The warning from the Federal Office for Information Security (BSI) against the use of virus protection software from Kaspersky is legitimate. That was decided by the Higher Administrative Court. This second decision is no longer contestable for Kaspersky.
The Higher Administrative Court has now spoken and with it the complaint of the German subsidiary of Kaspersky against the emergency decision of the Cologne Administrative Court of April 1.4.2022, XNUMX. On March 15.3.2022, XNUMX, the BSI issued a warning about the virus protection software from the manufacturer Kaspersky. Virus protection software is an exposed target of offensive operations in cyberspace. The actions of military and/or intelligence forces in Russia and the threats recently made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful IT attack with far-reaching consequences.
BSI vs. Kaspersky: Court recognizes the danger
Manipulations of the software or access to data stored by Kaspersky could lead to, or at least support, reconnaissance or sabotage actions against Germany, individuals or specific companies or organizations. All antivirus software users could be affected by malicious operation depending on their strategic importance. It is recommended to replace the anti-virus software from Kaspersky with alternative products, whereby an individual assessment and consideration of the current situation is advised. The German subsidiary, which sells Kaspersky's virus protection software, opposed this. The urgent application was unsuccessful in both instances.
To justify its decision, the 4th Senate of the Higher Administrative Court stated: The warning and recommendation is lawful according to Section 7 Paragraphs 1 and 2 BSIG. As a prerequisite, the regulation requires sufficient indications that a product poses a risk to the security of information technology due to a security gap. Virus protection programs already have security gaps within the meaning of the law because of the way they work. In the past there have been numerous incidents at all manufacturers of virus protection programs in which malfunctions have blocked IT systems and data has been transmitted to the manufacturer unnoticed.
“Significant risk of a successful IT attack”
According to the findings of the BSI, the system-related authorization to access the IT infrastructure – which is actually to be protected by the virus protection program – can be misused for malicious activities. According to the findings compiled by the BSI, there are also sufficient indications that the use of Kaspersky's virus protection software currently poses a risk to information technology security. The BSI's assumption that the actions of military and/or intelligence forces in Russia and the threats made in this context against the Federal Republic of Germany are associated with a considerable risk of a successful IT attack with far-reaching consequences, especially when using Kaspersky's virus protection software on sufficient knowledge of the current cyber security situation.
The complete decision can be read as a PDF on the website of the Higher Administrative Court of North Rhine-Westphalia.
Resolution as a PDF at OVG.NRW.de