EU Claims Kaspersky Lab Software 'Confirmed as Malicious'In Response, Software Firm Pauses Work With Europol and 'No More Ransom' Portal
The anti-Kaspersky Lab rhetoric continues to heat up in Europe, with the European Parliament passing a motion branding the Moscow-based anti-virus firm's software as being "confirmed as malicious."
In response, Russia-based Kaspersky Lab says it's halted all work with European institutions, including Europol - the EU's law enforcement intelligence agency - until it receives clarification from the European Parliament. The company says it's also paused its work with the No More Ransom project, which provides free decryption tools to ransomware victims (see Police Bust Five Ransomware Suspects in Romania).
On Wednesday, members of the European Parliament voted 476 to 151 to approve a nonbinding cyber defense motion that seeks to improve Europe's ability to defend itself against online attacks, hire more cybersecurity experts and get better and sharing information.
The motion also singles out Kaspersky Lab. An amendment reportedly added by Polish MEP Anna Elzbieta Fotyga "calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programs and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab."
It's unclear what, if any, evidence MEPs might be referencing. Kaspersky Lab has continued to deny that it works with any government.
Neither Fotyga nor the motion's primary backer, Estonian MEP Urmas Paet, could immediately reached for comment.
But Paet has urged EU member states to dramatically improve their cyber defense posture. "We have to be ready to go on the offensive," Paet said this week. "It is not enough to simply defend, sometimes it's important to get active, for example, when you know where the attacks come from."
Transparency Center: Switzerland
The European Parliament motion comes despite Kaspersky Lab having said that it "has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts."
"Kaspersky Lab and its CEO Eugene Kaspersky believe that the decision of the European Parliament encourages cybercrime in Europe," the company tells Information Security Media Group in a statement. "We believe that it does not contribute toward building an open and secure digital single market but rather make it more fragmented and less competitive."
The company adds: "Our 400 million users around the globe trust us to protect their data. We will continue to successfully work with institutions and organizations to deliver a tangible positive impact by fighting cybercrime and defending European and global citizens from cyber threats. Indeed, in April the European Commission officially stated that "the commission has no indication for any danger associated with this anti-virus engine."
In a bid to combat allegations that Kaspersky Lab may have been suborned by the Russian government, the firm on May 15 announcing that by the end of this year, it will be moving many of its operations to Zurich, where it would open its first "transparency center." The company also said its "build systems - or 'assembly line' - which work on the compilation and creation of Kaspersky Lab products and threat detection rule updates" would occur in Zurich.
In addition, all information processing for users in Europe, North America, Australia, Japan, South Korea and Singapore - "with more countries to follow" will only occur in Zurich, and be independently audited and reviewed.
Kaspersky Lab said that by 2020, it plans to open further transparency centers in North America and Asia.
Allegations, But No Public Evidence
Despite the firm's transparency push, however, multiple governments have signaled their unease with using the firm's products, at least for sensitive operations. Some of those misgivings may be in response to the New York Times last year reporting that Israeli spies had hacked into Kaspersky Lab's network and discovered that the Russian government was using the company's widely installed anti-virus software to attempt to spy on U.S. intelligence agencies (see Will Kaspersky Lab Survive the Russia Hacking Scandal?).
No evidence has been produced publicly to support those assertions, but then intelligence agencies don't typically publicly release their findings, and governments typically refrain from doing so except for diplomatic purposes or if there's a risk that poses a clear and present danger (see British Security Services Tie North Korea to WannaCry).
Dutch Government Orders Phase-Out
On May 14, Dutch Justice Minister Ferdinand Grapperhaus wrote to the lower house of the Dutch parliament, saying that the government would be phasing out the use of Kaspersky Lab anti-virus software as a "precautionary measure" because of the risk it might pose.
Because anti-virus software hooks into the inner workings of operating systems, "there is a risk of digital espionage and sabotage at the central government and the Dutch vital infrastructure," Grapperhaus wrote, although he noted that he knew of no cases in which Kaspersky Lab software had been abused.
But he said Russian law compelled domestic firms to assist Russian intelligence services upon their request.
"The [Dutch] cabinet has carried out an independent review and analysis and made a careful decision on that basis," Grapperhaus said. "Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded."
Anna Sophia Posthumus, a spokeswoman for Grapperhaus, said the justice minister wasn't recommending that Dutch businesses stop using Kaspersky Lab software, but was speaking in broader terms. "It is about a summary of developments in the field of cyber threats," she told NL Times, adding that the government had no timeline for switching to other products. "That depends on various issues, such as ongoing contracts with Kaspersky and finding and implementing a suitable alternative."
Trump Bans Software
The Dutch government's move followed the Trump administration last July moving to restrict Kaspersky Lab technology from U.S. government networks (see Trump Administration Restricts Kaspersky Lab Product Use).
In December, the Trump administration went even further, ordering a full ban on the company's products from government networks by this coming October.
In response, Kaspersky Lab sued the U.S. government to overturn the ban. But that bid, at least so far, has been unsuccessful.
Last December, the U.K.'s National Cyber Security Center, which advises organizations on cybersecurity matters and is part of intelligence agency GCHQ, said that no official-tier organizations or anyone who handles information classified as "secret" or higher - in short, anyone in the national security space - should use software built in Russia. But it took a much more balanced view of Kaspersky Lab, saying that for most users, cybercrime was much more of a concern than potential Russian intelligence operations.
"We really don't want people doing things like ripping out Kaspersky software at large, as it makes little sense," Ian Levy, NCSC's technical director, wrote at the time.
NCSC said there was almost no Kaspersky Lab software in use by U.K. government agencies.
Risk Management Questions
Some security professionals say governments' focus on Kaspersky Lab products has been short on facts, especially because - in theory - any endpoint security software built by any vendor could be exploited to seize control of a system (see Anti-Virus Conspiracy Theories Cut Both Ways).
Jaya Baloo, CISO for KPN, a Dutch landline and mobile telecommunications company, says there's been no evidence produced to substantiate any of the claims - or worries - concerning Kaspersky Lab.
"We're not sure what's really going on," she tells ISMG.
Politics vs. Technology
Baloo says that KPN carefully evaluates all software that it uses - including penetration tests and source code verification - to ensure that it's behaving as advertised, but says the political rhetoric around Kaspersky Lab has been devoid of such technical nuance.
"There hasn't been a lot of account taken of the actual technical setup, the architecture of how you can use an anti-virus product," she says. "You could theoretically use a detection of an AV vendor without having to send information back to them, whether or not you detected something they may have observed, and there's ways to configure your setup where that you can verify that in practice.
"What I feel is, we can figure this out technically, but it's not a technical issue; it's a political issue."