliance on news reports is appropriate by citing cases where news articles from part of the unclassified record as in Zevallos v Obama or as part of a broad range of evidence as in Holy Land However in neither of these cases did the record reflect such a heavy focus on news articles 21 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 28 of 32 The D C Circuit's express rationale for permitting reliance on news articles is simply inapplicable here i there is no need to protect confidential information because the BOD is not based in part on classified information ii there are no logistical or political difficulties obtaining judicial or law enforcement records from other countries iii there are no diplomatic concerns limiting what the agency can say publicly --to the contrary DHS has been frank about its views and iv there is no suggestion in this case that the safety of investigators or informants might be put at hazard See Zevallos v Obama 793 F 3d 106 113 D C Cir 2015 Moreover in the cases allowing such a reliance the media articles were used to establish discrete facts--not ultimate legal conclusions as here See e g Id at 112 reliance on newspaper articles that a designated drug kingpin controlled overseas assets See also People's Mojahedin Organization v State 182 F 3d 17 24-25 D C Cir 1999 T he Secretary had before her information that each of the organizations engaged in bombing and killing in order to further their political agendas Any one of the incidents would have sufficed under the statute And in Holy Land Foundation v Ashcroft 333 F 3d 156 162 D C Cir 2003 the D C Circuit made clear that while the terrorist designation could be based on a broad range of evidence including intelligence data and hearsay declarations --Treasury's decision was based on ample evidence in a massive administrative record --including testimony of numerous FBI sources and findings by both Israeli and Palestinian governmental authorities emphasis added In contrast as stated in the Plaintiffs' Application many sections of the BOD Information and key DHS findings in support of the BOD's three elements6 and particularly the 6 1 The broad access to files and elevated privileges provided by antivirus products and services including Kaspersky products that can be exploited by malicious cyber actors to compromise information systems 2 Ties between certain Kaspersky officials and Russian intelligence and other government agencies and 3 Russian legal provisions that allow Russian 22 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 29 of 32 second and most critical of those three elements allege ties between certain Kaspersky officials and Russian intelligence and other government agencies and are supported exclusively by uncorroborated news reports Defendants also contend that to escape the BOD it was for Plaintiffs to prove their own innocence by rebutting or disproving these news articles Resp at 41 But it is the Defendants who have failed to meet the evidentiary standards required of them in establishing a sufficient risk to the government information systems that are supported by substantial evidence Defendants continue to cite news articles in purported support for their Response Resp FN 11 as if they were determinative of fact and as a substitute for genuine or meaningful agency fact-finding Since the substance of those allegations are not determinative of this Motion and since Plaintiffs have already responded to these substantive issues in detail in the Kaspersky Submission Plaintiffs do not intend to address or refute them here save to note their continued objection both to their substance and their continued perpetuation without corroboration In an apparent attempt to distract from the deficiencies in the administrative record Defendants have again alluded to the classified materials considered by the Acting Secretary Resp at 10 as if the existence of such a record regardless of its content lends weight to their arguments on national security grounds At the same time Defendants also reiterate their claim as they have done throughout this process that DHS believes that the BOD can be sustained on the basis of the unclassified portions of the administrative record Resp at FN 12 An APA challenge examines only what the agency actually considered and relied upon in making its decision If Defendants in fact did not rely on the classified record they should strike their intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks 23 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 30 of 32 repeated references throughout the unclassified record and their tacit insinuation that if we were to pull back the curtain all potential questions and concerns would be satisfied Plaintiffs do not seek this Court's assessment or ruling on those allegations nor as Defendants allege at Resp 45 do Plaintiffs ask the Court to second guess any determination of DHS in that regard Rather Plaintiffs simply request the court to uphold the requirements of the APA and Plaintiffs' constitutional rights to due process and that Defendants properly consider this matter in line with their legal and constitutional obligations IV Plaintiffs have Established Remaining Elements for Preliminary Injunction Finally Defendants' remaining arguments on the preliminary injunction standard are not availing See Resp at 42-43 First they claim that the heightened requirement applies to a mandatory injunction where the plaintiff seeks to compel a positive act See Qualls v Rumsfeld 357 F Supp 2d 274 286 D D C 2005 the court would order the Army to discharge Qualls Nat'l Conference on Ministry to the Armed Forces v James 278 F Supp 2d 37 42 D D C 2003 seeking mandamus requiring defendant to include plaintiff in fundraising program But Plaintiffs are not seeking to compel Defendants to accept their products or to install products on their systems They are seeking a preventative injunction one that would stem a continuing injury Second there is no merit to Defendants' claim that Plaintiffs' grave financial and reputational harm does not amount to irreparable harm Defendants rely on Wisconsin Gas Co v FERC 758 F 2d 669 674 D C Cir 1985 --but that was not an APA case nor is it instructive here See also Open Cmtys All v Carson 2017 U S Dist LEXIS 211319 67 D D C Dec 23 2017 explaining that defendants misread Wisconsin Gas and holding that in an APA case monetary losses can establish irreparable harm because APA provides no damages remedy 24 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 31 of 32 Plaintiffs' financial harm is anything but speculative nor is there any question that Plaintiffs are directly harmed by the BOD Cf Wisconsin Gas 758 F 2d at 675 denying preliminary injunction based on a purely hypothetical chain of events Moreover that other sources of reputational harm may have contributed does not preclude relief See Supra Finally on balance of equities it bears repeating T he power of debarment is tantamount to one of life or death over a business Gonzalez 334 F 2d at 575 n 5 quotation omitted To effect this debarment Defendants violate well-established standards of due process and the APA As this Court has held There is generally no public interest in the perpetuation of unlawful agency action To the contrary there is a substantial public interest in having governmental agencies abide by the federal laws--such as the APA Open Cmtys 2017 U S Dist LEXIS 211319 at 68-69 internal quotations omitted CONCLUSION For the reasons set out above and those set out in its Memorandum of Law in Support of Preliminary Injunction Plaintiffs respectfully repeat their request that the Court grant their Application and preliminarily invalidate and rescind the BOD and the December 6 2017 Final Decision maintaining the BOD and preliminarily enjoin DHS from enforcing the BOD and the Final Decision 25 Case 1 17-cv-02697-CKK Document 15 Filed 02 12 18 Page 32 of 32 Dated February 12 2018 Respectfully submitted s Ryan P Fayhee Ryan P Fayhee Bar No 1033852 Steven Chasin Bar No 495853 Baker McKenzie LLP 815 Connecticut Avenue NW Washington D C 20006 Tel 202 452 7024 Ryan Fayhee@bakermckenzie com Steven Chasin@bakermckenzie com Attorneys for Kaspersky Lab Inc and Kaspersky Labs Limited This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu