[German]Can antivirus products from the Russian based company Kaspersky be used in companies and government agencies without risk? After Russia's invasion of Ukraine, this question has becomehot. After hesitating for some time, the German Federal Office for Information Security (BSI) has now issued a recommendation. In short, the BSI recommends replacing applications from the Kaspersky anti-virus software portfolio with alternative products.
Advertising
Long time to decide
"Finally", was what popped into my head when I read Gerold's comment (thanks for that) about that recommendation of the German Federal Office for Information Security (BSI). Because I had already pointed out various implications regarding the use of these products in the blog post Can Kaspersky still be used as security solution? Security software runs at the system level with the highest privileges and can doa lot of damage. Even if Kaspersky always denies a connection to the Russian government and the relevant intelligence services, at the latest since Russia's invasion and invasion of Ukraine, one can no longer rely on "good faith". Rather, it can be assumed that Kaspersky will also have to cooperate if Russia exerts the necessary pressure. The consequences could be far-reaching, ranging from espionage and surveillance to sabotage and the paralysis of computer systems.
In May 2017 various U.S. authorities had stopped using security software from the Russian company Kaspersky Lab. The background to this was the suspicion that the software contained backdoors that Russia could use to spy on US authorities. The manufacturer Kaspersky denied any spying or cooperation with Russian. Then at the end of 2017 came the decision in the US that the use of Kaspersky products in US agencies was banned. And also in the Netherlands has released ab government directive to ban Kaspersky products on government systems.
BSI: Replace Kaspersky products
Now, however, the German Federal Office for Information Security (BSI) has come to a clear position. In accordance with §7 of the BSI Act, the BSI warns against the use of antivirus software from the Russian manufacturer Kaspersky. The authority now recommends replacing applications from Kaspersky's portfolio of antivirus software with alternative products. The BSI's reasoning makes sense to me, because:
Antivirus software, including the associated real-time cloud services, has extensive system authorizations and must maintain a permanent, encrypted, and unauditable connection to the manufacturer's servers for system-related reasons (at least for updates). Therefore, trust in a manufacturer's reliability and self-protection, as well as its authentic ability to act, is critical to the secure use of such systems. If there are doubts about the manufacturer's reliability, antivirus software poses a particular risk to an IT infrastructure that is to be protected.
The actions of military and/or intelligence forces in Russia, as well as the threats made by the Russian side against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict, are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer may itself carry out offensive operations, be forced to attack target systems against its will, or itself be spied upon as a victim of a cyber operation without its knowledge or be misused as a tool for attacks against its own customers.
This is clear in a way I would not have expected from the BSI (experts, on the other hand, have always been seen the risk using Kaspersky products). All users of Kaspersky antivirus software can be affected by such operations. But a stalled computer from Aunt Anna, that has been crippled by Kaspersky, has limited implications.
But the situation is different for companies and public authorities with special security interests and operators of critical infrastructures (CRITIS). These are particularly at risk. And it is precisely there that the BSI recommendation now sets standards, if Kaspersky products are still used there. According to the BSI, the aforementioned addressees have the option of seeking advice from the BSI or the relevant constitutional protection authorities.
Advertising
The BSI's warning is now crystal clear: Companies and other organizations should carefully plan and implement the replacement of essential components of their IT security infrastructure. If IT security products and, in particular, antivirus software were to be switched off without preparation, they might be left defenseless against attacks from the Internet. Switching to other products involves temporary losses in convenience, functionality and security.
The BSI recommends making an individual assessment and weighing up the current situation and, if necessary, consulting IT security service providers certified by the BSI. The question remains for me: Is Kaspersky still being used at all in this area, or have these AV products already been replaced for some time?
