Trust in the reliability and self-protection of a manufacturer.
The Federal Office for Information Security (BSI)warns according to 7 BSI law before using virus protection software from the Russian manufacturer Kaspersky. The BSI recommends replacing applications from Kaspersky’s virus protection software portfolio with alternative products.
Antivirus software, including the associated real-time capable cloud services, has extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted, and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.
The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO, and the Federal Republic of Germany during the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation or be misused as a tool for attacks against its own customers.
All users of antivirus software can be affected by such operations. Companies and authorities with special security interests and operators of critical infrastructures are particularly at risk. You have the option of obtaining advice from the BSI or the responsible authorities for the protection of the constitution.
Companies and other organizations should carefully plan and implement the replacement of essential components of their IT security infrastructure. If IT security products and in particular virus protection software were to be switched off without preparation, one might be vulnerable to attacks from the Internet. Switching to other products is associated with temporary losses in comfort, functionality, and safety. The BSI recommends carrying out an individual assessment and consideration of the current situation and, if necessary, consulting IT security service providers certified by the BSI.
We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds. We will continue to assure our partners and customers in the quality and integrity of our products, and we will be working with the BSI for clarification on its decision and for the means to address its and other regulators’ concerns.
At Kaspersky, we believe that transparency and the continued implementation of concrete measures to demonstrate our enduring commitment to integrity and trustworthiness to our customers is paramount. Kaspersky is a private global cybersecurity company and, as a private company, does not have any ties to the Russian or any other government.
We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone.
Our data processing infrastructure was relocated to Switzerland in 2018: since then, malicious, and suspicious files voluntarily shared by users of Kaspersky products in Germany are processed in two data centres in Zurich that provide world-class facilities, in compliance with industry standards, to ensure the highest levels of security. Beyond our cyberthreat-related data processing facilities in Switzerland, statistics provided by users to Kaspersky can be processed on the Kaspersky Security Network’s services located in various countries around the world, including Canada and Germany. The security and integrity of our data services and engineering practices have been confirmed by independent third-party assessments: through the SOC 2 Audit conducted by a ‘Big Four’ auditor, and through the ISO27001 certification and recent re-certification by TÜV Austria.
Kaspersky has set the industry benchmark for digital trust and transparency. Our customers can run a free technical and comprehensive review of our solutions, allowing them to:
- Review our secure software development documentation including threat analysis, secure review, and application security testing processes.
- Review the source code of our leading solutions including Kaspersky Internet Security (KIS), our flagship consumer product; Kaspersky Endpoint Security (KES), our flagship enterprise product; and Kaspersky Security Centre (KSC), a control console for our enterprise products.
- Review all versions of our builds and AV-database updates, as well as the types of information which Kaspersky products send to our cloud-based Kaspersky Security Network (KSN).
- Rebuild the source code to make sure it corresponds to publicly available modules.
- Review the results of an external audit of the company’s engineering practices conducted by one of the ‘Big Four’ accounting firms.
- Review the Software Bill of Materials (SBOM) for Kaspersky Internet Security (KIS), Kaspersky Endpoint Security (KES), and Kaspersky Security Centre (KSC).