On 14 May 2018, the Dutch cabinet instructed the central government to stop using and phasing out Kaspersky Lab’s antivirus software. Organisations that fall under the General Security Requirements for Defence Assignments (ABDO) or that fall under vital services and processes are advised to do the same. The advice does not apply to other organizations. The Cabinet also makes it clear that it only concerns the antivirus software, not the other Kaspersky Lab products and services. The Cabinet has three reasons for making this decision:
- Antivirus software has extensive and in-depth access to a computer. Such access can be misused for espionage and sabotage.
- As a Russian company, Kaspersky Lab is required by Russian law to cooperate with the government if requested to do so by the Russian intelligence services.
- The Russian Federation has an offensive cyber program. The latter means that the country is actively engaged in espionage and sabotage with the use of computers.
In a letter to the Dutch Parliament, the Cabinet refers to a precautionary measure based on fear of espionage and sabotage. In this context, the Cabinet writes that it has made its own, more stringent assessment in the context of national security. In essence, the Cabinet’s fear is that the anti-virus software of Kaspersky Lab, a company that fights malware, will itself be used as a Trojan horse or malware.
The Netherlands does not have any examples showing that Kaspersky Lab’s antivirus software has been abused. No examples are known to other (European) countries or the European Commission either. If public broadcaster KRO-NCRV successfully invokes the Government Information (PublicAccess) Act (or Wet openbaarheid van bestuur (Wob) in the Netherlands and the Freedom of Information Act (FOIA) in the USA) during a journalistic investigation, further documents become available.
Brenno de Winter of De Winter Information Solutions was asked by Kaspersky Lab to make a reconstruction of the cabinet’s precautionary measure and to analyse the three observations of the cabinet. In a time of digital operations it is logical and appropriate that the cabinet is alert to the dangers of espionage and sabotage. In terms of content and procedure, this report examines how the cabinet’s argumentation came about, to what extent Kaspersky Lab does indeed pose a threat on the basis of this argumentation, and what steps would be necessary to deal with such a threat.