The UK’s National Cyber Security Centre (NCSC) has issued a new guidance for how the country’s various ministries should closely manage their use of antivirus software supplied by a foreign nation, such as Russia’s Kaspersky Lab.
In a letter to to heads of government ministries, NCSC CEO, Ciaran Martin said that organizations need to be vigilant to the risk that an [antivirus] product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself. He went on to specifically call out Russia, noting that the country is a highly capable cyber threat actor which uses cyber as a tool of statecraft and that in instances where government agencies have information that would pose a threat to national security should it be accessed by Russian agents, antivirus products from Russian companies should not be used.
Specifically, Martin warns that systems containing information classified as SECRET and above while some systems containing material classified as Official, should not use products that originated in Russia. Martin goes on to explain that his center is in discussions with Kaspersky Lab to develop additional, independently verifiable measures to ensure that data from the UK isn’t transmitted to Russian government.
In an accompanying blog post, the center’s technical director, Ian Levy explains that while foreign actors do pose a threat to UK national interests, it’s a complicated issue, and that in most instances, systems are weakened by avoidable risks, such as out-of-date software, poor network management, and poor credential management. He goes on to note that there’s almost no installed base of Kaspersky AV in central government and that beyond that small existing number they see no compelling case at present to extend to the general public.
The new guidance follows concerns raised in the US about the use of Kaspersky software in government agencies. In October, The Wall Street Journal reported that Russian agents obtained classified materials from the NSA by way of the software, while in May, the heads of six major intelligence agencies told the Senate Intelligence Committee that they weren’t comfortable using the software on their computers.