On March 15, 2022, the Federal Office for Information Security (BSI) published a warning against the use of virus protection software from the Russian manufacturer Kaspersky and recommended replacing this software with alternative products. The BSI justified its warning with the fact that Russian manufacturers could be forced by Russian authorities to become tools for cyber attacks against their own customers. In view of the actions of the Russian military and the intelligence services and the current threats by Russia against the EU, NATO and Germany, the BSI considers this risk to be considerable.
The risk of misuse emanating from virus protection software is exceptionally high, since, due to the way it works, it has full access to the monitored IT systems and must be able to communicate with its manufacturer. Backdoors – i.e. undocumented access to an IT system built in especially for cyber attacks – in virus protection software are therefore particularly explosive. However, if a corresponding manufacturer cooperates with cyber attackers, there is no need for backdoors at all.
The BSI surprised many
The BSI surprised many at the time with its warning, because it had previously followed a very narrow interpretation of the relevant paragraph in the BSI Act and only issued such warnings when there were concrete technical findings, such as identified technical weaknesses. However, all previous attempts by Kaspersky to take legal action against the warning have failed. On April 28, the Münster Higher Administrative Court declared the BSI warning to be legal and rejected an urgent application by Kaspersky in the second instance; the judges thus made it clear that the BSI Act supports a broader view of the term “security gap” beyond purely technical risk factors. On June 2, the Federal Constitutional Court then rejected an appeal against the decision from Münster.
However, there is still heated debate as to whether the BSI was entitled to issue this warning. Critics complain that the BSI is obliged to take a purely technical approach and may only issue warnings if there are technical security gaps. They sometimes see the close coordination between the Federal Ministry of the Interior and the BSI as an inappropriate exertion of political influence – even though such agreements are expressly required in related areas. And finally, they complain that the BSI uses double standards because it has not warned against any other Russian manufacturer; here they refer to the company Protelion (formerly Infotecs). Protelion is also a Russian manufacturer of security software, but with a different focus than Kaspersky and – as far as we know – hardly represented in the German market.
Surprisingly, there is hardly any discussion of a question that is much more important for Germany’s cyber security: to what extent the warning was justified in terms of content. There were no objections to the BSI’s argument that virus protection software poses a potentially high security risk simply because of its technical functionality. It is also undisputed that Russian state authorities can exert a corresponding influence on companies in Russia – even Kaspersky did not contradict this. Contradicting it would not be credible in any case, since this possibility of influence is even regulated by law in Russia.