
Call for More Evidence in Cybersecurity: Clear Assessment Criteria for a Secure Digital Future in Germany, Europe, and the World


Jochen Michels, Director Public Affairs Europe, Kaspersky

The findings are clear: we are experiencing increasing and ever more sophisticated cyber threats from cybercriminals and state actors – also using new attack vectors in the age of artificial intelligence. For security solutions used by companies and public institutions, this means that the highest security requirements must be set in accordance with risk assessment. Antivirus software, which serves as the basis of the IT security architecture in most organizations, is an important, central element of a holistic, tailored security architecture. In the dynamic environment of digitalization and cybersecurity, security measures must be constantly questioned and reviewed to adapt them to the changing threat landscape and increasing security requirements.

Transparency, Compliance with International Standards, Involvement of Independent Third Parties

Several factors must be considered when assessing the trustworthiness and security of cybersecurity providers. The country of origin is one of these factors. In Germany and Europe, the term "risk countries" is often used in this context.

Vendors can counter the perceived geopolitical risk with verifiable, efficient, and effective security measures. Transparency, comprehensive risk management, and the involvement of independent third parties are particularly important. They are crucial for building trust between vendors, their customers, and cybersecurity authorities. Vendors should provide clear information about their products, including source code, information on development and update processes, and vulnerability disclosure policies.

Compliance with international standards such as ISO 27001, SOC 2, or Common Criteria (CC) is necessary to ensure the security and quality of products, solutions, services, and processes. These standards provide a framework for implementing and maintaining a robust information security management system, which is essential for protection against cyber threats. Independent third-party testing and validation are another essential basis for an objective assessment of a product's effectiveness and security. This can include penetration tests, vulnerability analyses, and other forms of evaluation. Independent testing helps manufacturers identify potential weaknesses and ensure that products continuously improve and meet the required security standards.

What Role Should Geopolitical Factors Play? – The Example of the BSI Warning Against Kaspersky Antivirus Software

An example of the complexity of cybersecurity policy and the need for an evidence-based approach is the warning issued by the German Federal Office for Information Security (BSI) on March 15, 2022, against the use of Kaspersky antivirus software. Issued due to geopolitical concerns in the wake of the military conflict in Ukraine, it raised questions about the technical security of antivirus software and had legal and economic repercussions. More than three and a half years after the publication of this warning, isn't it time for an objective reassessment? What has become of the risk assumptions of the original warning? Have the assumptions underlying the decision been confirmed? Have cybersecurity and resilience actually been strengthened?

The Origins of the BSI Warning and the Geopolitical Context

The BSI warning against Kaspersky antivirus software was published shortly after the outbreak of the conflict. At the time, Russian cyber operations against IT infrastructures were considered one of the greatest dangers to the security of Western states. The BSI assumed that the Russian government might be able to influence the development and distribution of the software. The technical basis for the warning is that all antivirus software has deep access rights to the operating system: a compromised antivirus program could take control of a system and expose sensitive data.

Three years later: What has happened since then?

In the more than three and a half years since the warning was issued, there have been no incidents indicating that Kaspersky antivirus software has been manipulated by a state actor or by cybercriminals, or that it has been involved in a security incident. Neither in Germany, nor in Europe, nor in any other region of the world has there been any evidence of misuse or interference that would have substantiated the BSI warning. On the contrary, it has been shown that the security processes implemented by Kaspersky are effective and that the software reliably meets security standards, even in a challenging geopolitical environment. In addition, Kaspersky has implemented a wide range of supplementary security measures that minimize potential risks and make unauthorized manipulation of the software virtually impossible. These include comprehensive certifications (such as ISO 27001), regular audits by independent testing bodies, and the implementation of modern security architectures based on zero-trust principles. This continuous improvement of security measures, together with the company's Global Transparency Initiative, which provides insight into source code and software deployment processes at its own transparency centers worldwide, underscores its commitment to high security standards.

Is it justified to maintain the original warning unchanged? Even if the initial risks may have seemed plausible and understandable at the time of the warning, the past few years have shown that the anticipated threats have not materialized. Given Kaspersky's ongoing efforts to optimize its security practices, the question arises as to the proportionality of such a warning.

Why the BSI warning should be reassessed

For a high level of cybersecurity, it is important that cybersecurity warnings are regularly reviewed and, if necessary, updated or lifted. If security warnings are maintained for extended periods without concrete risks being confirmed, they risk losing their original effectiveness. This could lead to uncertainty in the market. Furthermore, economic, financial, and social damage is possible, such as an increase in cyber incidents, job losses, and financial losses.

A transparent, evidence-based approach to risk assessment is of central importance in cybersecurity. Kaspersky's steps and measures to date demonstrate that it has not only effectively addressed security concerns but also actively contributes to strengthening the global cybersecurity infrastructure, for example, through partnerships with international organizations such as INTERPOL and AFRIPOL. This underscores the company's commitment to actively and effectively contributing to a safer digital world within a global cybersecurity community.

The European Union has also adopted an evidence-based approach to cybersecurity with the NIS 2 Directive. Important entities and critical infrastructure (CI) entities are required to implement appropriate risk management. Uniform criteria have been defined for this purpose, which all providers in each category must meet. The German federal legislature has also comprehensively implemented this in the legislation transposing the NIS 2 Directive. Furthermore, significant amendments have been made to the BSI Act. Since the amended law came into force, the BSI has been required to perform all its tasks on the basis of scientific and technical findings; political considerations are therefore not suitable as decision-making criteria. In addition, BSI warnings must be withdrawn after six months to ensure their proportionality.

Call for an Evidence-Based Cybersecurity Policy

It is time to return to an evidence-based approach in cybersecurity policy, moving away from a strongly geopolitically motivated one. The BSI warning, which was originally based on geopolitical assumptions, may have been justified at the time of its publication due to risk precautions and the uncertain situation. In practice, however, a different picture has emerged since then. The measures taken by Kaspersky in the years following the warning, the continuous review and improvement of its security practices, and the fact that the assumed risks did not materialize all argue for a reassessment of the warning. In the interest of an effective, fair, transparent cybersecurity policy based on facts and scientific and technical knowledge, the BSI should therefore reassess the warning issued more than three and a half years ago and analyze the security situation based on current information from cyberspace. This is also required by the new BSI Act. This ensures that security measures address actual threats. An evidence-based approach strengthens cybersecurity and, at the same time, fosters trust in security solutions.

Kaspersky has also put this case directly to the BSI. The letters setting out Kaspersky's arguments and the BSI's response can be found here.
