Kaspersky Lab Inc. failed to convince an appeals court to vacate Congress’s government-wide ban on its software and cybersecurity products because of Russian spying concerns.

The National Defense Authorization Act for fiscal 2018 (P.L. 115-91) officially prohibited government use of Kaspersky products on Oct. 1.

The law isn’t an unconstitutional bill of attainder because it addresses a national security vulnerability in the federal government’s information systems, the U.S. Court of Appeals for the D.C. Circuit affirmed Nov. 30.

A bill of attainder is a legislative punishment without trial and prohibited by the U.S. Constitution.

The ban is a reasonable response to a security risk based on testimony to Congress about how Kaspersky’s ties to Russia could jeopardize the integrity of the government’s systems, with or without the company’s cooperation, Judge David S. Tatel wrote.

The company may suffer financial costs, and damage to its reputation, from the ban, but just because a sanction is severe, doesn’t mean it was imposed as as punishment, the court said.

The ban is “prophylactic, not punitive” because of the “not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought,” it said.

Kaspersky remains free to sell its cybersecurity products and services around the world despite losing this “important client,” the court said.

Keep on Fighting?

“Kaspersky Lab regrets that the Court of Appeals has upheld the lower court’s decision,” the company told Bloomberg Law Nov. 30.

“Despite this development, Kaspersky Lab remains committed to providing industry-leading cybersecurity solutions to its customers in the United States and around the world,” Kaspersky Lab said in an emailed statement.

“Whether or not Kaspersky Lab decides to pursue further legal relief, the company will continue on its mission of saving the world from cyber threats,” the statement said.

Kaspersky could petition the U.S. Supreme Court to review its constitutional challenge.

The Department of Homeland Security issued a directive telling government agencies to cease using Kaspersky software in September 2017.

President Trump signed the defense law with the Kaspersky ban provision on Dec. 12, 2017.

The ban came after U.S. officials determined the Russian government could use Kaspersky’s anti-virus software as an entry point for espionage and other hostile acts against U.S. federal information systems.

A trial judge held May 30 that Congress reasonably acted to protect the government’s information systems from Russian cyber intrusion.

Hughes Hubbard & Reed LLP represented Kaspersky Lab.

Judges Harry T. Edwards and Douglas H. Ginsburg joined in the decision.

The case is Kaspersky Lab Inc. v. United States Dep’t of Homeland Sec., D.C. Cir., No. 18-5176, 11/30/18.