Kaspersky CEO: Ukraine war must end through diplomacy

Eugene Kaspersky, the founder and CEO of cyber security giant and antivirus pioneer Kaspersky Lab, has called for a diplomatic end to the war in Ukraine as he responds to repeated allegations over the eponymous company’s ties to Moscow, branding warnings over his products’ security an “insult” and reaffirming his commitment to transparency and the wider industry.

Kaspersky, who was earlier criticised for referring to the war as a “situation” on his social media channels, said the war had “shattered the world we knew”.

“Families, relations, partnerships and ties were affected dramatically in Ukraine, Russia, Europe and the entire world. The avalanche of these tragic events catches us all,” he said in an open letter.

“The war in Ukraine can only end through diplomacy, and we are all hoping for a cessation of hostilities and continuing dialogue. This war is a tragedy that has already brought suffering to innocent people and repercussions across our hyper-connected world. The global cyber security industry that has been built on the basis of trust and cooperation to protect the digital links connecting us with each other may well be its collateral damage – and thus leave everyone even less safe.”

Kaspersky spoke out after the German Federal Office of Information Security (BSI) issued a warning about Kaspersky products. The BSI said: “Trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.

“The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, Nato and the Federal Republic of Germany in the course of the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers.”

Responding to this, Kaspersky said: “These claims are speculations not supported by any objective evidence nor offering technical details. The reason is simple. No evidence of Kaspersky use or abuse for malicious purpose has ever been discovered and proven in the company’s 25-year history, notwithstanding countless attempts to do so.

“Without such evidence, I can only conclude that BSI’s decision is made on political grounds alone. It is sadly ironic that the organisation advocating for objectivity, transparency and technical competence – the very same values Kaspersky supported for years together with BSI and other European regulators and industry bodies – decided, or was forced, to drop its principles literally overnight. Kaspersky, the long-time partner and contributor of BSI and German cyber security industry, was given mere hours to address these bogus and unfounded allegations. This is not an invitation for dialogue – it is an insult.”

Kaspersky claimed that he had repeatedly called on the BSI to conduct a “deep audit” of its source code, updates, architecture and processes, as any of the firm’s customers can do at one of its network of global Transparency Centres, but he said the BSI had never bothered to do so, nor did the organisation recognise the firm’s Global Transparency Initiative – under the auspices of which the Transparency Centres are operated.

He said Kaspersky had pioneered transparency efforts in cyber by opening itself up, and had spent millions of euros in doing so, as well as on new facilities in Switzerland to house customer data beyond the potential grasp of the Kremlin.

“That is why I consider the BSI decision as an unwarranted and unjust attack on my company and specifically on Kaspersky employees in Germany and Europe,” said Kaspersky. “More importantly, this is also an attack on the large consumer base in Germany trusting Kaspersky. It is also an attack on the jobs of thousands of German IT security professionals, on law enforcement officers we have trained to combat cutting-edge cyber crime, on German computer science students we have helped obtain job-ready skills, on our partners in research projects in the most critical areas of cyber security, and on tens of thousands of German and European businesses of all sizes which we have been protecting from the whole spectrum of cyber attacks.

“The BSI decision means that German users are strongly advised to immediately uninstall the only antivirus that, according to AV-Test, an independent German IT security institute, guarantees 100% protection from ransomware. This means that the leading German industrial equipment manufacturers will no longer receive information about critical vulnerabilities in their software and hardware from Kaspersky ICS-CERT – an organisation hailed for its responsible disclosure work by these very same manufacturers.

“German automotive giants will remain oblivious to the bugs that may allow an attacker to overtake the entire on-board computer system and change its logic. This means a huge blind spot on the attack surface for European incident responders and SOC operators, who will no longer be able to receive threat data from across the globe – and from Russia in particular.”

Kaspersky went on to issue a message to the BSI, which he noted appears to be rebuffing attempted outreach from the firm’s team in Germany. He said that while he considers its decision to be unfair and wrong, the firm remains open to addressing concerns in an objective and honest manner.

“We are thankful to the European regulators and industry experts who have taken a more balanced approach by calling for additional technical analysis and scrutiny of security solutions and the IT supply chain, and I am fully committed to providing all the information and cooperation that is required from Kaspersky throughout this process,” he said.