In a plenary session of the European Parliament that will be held today in Strasbourg, France, members of the European Parliament (MEPs) will vote on a motion for a resolution which includes a clause that may be used by EU institutions to ban the use of software programs "that have been confirmed as malicious, such as Kaspersky Lab."

This particular ban clause is included in A8-0189/2018 [1, 2, 3], a motion proposed to the European Parliament by its Foreign Affairs Commission.

The motion's purpose is to establish general guidelines for an EU-wide strategy on cyber defense. In the motion's lengthy body, there is a clause that addresses public-private partnerships.

According to clause #76, if the motion passes as proposed by the Foreign Affairs Commission, EU states are expected to review software programs that may be or have been confirmed as malicious.

Motion explicitly mentions Kaspersky as malicious software

The motion's text matter-of-factly refers to Kaspersky products as "confirmed as malicious," following a lead set by the US last year.

76. Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab;

"The wording ('confirmed') is interesting, but to fully appreciate it you need to be aware this report has its origins in the Foreign Affairs Committee where words like that matter," Dr. Lukasz Olejnik, an independent cybersecurity and privacy policy advisor, told Bleeping Computer yesterday.

"However, in context of 'cyber-activity', the wording also has a specific meaning in technology context. So you may have an impression of a deep insight. But more likely, it may be as simple as a reactive response to public press reports," Dr. Olejnik added. "If so, this wording would further emphasize the need of informed technology policy advice in policy-making process, even at the Foreign Affairs commission. That said, performing a detailed accountancy and audit of institution and organisation should always be part of security hygiene. This includes actionable decisions after obtaining credible input regarding potential weakness."

EU following the US, UK, and Netherlands' lead

Today's EU Parliament vote comes after three other countries have taken steps against Kaspersky Lab. Previously, the US has banned the use of Kaspersky Lab products on government computers; the UK has warned state agencies and private companies against using Kaspersky software on systems storing sensitive information; and the Dutch government decided to phase out the use of Kaspersky products on government networks.

"Policy-making process is lengthy, and at European Parliament, it takes even longer," Dr. Olejnik said.

"The continued string of action might be a cascading measure in response to the already known data, but it may as well be a consequence to the continuous pressure by the public opinion."

Kaspersky's transparency program fell on deaf ears

All the cascading bans come after US authorities accused the Moscow-based antivirus vendor of collaborating with Russian intelligence agencies.

Kaspersky Lab has vehemently denied all accusations for the past year. The Russian company even launched a transparency program last fall through which it intended to let governments inspect the source code of its products in the hopes of clearing its reputation.

Last month, Kaspersky announced the first details about this transparency program, together with plans to move the data of its EU customers to a "Transparency Center" in Switzerland, along with its "software assembly line."

But despite Kaspersky's constant denial of spying on behalf of the Russian government, the company's reputation took a nosedive recently, as Best Buy and Office Depot pulled Kaspersky products off their stores' shelves, the company had to shut down its Washington office, and Twitter banned the company from advertising on its network.

But to be clear, the proposed EU cyber defense strategy, if approved, applies only to the use of "dangerous programs" inside EU institutions and does not target the EU commercial software market.

Future of Kaspersky-Europol partnership uncertain

In the EU, the biggest repercussion of today's cyber defense strategy vote will be on Kaspersky's relationship with Europol, which in the past has resulted in the arrest of countless cybercriminals and the creation of the NoMoreRansom project.

It is unclear if this partnership will be allowed to continue. Europol and Kaspersky Lab spokespersons were not available for comment on the proposed ban and the future of the partnership between the two organizations.

Eurozone experts expect a positive vote on today's A8-0189/2018 motion, mainly because the document is laden with crucial NATO cooperation clauses, cyber defense strategies, and other more important propositions. Nonetheless, even if the motion passes, the document is only a recommendation and has no legislative power. It will still be at each EU state's discretion whether to act on it.

The A8-0189/2018 motion was the subject of a public plenary debate yesterday, June 12. The EU Parliament online portal did not contain an update indicating that the motion's text was somehow edited to remove the mention of Kaspersky as "confirmed as malicious," meaning the AV vendor is most likely the subject of an impending ban.

Another company that could face an impending ban under the same joint EU cyber defence strategy, even if not named in the motion directly, is ZTE, since the same clause also references "devices" and not software programs alone. ZTE has been accused for years of allowing the Chinese government access to its customers' data, a reason why US authorities tried to ban it earlier this year (the ZTE ban was later reversed).

UPDATE [June 13, 15:05 ET]: As expected, the EU passed the A8-0189/2018 motion. As a result of the positive vote, Kaspersky Lab announced it was pulling out of its Europol partnership and the NoMoreRansom project. More in our coverage, here.

Correction: Article title and text updated to reflect that today's motion has no actual legislative power, and is only a guideline/strategy.
