Some insights about the warning of German BSI against Kaspersky antivirus software

I am once again taking up a difficult topic in a review, which has triggered numerous discussions within my German blog. It is about the warning by the German BSI (Federal Office for Information Security) against the use of products of the Russian provider Kaspersky. In the meantime, the Higher Regional Court has clarified that the BSI was allowed to warn and that this also falls within its scope. It should be clear to everyone that at least parts of the decision were also politically motivated. Now, in an article for the German broadcasting service Tagesschau, the Bavarian TV service BR has traced how difficult it was for the BSI to make its assessment.



The BSI warning against Kaspersky

In view of the Russian invasion of Ukraine and due to the ongoing hostilities, the question was also raised in February 2022 whether software from Russian companies can and should still be used in Germany – especially in the area of computer security. I had raised the issue in the article Can Kaspersky still be used as security solution?

After assessing the situation, the Federal Office for Information Security (BSI) issued a warning against the use of antivirus software from the Russian manufacturer Kaspersky on March 15, 2022. The BSI recommended replacing applications from Kaspersky's portfolio of antivirus software with alternative products (see also my blog post German Cyber Guard BSI warns now against the use of Kaspersky antivirus products). 

At least this is a political decision, but it was justified. The BSI warning was then challenged by the Kaspersky company via the company's German office and litigated in a regional court and then in a chamber of a higher regional court. In both cases, the BSI's warning was deemed admissible (see also OLG court ruling: German BSI was allowed to warn against Kaspersky antivirus software in the link list at the end of the article). 

How the decision was made

It is interesting to learn about the background, how the warning came about and how difficult it was for the BSI to deal with the situation – they were probably sitting on the fence and did not want to touch this political hot potato. In this German Tagesschau article (thanks to the reader for pointing it out), editors of the Bavarian Broadcasting Corporation have traced the events that led to the BSI's warning. The editors had accessed the internal documents of the BSI's communications with Kaspersky and other agencies via a Freedom of Information Act request (probably close to 370 pages in total, they say). The short facts:

  • The BSI began considering how to deal with the Russian vendor's antivirus products barely a week after Russia invaded Ukraine.
  • Suddenly, an email from vendor Kaspersky trickled into the BSI, asking for the BSI's backing, as customers were also asking the question "how to deal with Kaspersky products?".

Kaspersky was hoping for a recommendation from the BSI – which is legitimate, but imho could not be provided by the BSI. This put the BSI under pressure, and its president Arne Schönbohm replied in an internal e-mail that his institution should not respond to this request. The BSI's warning finally came a weekend after receiving the Kaspersky request by e-mail, namely on March 15, 2022. According to the Tagesschau report, the BSI's e-mail exchanges with other German agencies, which were analyzed by BR's editors, show that there was no decision based solely on technical considerations.



But anyone who assumed a purely technical decision must be naive. Of course, it is a political assessment. The BSI had justified its assessment (Kaspersky's headquarters in Moscow, many potentially blackmailable employees or family members in Russia, possibility of the Russian government exerting influence) in its warning, which is also reflected again in the Tagesschau article.

The Tagesschau article then traces the development up to the warning on the basis of internal communication. There are references to the classification that there was "imminent danger" because it was not certain whether Kaspersky was still in control of its software, since Russia was not a constitutional state. A danger was also seen that Kaspersky software could be used to carry out attacks from Russia on German companies, users and organizations. This was countered by the fact that Kaspersky had launched an initiative in 2017 and opened several transparency centers (one in Switzerland).

In the course of the vote, the German Ministry of the Interior (BMI) became involved, which probably pushed for a warning. Anyone who recalls the events shortly after Russia's invasion, and is familiar with such decision-making processes, will be able to understand these discussions, the involvement of the BMI, and then the decision to issue a warning. What was clumsy was the 3-hour response time given to Kaspersky to react to the draft BSI warning.

The Tagesschau article traces the process up to the final decision, embellished with some prose. Dennis-Kenji Kipker, Professor of IT Security Law in Bremen, who reviewed the documents, concludes, according to the article, that the BSI "clearly worked from the result". That contradicts the BSI's mandate to act "on the basis of scientific and technical knowledge," as stated in Paragraph 1 of the BSI Act, the professor said. This "working method actually presupposes that you just don't have the result first and then think, how can I derive it." Kipker says it would have been better to warn "generally against Russian products" instead of "using Kaspersky as an example."

It might have been clear to every observer that a political evaluation also plays a role. The decision for or against the use of Kaspersky was made by every user or administrator or IT decision-maker anyway (because there was no ban on the products). The fact that it is a problem for Kaspersky is another matter. But I don't want to know what the shit storm would look like, if the BSI had issued no or a "soft-washed general warning" and there had been a cyber incident in this environment afterwards. So I see the process as a difficult factual balancing. Legally, it was confirmed that the BSI was allowed to issue the warning as it did.

Similar articles:
Can Kaspersky still be used as security solution?
German Cyber Guard BSI warns now against the use of Kaspersky antivirus products
Kaspersky on US FCC list & banned from HackerOne's bug bounty
USA: Sanctions against Kaspersky could increase cyber risk from Russia
OLG court ruling: German BSI was allowed to warn against Kaspersky antivirus software

