Update: Kaspersky statement added 10:30 a.m. March 15.
Germany’s computer and communication security agency is advising users of Kaspersky’s antivirus software to find alternatives to the Russia-based company’s products.
In a short alert Tuesday, the Federal Office for Information Security, or BSI, did not accuse Kaspersky of any specific violations of customers’ trust, but it referred to Russia’s hostility toward the European Union, NATO and Germany itself as the invasion of Ukraine continues.
“A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers,” the BSI said, according to a translation of the statement.
Kaspersky has always said that it operates separately from Russia’s government, and company founder Eugene Kaspersky maintained an air of neutrality about the Ukraine invasion in a tweet in early March. The German warning, however, echoes the concerns that led the U.S. government to ban Kaspersky products from federal agencies in 2017.
“Companies and authorities with special security interests and operators of critical infrastructures are particularly at risk,” when IT products are potentially compromised by foreign governments, the BSI said.
Kaspersky responded Tuesday with a statement saying that “the continued implementation of concrete measures to demonstrate our enduring commitment to integrity and trustworthiness to our customers” is its top concern.
“We believe this decision is not based on a technical assessment of Kaspersky products — that we continuously advocated for with the BSI and across Europe — but instead is being made on political grounds,” Kaspersky said. “We will continue to assure our partners and customers in the quality and integrity of our products, and we will be working with the BSI for clarification on its decision and for the means to address its and other regulators’ concerns.”
The company said in 2020 that it had moved all its data-processing from Russia to Switzerland. Since then, “malicious and suspicious files voluntarily shared by users of Kaspersky products in Germany are processed in two data centers in Zurich that provide world-class facilities, in compliance with industry standards, to ensure the highest levels of security,” Kaspersky said.
The company also has opened “transparency centers” in Canada, Europe and elsewhere, for customers to review its code.
Kaspersky’s reputation for cyberthreat research remains strong, and it employs analysts from countries far beyond Russia. One of those researchers, Ivan Kwiatkowski, posted a defense of the company and its work on his personal website on March 9.
Kaspersky has faced pressure on other fronts: Last week it was forced to deny rumors that its source code had been stolen in a hack.
Updated 3/15/22: to include additional Kaspersky comment.