The United Kingdom’s national cyberthreat monitoring agency is advising some of the country’s agencies to quit using Russian anti-virus software.
The warning from the National Cyber Security Centre does not single out any specific company, following the agency’s longstanding position that it does not mandate or ban any products.
NCSC head Ciaran Martin sent a public letter on Friday to the U.K.’s permanent secretaries about the “supply chain risk in cloud-based products.” Moscow-based cybersecurity company Kaspersky Lab has been under particular scrutiny in the United States for supposedly enabling Russians to steal information from intelligence authorities through software backdoors. The U.S. Department of Homeland Security ordered in September that all federal agencies purge Kaspersky software from their networks.
“The specific country we are highlighting in this package of guidance is Russia,” Ciaran writes. “The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central Government and the UK’s critical national infrastructure.”
Ciaran recommends that national agencies should consider discontinuing their use of Russian anti-virus software if they currently store data about national security threats — which would be of obvious interest to the Kremlin.
The letter stops short of banning Russian software outright. An NCSC spokesperson told Cyberscoop in October that it is not a regulator and as such, does not ban or mandate products. The agency did not signal if there was an event that prompted the change in stance. In a separate NCSC blog post, Technical Director Ian Levin wrote that the timing is tied to requests for information that agencies have been receiving from other U.K. organizations.
“We have seen an increase in Russian activity in cyberspace designed to undermine the UK,” an NCSC spokesperson told Cyberscoop by email. “NCSC judged it timely to put out some expert, evidence-based technical guidance to help enterprises make good, risk informed decisions about how to choose their software. We judged it was an opportune moment to give good expert advice for enterprises in general and to provide some very specific advice to central government departments.”
The NCSC letter does not mention Kaspersky. Currently, the NCSC is working with the Russian company to receive assurances that the company’s software is in fact safe to use in the general British market.
“We are in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market. In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state,” Ciaran wrote.
Kaspersky CEO and founder Eugene Kaspersky sent a tweet Friday night to drive this point home.
Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together
— Eugene Kaspersky (@e_kaspersky) December 2, 2017
Levin underscored that the new guidance on Russian software only applies to certain agencies and shouldn’t affect its use in other parts of government or private market.
“Many departments already manage these risks well; there’s almost no installed base of Kaspersky AV in central government. Beyond this relatively small number of systems, we see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals,” Levin writes.
Nevertheless, Barclays, a major British bank, has reportedly halted a deal offering free Kaspersky Lab software subscriptions to its customers.
“The UK Government has been advised by the National Cyber Security Centre to remove any Russian products from all highly sensitive systems classified as secret or above. We’ve made the precautionary decision to no longer offer Kaspersky software to new users, however there’s nothing to suggest that customers need to stop using Kaspersky,” Barclays said in an email to its customers.
According to the Financial Times, 250,000 Barclays customers have downloaded Kaspersky since the bank started the deal in 2008. The newspaper reported last month that Barclays was seeking to end the deal for commercial reasons, differing from the reasons the bank stated more recently.