Russian AV

A branch of the UK intelligence forces has sent out a letter to UK government departments and agencies about the use of Russian antivirus software to protect computers that store classified information.

Ciaran Martin, CEO of the UK National Cyber Security Centre (NCSC), has signed the letter. The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the country's official intelligence and security agency.

Letter warns against software made in hostile states

Martin made the letter publicly available on Friday, December 1. In it, he warned government departments about "the issue of supply chain risk in cloud-based products, including anti-virus (AV) software."

Specifically, Martin warns that some agencies might have unwittingly included products in their software portfolios from companies residing in "hostile states."

Martin then references a speech from the UK Prime Minister, and says that "Russia is acting against the UK’s national interest in cyberspace."

As such, UK government agencies should be wary of using software products from Russia. Out of all products, Martin highlights antivirus software because of the intrusive, full access an antivirus needs on the computers where it is installed.

Letter contains advice, not a ban

The official stopped short of calling for an outright ban of Russian software on UK government computers but said that for some systems, choosing a Russian antivirus product may not be wise, and recommended against it.

To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used. This will also apply to some Official tier systems as well, for a small number of departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information.

Martin didn't tiptoe around the elephant in the room and said the NCSC is currently having discussions with Kaspersky Lab. The talks were confirmed by Eugene Kaspersky, Kaspersky Lab's CEO.

"Let me stress: there is *no* ban for KL products in the UK. We are in touch with NCSC regarding our Transparency Initiative, and I am sure we will find the way to work together," Kaspersky said on Friday.

Letter sent out after the US' recent Kaspersky ban

The Kaspersky Lab CEO is referencing the company's Transparency Initiative, a program it set up in late October that allows government agencies to review the company's security software for backdoors.

Kaspersky set up the program after the US government had been alleging that Kaspersky cooperated with Russian cyberspies, who used a backdoor in the antivirus product to steal classified material.

Kaspersky has always denied the accusations, but in mid-September, the DHS issued a directive that banned Kaspersky software on US DOD systems.

Ironically, on Friday, the US DOJ charged a former NSA employee with taking NSA-developed cyber-weapons home. Kaspersky hinted that this was the actual source of the leak of US secret documents. The company issued a report claiming the man most likely ran a Kaspersky antivirus on his home PC, which did its job and flagged the suspicious NSA files, uploading the malware to its servers.

Martin's email warning shows a balance that was lacking in US government communications.

The NCSC CEO said that "the vast majority of organizations and individuals are more likely to face cyber attack from criminals, against which AV products provide important protection."

Instead, it's probably not a wise idea to use software developed in your enemy's country to protect your deepest secrets. This train of thought makes more sense than a blanket ban on just one product.

UPDATE [November 3, 2017]: A Bleeping Computer reader has shared an email he received from British bank Barclays on the topic:

We wanted to let you know about some information relating to Kaspersky anti-virus software following the information that’s been shared in the news today. We felt it was important to share with you the decisions we’ve made, as well as some key facts.

What you need to know

The UK Government has been advised by the National Cyber Security Centre to remove any Russian products from all highly sensitive systems classified as secret or above. We’ve made the precautionary decision to no longer offer Kaspersky software to new users, however there’s nothing to suggest that customers need to stop using Kaspersky.