In March, the BSI issued a warning about Kaspersky’s security software. As it turned out, there were no technical clues.
According to a report by Bayerischer Rundfunk, the BSI's warning against Kaspersky software in March was politically motivated. Accordingly, there were no technical clues. Kaspersky itself had no say in this, although the company always signaled a high willingness to cooperate.
First the decision, then the search for the reason
Last March, the Federal Office for Information Security (BSI) warned against using antivirus software from Russian cybersecurity expert Kaspersky. Documents available to Bayerischer Rundfunk (BR) indicate lengthy internal discussions. In addition, the Federal Ministry of the Interior (BMI) is said to have exerted a great deal of influence. Accordingly, the warning is said to have had less technical and more political reasons.
Around a week after the Russian army invaded Ukraine, a leadership meeting is said to have taken place. The BSI President Arne Schönbohm was also involved in this. The resolution of this meeting was to compile “any findings/technical reasons” on the basis of which the warning against Kaspersky could be justified. That there should be a warning at all was no longer in question.
Kaspersky as a Russian tool for digital warfare
The reasons given were the far-reaching possibilities that antivirus software offers to potential attackers, because such security software is often deeply rooted in the system and has far-reaching system permissions.
And although Kaspersky could not detect any vulnerabilities in the form of a back door in the software and has moved the company’s servers to Switzerland, trust fell by the wayside due to its Russian roots.
The BSI therefore sees too great a risk that the company is exposed to “direct influence and pressure from the authorities” of Russia. This would allow the Russian government to hijack the software and thereby obtain a powerful tool for digital warfare. Kaspersky has “no way to positively influence the risk assessment through technical or other measures”.
And since it is the task of the BSI to protect the German infrastructure, the public warning against Kaspersky products was issued on 15 March.
Kaspersky: Yesterday friend, today enemy
Kaspersky did not have a say in this. In a press release, the company asserts that it “has been offering the BSI extensive information since February and has invited it to tests and audits”. But the BSI responded to “none of these offers” during the alert.
The company also emphasizes that it “continues to assure its partners and customers of the quality and integrity of its products and is committed to working with the BSI to clarify its decision and address the concerns of the BSI and other regulators”.
Still 15 the BSI praised the “trustful cooperation” with Kaspersky, as BR reports.
Trust in the BSI is on the brink
The order in which the BSI acted remains questionable, because the decision to warn against Kaspersky was made first and only then did the search for reasons begin. According to Dennis-Kenji Kipker, a professor of IT security law at the University of Bremen, the BSI law requires the BSI to work on the basis of scientific and technical knowledge.
This means that an analysis must first be carried out, on the basis of which a decision is then made. Since there were no technical clues at the time the warning was issued, the BSI should only have given a general warning about Russian products. By issuing warnings based on geopolitical reasons in coordination with the BMI, the authority only weakens confidence in its own technical analyses. According to Kipker, this leaves the question “whether our cybersecurity architecture is really any good”.