Kaspersky: Either the BSI withdraws its warning, or…

Contents

The IT security firm Kaspersky has a problem – and that problem is its country of origin: Russia. When the Federal Office for Information Security (BSI) first publicly warned about the complete product segment of a manufacturer in March 2022, it was a novelty. To this day, the warning about Kaspersky's virus software is the only public product warning issued by the BSI – and the company wants it gone, it demands.

Kaspersky lobbyists recently contacted members of the responsible interior committee, as first reported by Der Spiegel. In the emails, the company outlined its request that the BSI should withdraw the product warning. Kaspersky believes the BSI has a duty to do so: documents from the Bonn authority are said to prove that the BSI found no indications of danger. The company claims to have already suffered damages in the triple-digit millions due to the warning. In the USA and other countries, various Kaspersky business units, including Kaspersky Lab and its management personnel such as founder Eugene Kaspersky, have been sanctioned.

BSI stands by its warning

The authority appears unimpressed by the company's demands, having only recently discussed the classification internally again – warnings must be reviewed regularly. "The BSI continues to maintain the warning against AV products from the manufacturer Kaspersky," a spokesperson told heise online on Tuesday afternoon in response to an inquiry. "The reasons for the warning are sufficiently explained in the warning itself and, from the BSI's perspective, have not changed." The BSI does not comment on the manufacturer's communication.

In parliament, Kaspersky's initiative is causing more irritation than support for the company. "Kaspersky always has recourse to the legal system in our German rule of law," says CDU digital politician and IT security specialist Henri Schmidt. And he appeals: "Anyone who still uses Russian software in the current situation has not understood the seriousness of the situation." Russia has been conducting hybrid attacks against Germany for years. "The Russian Federation is a dictatorship and a self-declared enemy of the EU, which uses or will use every available lever against Europe," says CDU politician Schmidt. "No company in today's Russia can operate independently of Putin's regime." This also applies to Kaspersky, headquartered on Leningradskoye Highway in Moscow.

Political or scientific-technical decision?

The events are being closely monitored, says Konstantin von Notz, Green Party interior politician and deputy chairman of the German Bundestag's intelligence oversight committee. "As parliament, we are primarily interested in the federal government's position in the now long-standing conflict between Kaspersky and the BSI, which continues to exercise technical and legal supervision over the federal office." This primarily targets the Federal Ministry of the Interior, led by Alexander Dobrindt, to which the BSI is subordinate. The new Digital Ministry is only responsible for those parts of the BSI that are directly relevant to the federal administration.

Since the warning was issued, there have been repeated suspicions that the BSI did not issue the warning based on technical assessments, but that political reasons played a role. However, this has not been substantiated to date, even though the BSI acted in close coordination with the Federal Ministry of the Interior at the time. Others, on the other hand, had criticized the BSI for delaying the product warning about Kaspersky for far too long. The BSI is an unusual federal authority regarding its decision-making basis: "The Federal Office carries out its tasks based on scientific and technical findings," according to the BSI Act. In other words, unlike other authorities, it is not allowed to be politicized if this contradicts the state of knowledge.

No legal proceedings pending

Kaspersky has so far failed in all attempts to take legal action against the BSI's warning. The company asserted its rights through both preliminary legal protection and a constitutional complaint, but could not convince the judges that the BSI had acted disproportionately. However, the company had not yet initiated any further legal clarification – i.e., a main proceeding.

At the Administrative Court of Cologne, which is responsible for the BSI, no such proceedings are currently known, a spokesperson for the court announced upon request. Thus, there is still no indication that Kaspersky would now initiate main proceedings four years after the product warning was issued. A Kaspersky spokesperson emphasizes that Kaspersky is not threatening the BSI with a lawsuit, but merely reserves the right to take legal action.

(vbr)