When the BSI warned against the use of Kaspersky's anti-virus software after the Russian invasion of the Ukraine, this was mainly due to political considerations. This emerges from internal documents that Bayerischer Rundfunk and Spiegel received about a request for information freedom law.
According to the reports, the documents show how lengthy the internal discussions were and how heavily involved the Federal Ministry of the Interior was. As the IT security authority, the Federal Office for Information Security (BSI) reports to the Ministry of the Interior. One of the problems: The warning was given less for technical reasons and more for political reasons.
On March 2nd, just over a week after the start of the Russian invasion, a management committee met within the BSI, in which BSI President Arne Schönbohm was also involved. At that point, there seemed to be a will to warn the public about Kaspersky. At this meeting it was decided that “any findings/technical reasons” to compile that justify such a step.
Russian state as a risk
The reasons – which are also mentioned later in the warning – are the far-reaching possibilities for attackers that anti-virus software offers. This is fundamentally deeply rooted in the system and has far-reaching authorizations. It is therefore “danger ahead” that attacks are to be expected and Kaspersky also has no chance of positively influencing the risk assessment through “technical or other measures” – according to the BSI's assessment to date. That was the internal start. However, the process that ultimately led to the warning was not easy.
A vote was taken in many cases, as can be seen from the documents. For example, internal reference was made to the fact that Kaspersky servers had moved to Switzerland. In addition, no technical security gap has been identified so far. The BSI therefore had no concrete indications of vulnerabilities such as a back door in the Kaspersky software.
However, the lack of confidence in the remoteness of the state remains problematic. The location of the servers is irrelevant, the decisive factor is who can inject code. And Kaspersky is owned by Russian citizens, employees also have family in Russia. The company is therefore “exposed to the direct influence and pressure of the authorities,” according to the report by Bayerischer Rundfunk. So the Russian government can hijack the software and get a powerful attack tool.
A crypto technician explains in the internal correspondence that the task of the BSI is to protect the German IT infrastructure from attacks. “We don't have to wait for the possible and probable occurrence of such an event,” Der Spiegel quotes from the internal letter. Because this is a “strategic positioning”, the further procedure was apparently closely coordinated with the Ministry of the Interior. The public warning then followed on March 15, which is particularly relevant for companies and operators of critical infrastructures. Kaspersky – which itself had previously approached the BSI – hardly had time to comment in advance.
Perhaps the BSI should have issued a general warning about Russian software
However, it remains unclear to what extent the BSI is allowed to proceed in this way. First the warning was decided, then the search for reasons began. This is how the BSI worked based on the result, says Dennis-Kenji Kipker, professor for IT security law at the University of Bremen, in Der Spiegel. In his opinion, however, this contradicts the mandate of the BSI, which, according to the BSI law, must work on the basis of scientific and technical knowledge. This means: First the analysis, then the decision as to whether a warning is issued.
According to Kipker, the BSI should only have warned about Russian products in general because there were no technical clues. In an article on the legal portal LTO, he specifies the criticism. Basically, the question arises – again – to what extent the BSI is objective enough as an IT security authority. If warnings are issued in coordination with the Federal Ministry of the Interior for geopolitical reasons, it weakens trust in the authority's technical analyses. This also applies, for example, to the handling of reported security gaps with regard to the state Trojan.
With the latest findings of the BSI warning about Kaspersky we need to conclude whether our cybersecurity architecture is really any good. Companies' concerns about sharing sensitive information with the BSI/BMI are not unfounded. I write about this in the LTO https://t.co/yc4PIolrn7
— Prof. Dr. Dennis-Kenji Kipker (@Dennis_Kipker) August 5, 2022
With the findings from the documents now published, according to Kipker, it is now also open whether the warning will remain in main proceedings . When asked by Spiegel, the BSI itself said it was right. The authority also refers to the existing court judgment.