Kaspersky is asking BSI to withdraw the warning 


In a recent report, Kaspersky is asking the BSI to adapt the warning from March 15, 2022 or to withdraw it altogether. At that time, the BSI warned against the use of Kaspersky solutions. Since then, Kaspersky has made extensive information available to the BSI, which has not yet been taken into account.

On March 15, 2022, the BSI published a warning about Kaspersky antivirus software. This warning is legally and technically controversial. To date, the BSI has not been able to identify any security gaps in the AV software, either in the warning or in the wake of it. It also failed to show sufficient evidence of a cybersecurity threat. The original BSI files, which were made public through a request under the Freedom of Information Act (IFG) by Bayerischer Rundfunk, make the discussion process within the BSI transparent and also make clear that the warning was published on the basis of geopolitical considerations. Kaspersky is an ethical, responsible, independent and transparent company and has now suffered considerable reputational and economic damage as a result of this warning.

Request to the BSI

The role of the BSI was also publicly discussed and commented on. Many media, such as Netzpolitik.org, Deutschlandfunk, Golem.de, Stern or WirtschaftsWoche discuss the different standards applied at Kaspersky. From a legal point of view, Prof. Dr. Kipker, who specializes in IT law and IT security law, comes to one conclusion: "What we don't need, however, are clandestinely operating state bodies that make political decisions with significant legal effects under the guise of cyber security, and thereby affect both citizens and companies in our country and thus not only damage the reputation of the BSI, but cyber security as a whole." (1).

Against this background, Kaspersky points out the following facts and calls on the BSI to fulfill its legal obligation:

  • Despite numerous requests from Kaspersky, the BSI has still not given any factual justifications for the warning and its maintenance in the past seven months that would be suitable to prove the fulfillment of the factual requirements for the warning with legal certainty.
  • The IFG file, which the BSI handed over to Bayerischer Rundfunk and which the BSI also handed over to the company four weeks after Kaspersky's IFG request, documents numerous assumptions and statements by the BSI that have subsequently turned out to be incorrect. Kaspersky points out that the BSI has so far neither adjusted the warning nor informed the public and thus does not appear to be fulfilling its immediate obligations under the BSI Act.
  • According to § 7 paragraph 2 sentence 2 BSIG, the BSI must inform the public immediately if the information provided to the public subsequently turns out to be incorrect or the underlying circumstances are reported as incorrect. This is undoubtedly the case here. On the one hand, Kaspersky has provided the BSI with a great deal of information about the technical and organizational measures taken since February 2022 and invited the authority to check the source code of the Kaspersky AV and to check the software development and distribution processes. On the other hand, Kaspersky informed the BSI comprehensively about certifications and audits according to the international standards recognized by the BSI and already proposed on March 15, 2022 to develop a technical and organizational framework that would eliminate the BSI's concerns. The BSI has not reacted to any of these suggestions and measures for many months. The first meeting between the BSI and Kaspersky only took place at the end of August. This discussion is being continued, although Kaspersky would like the BSI to act much more quickly.
  • Almost seven months after the warning there has been no cyber incident involving Kaspersky software. The BSI's assessment of March 14, 2022 that there was imminent danger proved to be wrong in retrospect.
  • Based on the Freedom of Information Act (IFG), Kaspersky had asked for access to information on "which security measures/properties/criteria for ensuring sufficient security through Kaspersky products were missing or expressed positively which security measures Kaspersky has to implement so that they are considered sufficient by the BSI in the current situation." Kaspersky has not received a sufficient answer to date.
  • Arne Schönbohm, President of the BSI, in his role as head of the agency, makes claims that are not true and for which there is neither a technical nor a legal basis. This happened in his June 23, 2022 speech at the Potsdam Conference on National Cyber Security 2022, in which he said: "Anyone who continues to use Kaspersky antivirus software, for example in critical infrastructures or in state parliaments, is acting negligently.", and "Kaspersky is a threat to national security."

Constanze Kurz from Netzpolitik.org and spokeswoman for the Chaos Computer Club demands in her comment of October 10, 2022: "We need reliable facts from the BSI, well-founded assessments and strategic ideas on questions of IT security." Kaspersky has nothing to add to this.

"Kaspersky has provided the BSI with extensive information since February, invited the BSI to technical and organizational evaluations and has always constructively pursued the goal of strengthening cyber security and resilience in Germany and Europe, which is also the task of the BSI. Regardless of its legal opinion that the warning was illegal and technically inappropriate, Kaspersky is still working with the highest priority to provide the BSI with all the information so that the BSI can adjust or withdraw the warning based on this information. Kaspersky has constructively and comprehensively named all measures that fully take into account the legitimate cyber security interests of the Federal Republic of Germany, meet the legal requirements of the BSIG in the best possible way and that actually strengthen cyber security and resilience in Germany and Europe," said Jochen Michels, Head of Public Affairs Europe at Kaspersky, and Marco Preuss, Deputy Director, Global Research & Analysis Team at Kaspersky.

(1) The question of whether the BSI's warning of Kaspersky is illegal or legal has not yet been conclusively clarified (Decision of the Federal Constitutional Court of June 10, 2022).

 

More at Kaspersky.de

 


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/


 
