Russian security software company Kaspersky Lab has been having a bad few months amid allegations its signature anti-virus software scans for and identifies files of interest to Russian cyber spies. Kaspersky publicly contends that a high-profile incident, in which its software allegedly lifted classified files from a National Security Agency contractor’s computer, was due to dumb mistakes on that individual’s part, but that hasn’t stopped the U.S. government from banning the use of the company’s products at federal agencies.
Now, it seems the UK is following suit. On Friday, the Verge reported, the National Cyber Security Centre issued new guidance on the risk posed by “cloud-enabled products.” In a separate letter to government ministry leadership, NCSC CEO Ciaran Martin specifically name-checked “Russian antivirus companies” and wrote that agencies “need to be vigilant to the risk that an [antivirus] product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself.”
“To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen,” Martin wrote. “In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.”
In another post, NCSC security expert Ian Levy reminded staff that while foreign hackers pose a threat, the biggest security risk remained out-of-date software, poorly configured networks, and loss of passwords.
“In general, we should concentrate on getting those fixed before worrying about really clever and risky supply chain interdictions from other states,” Levy wrote.
It’s not clear whether Kaspersky is just the victim of extremely bad P.R. during a time when much of the West is at odds with its home country, but the company would obviously prefer not to be seen as an extension of the Russian security state. As Reuters noted, it has strongly denied any allegations of government control and says it looks forward to working with the NCSC to resolve the issue, and it’s previously committed to having its code reviewed by an independent third party as well. But that didn’t stop Barclays Bank from following the government’s advice and dropping Kaspersky products this week, and it sounds like other clients are likely to follow. [The Verge]