After Russia’s military attack on Ukraine, the BSI abruptly blocked communication with Kaspersky and coordinated with the Ministry of the Interior.
Internal documents from the Federal Office for Information Security (BSI) show how difficult it was for the cyber security authority to deal with the start of Russia’s war of aggression against Ukraine at the end of February. The documents also suggest that the late warning issued in mid-March against the use of virus protection software from the Russian manufacturer Kaspersky was political rather than technical. The Federal Ministry of the Interior (BMI) was also closely involved.
According to the approximately 370-page printed documents that the Bayerischer Rundfunk (BR) and the “Spiegel” received on the basis of inquiries about the Federal Freedom of Information Act, a management team met at the BSI on March 2nd. In it, BSI President Arne Schönbohm discussed “dealing with Kaspersky” with the deputy house management. According to the protocol, from which the two media quote, the result is: “Any findings / technical reasons” should be compiled to justify a warning that was apparently already planned at this point in time.
Kaspersky wanted support from the BSI
According to the reports, the BSI received a high-priority email from Kaspersky at the same time. The company’s customers are wondering why “there are no statements from the BSI on Kaspersky’s security”. The Russian group is therefore hoping for support: In the mail, he describes the BSI as an “internationally recognized and excellently networked technical and scientific” authority that has always worked very carefully and made “fact-based, comprehensible decisions”.
At Schönbohm, however, the overture does not go down well. Two hours later, according to the BR, the BSI boss writes in an internal e-mail, apparently under time pressure and with typos: “Unfortunately, I don’t think I’ll answer at all”.
It was not until March 14 that Kaspersky heard from the BSI: the antivirus manufacturer was about to be informed about the upcoming publication of the warning. He has three hours to respond. The authority did not receive an answer within this mini period. At the beginning of March, politicians from the SPD and FDP, among others, had called for a reassessment of Russian security software: Russia’s illegal war had called almost all security into question.
Possibilities of abuse by Russia in case of war
In the published justification, the BSI emphasized the necessary trust in the “reliability” and the “authentic ability to act” of a producer of anti-virus software. In view of the military conflict, that is no longer the case: “A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on as a victim of a cyber operation without its knowledge, or be used as a tool for attacks against its own customers are abused.”
According to reports, previous versions said that Russia was “not a democratic constitutional state” and viewed Germany as an enemy because of the sanctions imposed. It is therefore “not certain that Kaspersky still has complete control over its software and IT systems or will not lose them in the near future”. There is “imminent danger” and “hostile attacks on German institutions, companies and IT infrastructures” to be expected: “Hackers could have already completed their preparations and are only waiting for an order to use them.”
Not everyone at the BSI is said to have agreed with this. A department head, for example, pointed out that Kaspersky had moved servers to Switzerland in recent years and taken other measures to minimize Russia’s influence. In any case, a “technical security gap” cannot be proven. The alarmed BSI side is said to have countered that the locations of data centers are irrelevant. There are many connections to Russia beyond the company headquarters. The group is “therefore exposed to the direct influence and pressure of the authorities”. The warning is indicated “in order to act preventively in good time”.
Involving the Ministry of the Interior in important security issues
The involvement was not formally necessary, but it took place anyway and was also strongly supported politically by the BSI. At the request of BR and “Spiegel”, the BSI justified this circumstance by saying that it was “a normal procedure” to involve the highest federal authorities in the decision-making process in such cases of high political importance. Otherwise a “holistic and coordinated (security) policy of the federal government could not be guaranteed”. The BMI declined to comment.
The Bremen information lawyer Dr. Dennis-Kenji Kipker, to whom the reporters gave the documents to review, concludes that the BSI worked “clearly based on the results”. This contradicts the authority’s mandate to act “on the basis of scientific and technical knowledge”, as stated in paragraph 1 of the BSI law. The junior professor had previously considered it a mistake to “indiscriminately distribute sanctions against Russian IT companies or to rule out the use of Kaspersky products per se and without thinking.”
So far unsuccessful legal fight against the classification
Kaspersky feels discredited by the BSI’s move as an “international, independent private company with no ties to any government”. The software house, on the other hand, took legal action. So far, however, the statements of the highest German IT security authority have been valid in all instances: Recently, the Federal Constitutional Court also did not accept an urgent application from the German Kaspersky subsidiary for a decision. According to the Karlsruhe judges, the actual circumstances of the security of the software must be clarified further in the main proceedings by the competent specialist courts.
Based on the reports, the company made an effort to “continue the long-standing constructive dialogue with the BSI in order to work together on the basis of fact-based assessments for the highest level of cyber security for our German and European citizens and companies”. Since February, the BSI has been “extensively offered information and invited to tests and audits”. The office “did not respond to any of these offers during the warning”. Schönbohm had recently followed up and spoke of a “danger to national security”. If someone continues to use the group’s virus protection software, for example in critical infrastructures, this is negligent.
