A branch of the UK intelligence forces has sent out a letter to UK government departments and agencies about the use of Russian antivirus software to protect computers that store classified information.
Ciaran Martin, CEO of the UK National Cyber Security Centre (NCSC), has signed the letter. The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the country's official intelligence and security agency.
Martin made the letter publicly available on Friday, December 1. In it, he warned government departments about "the issue of supply chain risk in cloud-based products, including anti-virus (AV) software."
Specifically, Martin warns that some agencies might have unwittingly included products in their software portfolios from companies residing in "hostile states."
Martin then references a speech from the UK Prime Minister, and says that "Russia is acting against the UK’s national interest in cyberspace."
As such, UK government agencies should be wary of using software products from Russia. Out of all products, Martin highlights antivirus software because of the intrusive, full access an antivirus needs on the computers where it is installed.
The official stopped short of calling for an outright ban of Russian software on UK government computers but said that for some systems, choosing a Russian antivirus product may not be wise, and recommended against it.
Martin didn't tiptoe around the elephant in the room and said the NCSC is currently having discussions with Kaspersky Lab. The talks were confirmed by Eugene Kaspersky, Kaspersky Lab's CEO.
"Let me stress: there is *no* ban for KL products in the UK. We are in touch with NCSC regarding our Transparency Initiative, and I am sure we will find the way to work together," Kaspersky said on Friday.
The Kaspersky Lab CEO is referencing the company's Transparency Initiative, a program it set up in late October that allows government agencies to review the company's security software for backdoors.
Kaspersky set up the program after the US government had been stressing that Kaspersky cooperated with Russian cyberspies, who used a backdoor in the antivirus product to steal classified material.
Kaspersky has always denied the accusations, but in mid-September, the DHS issued a directive that banned Kaspersky software on US DOD systems.
Ironically, on Friday, the US DOJ charged a former NSA employee with taking NSA-developed cyber-weapons home. Kaspersky hinted that this was the actual source of the leak of US secret documents. The company issued a report claiming the man most likely ran a Kaspersky antivirus on his home PC, which did its job and flagged the suspicious NSA files, uploading the malware to its servers.
Martin's email warning shows a balance that was lacking in US government communications.
The NCSC CEO said that "the vast majority of organizations and individuals are more likely to face cyber attack from criminals, against which AV products provide important protection."
Instead, it's probably not a wise idea to use software developed in your enemy's country to protect your deepest secrets. This train of thought makes more sense than a blanket ban on just one product.
UPDATE [November 3, 2017]: A Bleeping Computer reader has shared an email he received from British bank Barclays on the topic: