Investigative reporter: This is how the BSI warning about Kaspersky came about

A team of investigative reporters is trying to clarify the circumstances that led the Federal Office for Information Security (BSI) to issue its warning about the Russian antivirus specialist Kaspersky in the spring.

It looks as if the outcome, a warning, was already certain before the actual investigation began; at least, that is how the summary of the research can be read.

Bayerischer Rundfunk (BR), together with Der Spiegel, attempted to shed some light on the decision-making process that ultimately led to the Kaspersky warning. It is now apparent that the BSI and the Ministry of the Interior were in close contact and that political aspects played an important role. Politics took precedence over a direct technical assessment.

The BSI held a first “crisis meeting” on how to deal with Kaspersky about a week after the first attacks from Russia on Ukraine.
Infographic: Targeted by Russian hackers

According to the minutes, it was decided to compile “any findings/technical reasons” that justify a warning. “The fact that a warning should be given seems to have already been decided,” it says.

However, the research also shows that it was not a unanimous decision. Not everyone in the Federal Office was convinced, and there were some objections. According to the documents that BR saw, it was pointed out that Kaspersky had relocated servers to Switzerland and had taken other measures to minimize Russia’s influence. A “technical security gap” is not recognizable or verifiable. The BSI therefore comes to the conclusion that the warning will be reworded.

Political backing “desired”

Help is requested. An e-mail says: “On the part of the BSI, we are interested in strong political support from the BMI.” The warning was later supplemented with the addition that “all assumptions made by the BSI about Kaspersky are invalid with the war”.

After the initial research, the team of journalists brought Dennis-Kenji Kipker, Professor of IT Security Law in Bremen, on board. Kipker comes to the conclusion that the BSI “clearly worked on the result”. “This contradicts the BSI’s mandate to act on the basis of scientific and technical knowledge, as it says in paragraph 1 of the BSI law. This working method actually requires that you don’t have the result first and then think about how I can derive it.” This design should now be put to the test again.

Kaspersky’s first reaction to the new media report

Kaspersky has already issued a comprehensive statement on this. It states that Kaspersky welcomes the fact that the media has made use of the opportunities offered by the Federal Freedom of Information Act, researched the 370-page BSI files and informed the public of their findings.

Kaspersky is now making it clear once again that the company has made extensive information offers to the BSI since February and invited it to tests and audits. The BSI did not respond to any of these offers.

The statement concludes with the assurance of its willingness to work with the BSI: “Kaspersky continues to assure its partners and customers of the quality and integrity of its products and seeks to work with the BSI to clarify its decision and the concerns of the BSI and other regulators.”
