The head of the UK National Cyber Security Centre (NCSC) has sent an open letter to government agencies in the UK wanrng them against using Russian IT security products.
According to the letter, Ciaran Martin, CEO of the NCSC, said that there was an “issue of supply chain risk in cloud-based products, including anti-virus (AV) software."
He added that agencies “need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself.”
Martin singled out Russia in his letter. “As the Prime Minister's Guildhall speech set out, Russia is acting against the UK's national interest in cyberspace. The NCSC advises that Russia is a highly capable cyber-threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations.
“Russia has the intent to target UK central Government and the UK's critical national infrastructure. However, the overwhelming majority of UK individuals and organisations are not being actively targeted by the Russian state, and are far more likely to be targeted by cyber-criminals,” he said.
The letter did not call for a complete ban on using security products from Russia, but added that when choosing products, it recommended against using any products from the country.
“In drawing this guidance to your attention today, it is our aim to enable departments to make informed, risk-based decisions on your choice of AV provider. To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used,” said Martin.
He added that this would also apply to some Official tier systems as well, for a small number of departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information.
Martin also mentioned Russian IT security vendor Kaspersky Lab. He said that his organisation was in discussion with the firm over the development of a framework that can be independently verified and “which would give the Government assurance about the security of their involvement in the wider UK market.
“In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state. We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions,” he said.
The news comes as it was announced by Barclays that it has stopped offering Kaspersky anti-virus products to new online banking customers following the warning.
It said in a statement that it has “made the precautionary decision to no longer offer Kaspersky software to new users, however there's nothing to suggest that customers need to stop using Kaspersky.”
In a statement to the press, a Kaspersky spokesperson said that the firm “fully agrees that supply chain risk management is critical to information security, and therefore, we look forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab's products and services."