The United Kingdom's National Cyber Security Centre has effectively banned the use of Russian anti-virus products from government departments and revealed it is trying to “prevent the transfer of UK data to the Russian state” from Kaspersky Lab software.
A guidance note published last Friday and distributed to permanent secretaries of government departments addressed “The issue of supply chain risk in cloud-based products, including anti-virus (AV) software” and explained “how departments should approach the issue of foreign ownership of AV suppliers.”
The advice is simple:
“… where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.”
The guidance stated that its decision “will also apply to some Official tier systems as well, for a small number of departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information.”
The letter added that the National Cyber Security Centre is “in discussions with Kaspersky Lab … about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market.”
“In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state.”
The guidance continued: “We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.”
The guidance quickly caused other problems for Kaspersky's UK outfit, as British banking giant Barclays has written to customers to advise it's discontinuing an offer of free Kaspersky software for users of its online banking services.
The letter, shared with The Register by a reader, explains the decision as follows:
The UK Government has been advised by the National Cyber Security Centre to remove any Russian products from all highly sensitive systems classified as secret or above.
We've made the precautionary decision to no longer offer Kaspersky software to new users, however there's nothing to suggest customers need to stop using Kaspersky.
The letter said customers need take no action and should ensure they run AV software.
Kaspersky Lab said, in a statement sent to The Register, that it "appreciates the collaborative, risk management-based approach taken by the NCSC with regards to identifying and mitigating any potential information security risks involved in the sourcing of IT products."
"Kaspersky Lab fully agrees that supply chain risk management is critical to information security, and therefore, we look forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab’s products and services."
We have also sought comment regarding Barclays' actions and will update this story if further information becomes available. ®