In a plenary session of the European Parliament that will be held today in Strasbourg, France, members of the European Parliament (MEPs) will vote on a motion for a resolution that includes a clause to ban the use of software programs “that have been confirmed as malicious, such as Kaspersky Lab.”
This particular ban clause is included in A8-0189/2018 [1, 2, 3], a motion proposed to the European Parliament by its Foreign Affairs Commission.
The motion’s purpose is to establish general guidelines for an EU-wide strategy on cyber defense. In the motion’s lengthy body, there is also a clause that addresses public-private partnerships.
According to clause #76, if the motion passes as proposed by the Foreign Affairs Commission, EU states will be called upon and expected to review and ban software programs that have been confirmed as malicious.
Motion explicitly mentions Kaspersky as malicious software
The motion’s text matter-of-factly refers to Kaspersky products as “confirmed as malicious,” following the lead set by the US last year.
“The wording (‘confirmed’) is interesting, but to fully appreciate it you need to be aware this report has its origins in the Foreign Affairs Committee where words like that matter,” Dr. Lukasz Olejnik, an independent cybersecurity and privacy policy advisor, told Bleeping Computer yesterday.
“However, in context of ‘cyber-activity’, the wording also has a specific meaning in technology context. So you may have an impression of a deep insight. But more likely, it may be as simple as a reactive response to public press reports,” Dr. Olejnik added. “If so, this wording would further emphasize the need of informed technology policy advice in policy-making process, even at the Foreign Affairs commission. That said, performing a detailed accountancy and audit of institution and organisation should always be part of security hygiene. This includes actionable decisions after obtaining credible input regarding potential weakness.”
EU following the US, UK, and Netherlands’ lead
Today’s EU Parliament vote comes after three other countries have taken steps against Kaspersky Lab. Previously, the US banned the use of Kaspersky Lab products on government computers; the UK warned state agencies and private companies against using Kaspersky software on systems storing sensitive information; and the Dutch government decided to phase out the use of Kaspersky products on government networks.
“Policy-making process is lengthy, and at European Parliament, it takes even longer,” Dr. Olejnik said.
“The continued string of action might be a cascading measure in response to the already known data, but it may as well be a consequence to the continuous pressure by the public opinion.”
Kaspersky’s transparency program fell on deaf ears
All the cascading bans come after US authorities accused the Moscow-based antivirus vendor of collaborating with Russian intelligence agencies.
Kaspersky Lab has vehemently denied all accusations for the past year. The Russian company even launched a transparency program last fall through which it intended to let governments inspect the source code of its products in the hopes of clearing its reputation.
Last month, Kaspersky announced the first details about this transparency program, together with plans to move the data of its EU customers to a “Transparency Center” in Switzerland, along with its “software assembly line.”
But despite Kaspersky’s constant denial of spying on behalf of the Russian government, the company’s reputation took a nosedive recently, as Best Buy and Office Depot pulled Kaspersky products off their stores’ shelves, the company had to shut down its Washington office, and Twitter banned the company from advertising on its network.
But to be clear, the proposed EU ban, if approved, applies only to the use of “dangerous programs” inside EU institutions and does not target the EU commercial software market.