In a plenary session of the European Parliament that will be held today in Strasbourg, France, members of the European Parliament (MEPs) will vote on a motion for a resolution which includes a clause that may be used by EU institutions to ban the use of software programs "that have been confirmed as malicious, such as Kaspersky Lab."
The motion's purpose is to establish general guidelines for an EU-wide strategy on cyber defense. In the motion's lengthy body, there is a clause that addresses public-private partnerships.
According to clause #76, if the motion passes as proposed by the Foreign Affairs Commission, EU states are expected to review software programs that may be or have been confirmed as malicious.
The motion's text matter-of-factly refers to Kaspersky products as "confirmed as malicious," following a lead set by the US last year.
"However, in context of 'cyber-activity', the wording also has a specific meaning in technology context. So you may have an impression of a deep insight. But more likely, it may be as simple as a reactive response to public press reports," Dr. Olejnik added. "If so, this wording would further emphasize the need of informed technology policy advice in policy-making process, even at the Foreign Affairs commission. That said, performing a detailed accountancy and audit of institution and organisation should always be part of security hygiene. This includes actionable decisions after obtaining credible input regarding potential weakness."
Today's EU Parliament vote comes after three other countries have taken steps against Kaspersky Lab. Previously, the US has banned the use of Kaspersky Lab products on government computers; the UK has warned state agencies and private companies against using Kaspersky software on systems storing sensitive information; and the Dutch government decided to phase out the use of Kaspersky products on government networks.
"Policy-making process is lengthy, and at European Parliament, it takes even longer," Dr. Olejnik said.
"The continued string of action might be a cascading measure in response to the already known data, but it may as well be a consequence to the continuous pressure by the public opinion."
All the cascading bans come after US authorities have accused the Moscow-based antivirus vendor of collaborating with Russian intelligence agencies.
Kaspersky Lab has vehemently denied all accusations for the past year. The Russian company even launched a transparency program last fall through which it intended to let governments inspect the source code of its products in the hopes of clearing its reputation.
Last month, Kaspersky announced the first details about this transparency program, together with plans to move the data of its EU customers to a "Transparency Center" in Switzerland, along with its "software assembly line."
But despite Kaspersky's constant denial of spying on behalf of the Russian government, the company's reputation took a nosedive recently, as Best Buy and Office Depot pulled Kaspersky products off their stores' shelves, the company had to shut down its Washington office, and Twitter banned the company from advertising on its network.
But to be clear, the proposed EU cyber defense strategy, if approved, applies only to the use of "dangerous programs" inside EU institutions and does not target the EU commercial software market.
In the EU, the biggest repercussion of today's cyber defense strategy vote will be Kaspersky's relationship with Europol, which in the past has resulted in the arrest of countless cybercriminals and the creation of the NoMoreRansom project.
It is unclear if this partnership will be allowed to continue. Europol and Kaspersky Lab spokespersons were not available for comment on the proposed ban and the future of the partnership between the two organizations.
Eurozone experts expect a positive vote on today's A8-0189/2018 motion, mainly because the document is laden with crucial NATO cooperation clauses, cyber defense strategies, and other more important propositions. Nonetheless, even if the motion passes, the document is purely a recommendation and has no legislative power. It will still be at each EU state's discretion whether to act on it.
The A8-0189/2018 motion was the subject of a public plenary debate yesterday, June 12. The EU Parliament online portal did not contain an update indicating that the motion's text was somehow edited to remove the mention of Kaspersky as "confirmed as malicious," meaning the AV vendor is most likely the subject of an impending ban.
Another company that could face an impending ban under the same joint EU cyber defence strategy, even if not named in the motion directly, is ZTE, since the same clause also references "devices" and not software programs alone. ZTE has been accused for years of allowing the Chinese government access to its customers' data, a reason why US authorities tried to ban it earlier this year (the ZTE ban was later reversed).
UPDATE [June 13, 15:05 ET]: As expected, the EU passed the A8-0189/2018 motion. As a result of the positive vote, Kaspersky Lab announced it was pulling out of its Europol partnership and the NoMoreRansom project.
We have protected the EU for 20 years working with law enforcement leading to multiple arrests of CYBERCRIMINALS. Based upon today's decision from the EU Parliament, we are forced to freeze our cooperation with orgs including @Europol & #NoMoreRansom pic.twitter.com/7dSGn9Bycw — Eugene Kaspersky (@e_kaspersky) June 13, 2018
Correction: Article title and text updated to reflect that today's motion has no actual legislative power, and is only a guideline/strategy.