German authorities warn on Kaspersky but stop short of ban

Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), has made a formal recommendation that Kaspersky users in Germany replace the supplier’s antivirus (AV) protection software with alternative products, but will not enact an outright ban on the Russian firm.

The BSI said that because Kaspersky’s AV software and its associated real-time capable cloud services must maintain a connection to its servers, it was important that trust in its reliability was maintained, and this trust was now broken given Russia’s actions in Ukraine.

“A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers,” said the BSI in a statement.

“All users of antivirus software can be affected by such operations. Companies and authorities with special security interests and operators of critical infrastructures are particularly at risk.”

The BSI is advising users to plan and implement the replacement of what it described as “essential components” of their security infrastructure, noting that if products such as antivirus tools are simply switched off, this can in fact heighten risk.

A Kaspersky spokesperson accused the Germans of making politically motivated decisions, saying: “We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds.

“We will continue to assure our partners and customers in the quality and integrity of our products, and we will be working the BSI for clarification on its decision and for the means to address its and other regulators’ concerns.

“We believe that transparency and the continued implementation of concrete measures to demonstrate our enduring commitment to integrity and trustworthiness to our customers is paramount. Kaspersky is a private, global cyber security company and, as a private company, does not have any ties to the Russian or any other government.

“We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone,” they added.

The spokesperson pointed out that the firm’s data processing infrastructure has been located in Switzerland since 2018, and that any data relating to entities in Germany is held and processed at datacentres there. More widely, it has established a network of a Global Transparency Centres where its product code may be examined, and is conducting frequent security audits with one of the Big Four accountancy houses.

For organisations in the UK, the National Cyber Security Centre’s (NCSC’s) present guidance on the use of Kaspersky software at key organisations remains that set out by the agency’s technical director Ian Levy in 2017.

Given the NCSC assesses – then and now – that the Russian state has and continues to conduct cyber attacks on UK targets, Levy said it was important to focus attention on how an AV product could be abused, and the impact if it was.

The NCSC approaches this task in two ways by managing product-based risks and managing national-scale risks.

In the first instance, this means it discussed some time ago with Kaspersky a means to provide the UK with assurance about how secure its involvement in the wider UK market is. Given that Kaspersky is not the subject of UK bans or sanctions, one can assess with confidence that few if any problems were found – note again that Kaspersky has been an active promoter of transparency in its work, and currently neither holds nor processes UK data in Russia.

In the second instance, NCSC leadership has previously engaged with all UK government departments on the topic of Kaspersky and advised that systems with a national security purpose should not use products that could be interfered with by the Russian government. Levy said that there was almost no installed base of Kaspersky AV in central government in any case.

“Our advice in this space is a bit complex and nuanced. That’s because it’s a complex problem with lots of nuances. Whatever you do, don’t panic. For example, we really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense,” Levy wrote at the time.

“As we’ve said before, people and enterprises have a finite budget for security, whether that’s money, time, change or whatever. Let’s use this budget wisely and concentrate on fixing the things that we know are responsible for successful compromises.”

Any updates to this guidance from the NCSC will be publicised should they be made.

Kaspersky has remained studiously neutral throughout the war on Ukraine, although as previously reported its founder Eugene Kasperky was extensively criticised for remarks made on the subject. Earlier in March, the company had to forcefully deny the Anonymous hacktivist collective had stolen and leaked its product source code.