Kaspersky Lab software could put state secrets at risk, warns NCSC
The UK’s National Cyber Security Centre is telling Whitehall chiefs to avoid using the firm's antivirus software on computers dealing with sensitive information – but the Moscow-based company denies it has ties to the Kremlin
Cyber-security products from Russian-based firms should never be used by government computer systems processing the most sensitive types of information, the National Cyber Security Centre (NCSC) has said.
Software from Russian-based firms, including popular antivirus protection from the Moscow-based provider Kaspersky Lab, has not been verified by the NCSC as safe to use and might be being used to extract sensitive data and relay it to the Kremlin.
The decision to single out a particular nation state in a warning note issued shortly before the start of the weekend marks a change of tone from the NCSC, whose technical director Ian Levy refused to be drawn on which countries were in the frame for cyber mischief when he was interviewed by E&T about the subject earlier this year.
Though Levy has stressed the issue is “complex and nuanced” and has urged people to stay calm, a letter to permanent secretaries – the civil service heads of government departments – from his boss, Ciaran Martin, makes clear: “The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central government and the UK’s critical national infrastructure.”
Martin said the NCSC “advise[s] that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based antivirus company should not be chosen”. The warning does not apply to the public at large, only to government departments.
In a succinct explanation for his decision to issue the warning, Martin said that in order to do its job effectively, antivirus software had, by its very nature, to be “highly intrusive within a network” and able to “communicate back to the vendor” – whose operatives, in the case of Kaspersky Lab, are headquartered in the Russian capital.
He added: “That’s why the country of origin matters. It isn’t everything, and nor is it a simple matter of flags – there are Western companies who have non-Western contributors to their supply chain, including from hostile states. But in the national security space there are some obvious risks around foreign ownership.”
Trade in military hardware between the UK and Russia is already banned, and the latest concerns around transactions in the cybersecurity sphere follow Prime Minister Theresa May’s Guildhall speech on 13 November, in which she warned Russia: “We know what you’re doing.”
Kaspersky Lab has strongly denied allegations that its products are unsafe or that it has ties to the Russian government, saying it has become a scapegoat in the midst of rising tensions between Washington and Moscow.
British bank Barclays said on Saturday it had stopped offering Kaspersky antivirus products to customers as a precautionary measure. In terms of antivirus software, Kaspersky Lab is by far the largest Russian player in the UK marketplace.
The NCSC says it is currently in discussions with Kaspersky Lab about the possibility of developing a “framework” allowing for the agency and others to independently verify the firm’s technology in order to give the UK government assurance about security.