The decree arrives on Friday evening directly from the Council of Ministers e puts Kaspersky out of action for fear that its software could be used against the same customers it serves in Italy. Obviously in the provision, pending the publication in the Official Journal of the final version, Kaspersky is not mentioned, but it speaks of how the cyber security of the country could be put at risk by the use of Russian software – of which Kaspersky is the leading producer -, because the companies in Moscow could stop providing updates and, therefore, expose Italian customers to greater risks, and ask for their replacement .
In the decree that in art. 28 of Chapter II speaks of Strengthening of the regulation on cybersecurity the motivation can be read: “In order to prevent damage to the security of networks, information systems and IT services of public administrations, these proceed promptly to diversify the products in use, also through negotiated procedures. The purchase procedures will concern certain categories of sensitive products and services such as antivirus, antimalware, endpoint detection and response (EDR) applications and web application firewall (WAF). The same words from the recommendation of the National Cybersecurity Agency that we had already reported. A “technical” motivation, therefore, which, however, fails to hide the political meaning of the choice.
In the communiqué of the Prime Minister’s Office, the decree is aimed at strengthening the discipline of the control of foreign investments in Italy and at reformulating the exercise of the special powers vested in the Government (the so-called “golden power”), in light of the increased strategic value of some sectors and the need to strengthen the administrative structures involved and therefore concerns both the cloud and 5G.
A big blow, not only for Kaspersky which in Italy has fifty employees and a significant portion of its business, but for the complexity of implementing an action of this kind, both for the long times it implies, and for the risk of making the Italy temporarily more vulnerable to attack within the time frame of its software replacement. We talked about it with those directly involved, interviewing Cesare D’Angelo, general manager of Kaspersky in Italy.
Dr. D’Angelo, the Italian authorities consider Russian technologies and therefore also your IT protection systems a danger. Agree?
“No one has ever demonstrated our specific responsibilities in this regard. Unfortunately, the geopolitical scenario has also affected our technologies but we want to reaffirm our willingness to work with the institutions and continue to protect Italy from current threats. We are the ones who have discovered the largest number of APTs (the ‘advanced persistent threats’, ed.) Of Russian origin and we are a fundamental player for national and global security ”.
However, the decree announced yesterday aims to replace your products in the PA. Do you consider the move by the Italian authorities to be an understandable gesture?
“This news leaves us apprehensive because it would create an anti-competitive precedent in a free market like the Italian one.
There is no objective fact that makes us believe our products worthy of such attention. But these events risk having an impact also for customers and suppliers. Since operations are not planned, a period of vulnerability is to be expected from this replacement
Our customers are concerned about the economic and social impact of this choice. The country would do without a major player. We are deciding how to react in the face of this economic and reputational damage ”.
Could you calculate the economic damage of the loss of the Italian market?
“A huge damage but less than the reputational damage which is incalculable. Kaspersky, indicated as an enemy when we have been on the market for twenty-five years and in Italy for 14, is really ugly ”.
But how long does it take to eliminate Kaspersky from Italy?
Not short. With the migration of administrations to other protection platforms, especially without tests and verifications, Italy would be left less defended. The publicity of this initiative is already attracting the attention of cybercriminals and could make the Italian PA more vulnerable.
Is it possible to spy on a user through a security solution such as an antivirus?
“Antivirus solutions, by themselves, do not need functions to spy on the user and indeed, they are designed to do the opposite. If a product contained them, it would be something additional not strictly necessary for the detection functions.
As far as our products are concerned, the absence of these features is verifiable from the source code.
The security software have privileged access to the various objects present in a system, but they exploit these privileges to analyze the objects, categorize them and in case of detections they notify the detection information to the servers (in our case only if authorized by the users).
Our services are protected following the best practices in the field of information security and the procedures are verified by third party entities. We are not leaders or monopolists and our prices are made in the races, sometimes we win or lose, but we are not the only player. We are always ready to show our work and our products. “
Is it possible to engineer an antivirus to make it ignore some malware?
“In our software there are mechanisms that automatically identify the threat, both at the client and cloud level and there are algorithms developed and refined through years of research and improved by years of activity with machine learning. It is not possible to modify them without bypassing the verification and integrity mechanisms that are upstream and on whose protection the company has invested a lot, segregating the software development, testing and compilation processes, having them certified by independent consultants and also relocating geographically around the world. Furthermore, the consistency of the verification and integrity mechanisms is verifiable in the Transparency Centers such as the one in Zurich.
A more plausible scenario is that the attackers try to circumvent the automatic mechanisms, which all criminals try to do on a daily basis, but we also do manual analysis of the code and this work is carried out by analysts located in various countries around the world. and not influenced by the interests of a single country “.
Do you spy on the data of Italians and European users in any other way? The Privacy Guarantor has opened an investigation on your products.
“Absolutely not. The initiative of the Guarantor is legitimate and is a good opportunity to respond officially to the doubts raised “.
Are user data transferred outside the European Union (for example to the Russian Federation) or in any case made accessible to third countries?
“Italian data is managed by Zurich, Switzerland, a non-EU European country but compliant with the GDPR with the highest levels of privacy in the world“.
Have you had requests for the acquisition or communication of personal data, referring to Italian users, by government authorities of third countries?
“We do not make information about our customers available to third governments.”
How do you get out of this situation? Is there a direction behind your criticisms?
“For several years, Kaspersky has been appointed by some governments and competitors to question the validity and credibility of the company in an instrumental way. However, they are isolated cases. Today the historical moment is different and we need to have a more attentive eye than before. We are not a government company and have no ties to the Russian government. I don’t know if there is a direction against us, in fact I know what we have done and what we have responded to the clients ”.
Critics argue that in order to try to mitigate the certain loss of important market shares and the brain drain from the company, you should carry out a transfer of the company to European Community territory, perhaps with a listing on a Community stock exchange. Have you thought about it?
“No, we didn’t think about it, ours is a global company with 30 offices in 200 countries and 80% of Kaspersky’s business is outside Russia. The holding’s headquarters are in London and most of the colleagues are Russian because that country allows access to an expert market. In Moscow there is the headquarters with the top management while the Great Team is spread over 20 countries with 40 people and most of the team is in Europe “.
Relocating from Russia in a professional way could affect the competitive nature of your economic offer
“There is no such hypothesis. There is a business continuity that guarantees the autonomy of local structures as in Italy, where we pay taxes and are very competitive because we have an organizational model on our side that takes us away from the logic of the stock market and dividends to be paid to shareholders “.
Your founder in one open letter he told the German government that ‘war is a tragedy that has already brought suffering to innocent people and repercussions in our hyper-connected world‘. Has Russian President Vladimir Putin asked you to intervene with your assets in the ongoing war?
“Eugene Kaspersky said his answer would be no.”