Research: How the BSI warning about Kaspersky came about


Bayerischer Rundfunk and SPIEGEL have published an investigative report on the BSI's decision-making process in relation to the March Kaspersky warning. An IT security lawyer also comes to the conclusion that the result (the warning) was determined first and that the arguments were then sought in cooperation with the Federal Ministry of the Interior.

The warning about Russian Kaspersky software in mid-March this year was followed by statements from the BSI, open letters from Eugene Kaspersky and various court hearings. Again and again Kaspersky tried to refute the BSI's motives for the warning, but failed again and again in court. Many experts called the BSI warning politically motivated because it was not aimed at any other company.

Bayerischer Rundfunk and Spiegel report

As reported by Bayerischer Rundfunk (BR), the editors have almost 370 pages that allow a look inside the BSI and show how difficult the federal office responsible for IT security found the decision-making process. The documents also show that political aspects played an important role and that the Federal Ministry of the Interior was heavily involved. BR and Spiegel made a request for research under the Freedom of Information Act and thus received the documents.

Kaspersky had 3 hours to respond

BR further reports that the BSI wanted to coordinate the warning. The BSI then informed Kaspersky on March 14 and gave the company three hours to react. The e-mail is said to have gone to two functional mailboxes (group mailboxes). Kaspersky did not respond within the specified time, which is not surprising.

BR and Spiegel submitted the documents to the Bremen professor of IT security law Dennis-Kenji Kipker for evaluation. His assessment: the BSI worked “clearly based on the result”. This contradicts the BSI's mandate to act "on the basis of scientific and technical knowledge", as stated in paragraph 1 of the BSI law. This "working method actually presupposes that you don't have the result first and then think about how I can derive it". But that is exactly what happened. According to Kipker, it would have been better "to warn against Russian products in general" rather than "using Kaspersky as an example".

Kaspersky's comment on the content of the reports

Kaspersky has received the research by BR and Spiegel with some satisfaction. After all, the evaluation proves most of Kaspersky's counter-arguments and shows how the warning came about. The statement by IT security lawyer Dennis-Kenji Kipker is particularly interesting: the warning was issued explicitly against Kaspersky and not against Russian software in general.

Here is Kaspersky's official statement on the investigative research by Bayerischer Rundfunk and SPIEGEL on the decision-making process at the BSI in relation to the Kaspersky warning.

The official statement

“Kaspersky appreciates the detailed research and assessment by Bayerischer Rundfunk and SPIEGEL on the decision-making process of the Federal Office for Information Security (BSI) regarding the warning about Kaspersky. The company strives to continue the long-standing constructive dialogue with the BSI in order to work together on the basis of fact-based assessments for the highest level of cyber security for our German and European citizens and companies.

Kaspersky welcomes the fact that the media have made use of the opportunities provided by the Federal Freedom of Information Act, researched the 370-page BSI files and informed the public about their findings. The research also includes an analysis by the renowned IT security lawyer Prof. Kipker. According to him, it is clear from the files that the publication of the warning was certain from the outset and the reasons and arguments for this were only compiled afterwards. The Federal Constitutional Court also found that the legality of the BSI warning is unclear and must be clarified in the main proceedings.

BSI was also invited to tests and audits, but declined

Kaspersky got the same impression when studying the files for the summary proceedings; technical arguments and facts played no role. Kaspersky has made extensive information offers to the BSI since February and invited it to tests and audits. The BSI did not respond to any of these offers during the warning.

Kaspersky believes that transparency and the continued implementation of concrete actions that demonstrate our ongoing commitment to integrity and trustworthiness to our customers are of the utmost importance. As early as 2017, the company announced its Global Transparency Initiative and since then, as a pioneer of transparency in the cybersecurity industry, has continuously implemented concrete measures to promote its principles of trustworthiness, integrity, risk management and international cooperation.

Kaspersky continues to reassure its partners and customers of the quality and integrity of its products and is committed to working with the BSI to clarify its decision and address the concerns of the BSI and other regulators."

More at Kaspersky.com | Research at BR.de | Spiegel+ (S+) at Spiegel.de

 
