Germany's BSI warns against Kaspersky AV over spying concerns

The warning renews global concerns about using Russian-made software as the country continues its assault on Ukraine.

Binary Russian flag
LPETTET / Getty Images

Germany’s Federal Office for Information Security (BSI) has warned businesses against using Kaspersky virus protection products amid concerns of Russian technology being coerced by Russian government agents and forced to attack target systems against its will or spied on. The BSI did not raise any concrete allegations against Kaspersky products but recommended replacing them with alternatives due to the Russian-Ukraine conflict. The Russian vendor responded in an official statement suggesting the BSI’s actions have been made on political rather than technological grounds.

The warning echoes earlier unconfirmed claims by U.S. intelligence agencies about ties between Kaspersky and the Russian government. Those claims led to the removal of Kaspersky Lab products of approved vendors for U.S. federal agencies in 2017.

Risk of attacks considerable, organizations urged to switch products with caution

The BSI wrote that antivirus software “must for systemic reasons (at least for updates) maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers.” BSI clearly considers this connection to pose a potential risk and identifies a conceivable scenario in which Kaspersky itself is attacked, impacting its customers. “All users of the virus protection software can be affected by such operations,” it stated. However, BSI also urged organizations switching products to do so with caution because, “If IT security products and in particular virus protection software were switched off without preparation, one might be exposed to attacks from the internet without protection.”

Kaspersky claims no ties to Russian government

In a statement published on its website, Kaspersky responded to the BSI’s warning, claiming its actions are politically motivated. “We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds. We will continue to assure our partners and customers in the quality and integrity of our products, and we will be working with the BSI for clarification on its decision and for the means to address its and other regulators’ concerns.”

It added that the company believes that transparency and the continued implementation of concrete measures to demonstrate its commitment to integrity and trustworthiness to customers is paramount. “Kaspersky is a private global cybersecurity company and, as a private company, does not have any ties to the Russian or any other government. We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone.” The security and integrity of its data services and engineering practices have been confirmed by independent third-party assessments, the statement read, while customers can run a free technical and comprehensive review of Kaspersky solutions.

The question of whether businesses should continue to use Russian-made security products and technology along with the risks associated is one of notable significance given Russia’s continued invasion of Ukraine, and one that continues to raise discussions across the industry.

Update: On March 17, Kaspersky Lab founder and CEO Eugene Kaspersky posted an open letter in response to the BSI’s warning in which he stated that the reputational and business damage of the decision is “quite significant.” He also claimed that, despite continuous calls from Kaspersky to conduct a deep audit of its source code, updates, architecture, and processes at Kaspersky Transparency Centers in Europe, BSI is yet to do so.

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.