The BSI may warn against virus protection software from Kaspersky. This has now been finally determined by a higher administrative court. No appeal is possible against the judgment.
© Alexey Smyshlyaev/Shutterstock.com
Update April 29th:
Kaspersky has once again failed in court with its attempt to have the BSI’s warning about Kaspersky’s antivirus software banned. The North Rhine-Westphalian Higher Administrative Court (OVG) has now ruled against Kaspersky (Az.: 4 B 473/22) and rejected the appeal by the German subsidiary of Kaspersky against the urgent decision of the Cologne Administrative Court of April 1, 2022 and thus at the same time the previous decision of the Administrative Court Cologne (see below) confirmed. This means that the Federal Office for Information Security (BSI) can issue warnings about software from the Russian IT security company Kaspersky.
The Higher Administrative Court justified its decision as follows: ”
Virus protection programs already have security gaps within the meaning of the law due to the way they work. In the past there have been numerous incidents at all manufacturers of virus protection programs in which malfunctions have blocked IT systems and data has been transmitted to the manufacturer unnoticed. According to the findings of the BSI, the system-related authorization to access the IT infrastructure – which is actually to be protected by the virus protection program – can be misused for malicious activities. According to the findings compiled by the BSI, there are also sufficient indications that the use of Kaspersky’s virus protection software currently poses a risk to information technology security. The BSI’s assumption that the actions of military and/or intelligence forces in Russia and the threats made in this context against the Federal Republic of Germany are associated with a considerable risk of a successful IT attack with far-reaching consequences, especially when using Kaspersky’s virus protection software on sufficient knowledge of the current cyber security situation. The BSI also took into account the Russian government’s documented influence in the past on IT companies operating in Russia, especially on Kaspersky. It understandably concluded that there were sufficient indications of the danger that the Russian government would use Russian software companies to carry out a cyber attack not only on Ukrainian but also on other Western targets as part of the war of aggression it was waging against Ukraine. The security precautions that Kaspersky has taken are not sufficient in the current situation to adequately counteract the threats.
The court continues: ”
The BSI made the decision to issue the warning without any errors of judgment and, in particular, observed the principle of proportionality. The warning was not issued based on irrelevant considerations or even arbitrarily. In particular, it was not politically motivated and does not represent purely symbolic politics. In view of the threat situation presented, it serves solely to reduce the risk of possible attacks on information technology security
The decision is incontestable, the court finally states.
Update end, beginning of the original message from April 4, 2022:
Success for the Federal Office for Information Security (BSI): The Administrative Court of Cologne has confirmed (Az.: 1 L 466/22) that the BSI may warn against virus protection software from Kaspersky (the BSI expressly warned PC-WELT repeated ). At the same time, the court rejected the urgent application of a company from the Kaspersky Group based in Germany.
Alternatives to Kaspersky: The best antivirus tools in the test
On March 21, 2022, Kaspersky Labs GmbH, which sells anti-virus products from the Russian manufacturer, applied for an interim injunction to cease and desist and revoke the warning from the BSI. Kaspersky justified its application by saying that the BSI’s warning was “a purely political decision with no relation to the technical quality of the virus protection software”. Kaspersky emphasized that “a security gap in the sense of a technical vulnerability that has become known does not exist. Indications for there is also no influence of state bodies in Russia on Kaspersky” – claims Kaspersky, which was not only founded by a Russian entrepreneurial couple and is managed by a Russian IT expert, namely Eugene Kaspersky, but also has its headquarters in Moscow.
This is how the court justified its decision
However, the court sees the situation differently than Kaspersky and emphasizes: “The legislator has formulated the concept of security gaps, which entitle the BSI to issue a warning, in broad terms. Virus protection software basically meets all the requirements for such a security gap due to the far-reaching authorizations to access the respective computer system.”
In order to still recommend the use of such software, a high degree of trust in the company is required. If this trust is no longer given, then this actually represents a security gap. The court continues:
“This (that there is no longer any trust in the company, editor’s note) is currently the case with Kaspersky. The company is headquartered in Moscow and employs a large number of people there. In view of the Russian war of aggression in Ukraine, which is also being waged as a ‘cyber war’, it cannot be ruled out with sufficient certainty that Russian developers, of their own accord or under pressure from other Russian actors, will also exploit the technical possibilities of virus protection software for cyber attacks on German targets. Nor can it be assumed that state actors in Russia will comply with laws in accordance with the rule of law, according to which Kaspersky is not obliged to pass on information. In addition, the massive restrictions on press freedom in Russia in the course of the war with Ukraine have shown that the corresponding legal basis can be created quickly.
The court continues:
“The security measures cited by Kaspersky do not offer sufficient protection against state interference. It cannot be ruled out that programmers based in Russia can access the data of European users stored in data centers in Switzerland. On the other hand, permanent monitoring of the source code and updates seems practically impossible due to the amount of data, the complexity of the program code and the necessary frequency of updates.”
Kaspersky can lodge an appeal against the decision, which would then be decided by the Higher Administrative Court in Münster.
USA blacklists Kaspersky
Eugene Kaspersky criticizes BSI: Attack on German consumers
Eintracht Frankfurt throws Kaspersky out as a sponsor