Yana Toom. Cyber defence: Paet in a china shop

05/07/2018

At the last Strasbourg plenary session, with 476 votes in favour, the European Parliament approved the report on cyber defence of Urmas Paet (Reform Party).

A day later, Kaspersky Lab stopped its cooperation with Europol and the NoMoreRansom initiative that Kaspersky had co-founded and that revealed several major cybercrime cases in Europe, including blackmailing of over a billion euros.

What is the connection? It is simple: the text of Paet´s report contained an amendment by the Polish MEP Anna Fotyga (EPP) calling for a ban on the use of malicious software by the EU, „such as Kaspersky Lab's products”.

Despite of the position of the ALDE group and my colleague Paet on this issue, I did not support the report, inter alia, because of the mentioning of Kaspersky Lab. In a written explanation of vote * (enclosed below), I noted that there is no evidence that the company itself has created or distributed malicious software, and we have no right to destroy the reputation of a business on a political whim. As somebody later wrote on Twitter: "Seen Kaspersky getting flagged in several places due to being Russian. Really sad to see actually..".

But as it turned out later, Paet´s report did not only harm the reputation of Kaspersky Lab, but also the cyber security of the European Union. The fact is that for several years Kaspersky cooperated with Europol in the field of cyber defence and co-founded the NoMoreRansom initiative (that has uncovered a number of major cybercrime cases), but after the report, Kaspersky Lab announced the end of all cooperation. It came as no surprise, for it would have been strange to continue charity for those who, flared up by political vigilance, sling mud at you.

It is noteworthy that the European Commission has previously stated that they do not have any information about any risk related to Kaspersky Lab.

Kaspersky Lab is an international company with headquarters in Moscow, operating in more than 200 countries around the world. The company specializes in cybersecurity and anti-virus software development. The founders of the NoMoreRansom project were the Dutch police (cybercrime unit), Europol cybercrime division, and two companies - Kaspersky Lab and McAfee. The purpose of the initiative was to help victims of cybercrime recover their encrypted data without having to pay the perpetrators.

On Monday, 2 June, I sent a request to Executive Director of Europol Catherine de Bolle, to find out her position on this matter. Despite the fact that the report lacks legislative power (this is a so-called initiative file, which is a series of non-binding recommendations), it already has serious consequences. Urmas Paet and his political allies may be celebrating hitting the target, but in reality, in football terms, they scored an "own goal."

MEP Yana Toom´s explanation of the vote on (Cyber defence (A8-0189/2018):

The report contains accusation which are not always well-founded.

For example, in cases of public-private partnerships, the report suggests that the EU needs review software to exclude malicious software from use in institutions. It is logical that public institutions should not use potentially dangerous programmes, but unfortunately the report makes a direct reference to Kaspersky Lab and deems its software as malicious, which is an incorrect accusation. The problem of Kaspersky Lab lies in the fact that it is a company subject to Russian jurisdiction. Russian legislation allows for the government to ask companies to perform tasks for the secret service. This creates a potential risk of interference from a foreign government, rather than the software being malicious.

To mention Kaspersky Lab in the context of malicious software is not only inaccurate, it is also damaging the reputation of the company without a real purpose.

For these reasons, I could not vote in support of this report and have abstained. I proceed from the fact that the report of the Parliament cannot include groundless accusations, assumptions and guesses. Considering our fight against fake news, any report should be based on publicly available and verifiable information.