Eugene Kaspersky Labels BSI Decision ‘Unfair, And Outright Wrong’

Kaspersky Lab founder Eugene Kaspersky has hit back strongly at Germany’s decision to recommend the uninstallation of Kaspersky antivirus (AV) products in the country.

This week the Germany’s Federal Office for Information Security (BSI) warned users and organisations that the anti-virus software developed by Moscow-based Kaspersky Lab poses a serious risk of a successful hacking attack.

Kaspersky Lab immediately hit out at the ‘political decision’ in an official response, but now Eugene Kaspersky has published an open letter on the matter, in which he strongly defends his firm’s independence and points to the lack of time given to respond to the “unfounded allegations.”

Open letter

In his open letter, Eugene Kaspersky wrote that “the war in Ukraine has shattered the world we knew,” and besides shattering families, relations and partnerships, it has also impacted his company as well.

“This week the German Federal Office of Information Security (BSI) issued a warning about Kaspersky products, citing potential risks for IT security of those using Kaspersky products and solutions,” wrote Kaspersky.

“Without going into details I can say that these claims are speculations not supported by any objective evidence nor offering technical details,” he wrote. “The reason is simple. No evidence of Kaspersky use or abuse for malicious purpose has ever been discovered and proven in the company’s twenty-five years’ history notwithstanding countless attempts to do so.”

“Without such evidence, I can only conclude that BSI’s decision is made on political grounds alone,” wrote Kaspersky. “It is sadly ironic that the organisation advocating for objectivity, transparency, and technical competence – the very same values Kaspersky supported for years together with BSI and other European regulators and industry bodies – decided or was forced to drop its principles literally overnight.”

Read also : Russia Already Meddling In US Election, Microsoft Warns

Kaspersky pointed out that his firm was a long-time partner and contributor of BSI and German cybersecurity industry, and that it “was given mere hours to address these bogus and unfounded allegations. This is not an invitation for dialogue — it is an insult.”

Kaspersky also said that despite continuous calls from the firm to conduct a deep audit of its source code, updates, architecture and processes at Kaspersky Transparency Centers in Europe, BSI has never done so.

“This decision also conveniently omits the fact that Kaspersky has for years pioneered greater transparency with a multi-million euro effort of relocating the threat data of our European customers to Switzerland as a part of our Global Transparency Initiative,” wrote Kaspersky.

Business damage

“That is why I consider the BSI decision as an unwarranted and unjust attack on my company and specifically on Kaspersky employees in Germany and Europe,” Kaspersky wrote. “More importantly this is also an attack on the large consumer base in Germany trusting Kaspersky, which two weeks ago was awarded as the best security offering (by AV-Test).”

“It is also an attack on the jobs of thousands of German IT security professionals, on law enforcement officers we have trained to combat cutting-edge cybercrime, on German computer science students we have helped obtain job-ready skills, on our partners in research projects in the most critical areas of cybersecurity, and on tens of thousands of German and European businesses of all sizes which we have been protecting from the whole spectrum of cyberattacks,” he wrote.

Kaspersky admitted that the reputational and business damage of the BSI decision is already quite significant.

And he questioned whether the BSI decision to not have Kaspersky in Germany would make Germany or Europe safer.

“Quite the contrary. The BSI decision means that German users are strongly advised to immediately uninstall the only antivirus that according to AV-Test, an independent German IT-Security Institute, guarantees 100% protection from ransomware,” wrote Kaspersky.

Read also : Russian Hackers Lure German Politicians With Fake Dinner Party Invite

“This means that the leading German industrial equipment manufacturers will no longer receive information about critical vulnerabilities in their software and hardware from Kaspersky ICS-CERT,” he wrote. “This means that German automotive giants will remain oblivious to the bugs that may allow an attacker to overtake the entire on-board computer system and change its logic. This means a huge blind spot on the attack surface for European incident responders and SOC operators, who will no longer be able to receive threat data from across the globe – and from Russia in particular.”

Kaspersky wrote BSI now seems to be avoiding contacts with Kaspersky’s German team, and the firm considers “this decision to be unfair and outright wrong.”

“Nonetheless, we remain open to addressing any concerns you may have in an objective, technical, and honest manner,” wrote Kaspersky. “The war in Ukraine can only end through diplomacy, and we are all hoping for a cessation of hostilities and continuing dialogue. This war is a tragedy that has already brought suffering to innocent people and repercussions across our hyper-connected world.”

US, UK actions

Some may feel sympathy for the position of Eugene Kaspersky and Kaspersky Lab, while others will point to the previous actions of the United States and United Kingdom against the firm.

The United States in 2017 banned government departments and the US military from using Kaspersky’s products, and the FBI has reportedly advised a wide range of private companies not to use the tools.

That same year the UK’s National Cyber Security Centre (NCSC) also warned government departments not to use antivirus products with links to Russia for systems related to national security and those which are “critically important”.

Since that time, Kaspersky Lab relocated its data processing infrastructure to Switzerland in 2018, and Eugene Kaspersky has repeatedly said that if he was ever asked to provide data to the Russian government he would move his company out of the country.