judgements
Court: BSI warning about Kaspersky virus protection was legal
The headquarters of the IT security specialist Kaspersky in Moscow. Photo: Pavel Golovkin/AP/dpa
© dpa-infocom GmbH
Does virus protection software already represent a possible “security gap”? Was the BSI’s warning about the Russian Kaspersky software politically motivated? A decision has now been made.
The Russian virus protection manufacturer Kaspersky has failed in an attempt to lift a warning against the use of its software.
In mid-March, against the background of the Ukraine war, the Federal Office for Information Security (BSI) pointed out the “considerable risk” of a successful IT attack by Russia and advised replacing Kaspersky software with alternatives.
The company that sells Kaspersky in Germany then went before the Cologne administrative court. She wanted to overturn the warning and ban the BSI from making such statements in the future. But the court rejected the company’s request on Friday.
Kaspersky Labs GmbH had presented the BSI’s decision as purely political, with no reference to the technical quality of the virus protection. There are no security gaps or technical weaknesses, nor are there any indications of Russian state interference.
However, the court did not follow the company’s arguments. As can be seen from a notification, the legislator has broadly defined the concept of a security gap that justifies a warning. Virus protection software basically meets all the requirements for such a security gap, after all, the software has extensive authorization to intervene in the computer system. If the necessary high degree of trust in the manufacturer is no longer guaranteed, there is a security gap – and this is the case with Kaspersky according to the decision of the Cologne judges.
In view of the Russian war of aggression in Ukraine, which is also being waged as a “cyber war”, “it cannot be ruled out with sufficient certainty that Russian developers of their own accord or under pressure from other Russian actors will also exploit the technical possibilities of virus protection software for cyber attacks on German targets”. , according to the statement from the court. In addition, it cannot be assumed that state actors in Russia adhere to laws according to which Kaspersky is not allowed to pass on any data. From the point of view of the court, the security measures, which the company claims to have carried out, do not offer “sufficient protection against state interference”.
The company can appeal against the decision (reference number 1 L 466/22) and go to the Higher Administrative Court in Münster.