Britain’s National Cyber Security Center has advised all UK government departments to avoid using Russia-based anti-virus software, warning that it could be exploited by the Russian government.
The guidance was issued in an open letter to all UK permanent secretaries and released to the public on Saturday.
NCSC chief executive Ciaran Martin cautioned in the letter that in cases where access to the information by Russia “would be a risk to national security, a Russia-based (anti-virus) company should not be chosen.”
The guidance goes further, adding that “for systems processing information classified SECRET and above, a Russia-based provider should never be used.”
US drops Kaspersky Lab
The UK government step follows a similar move by the United States in September, when the Department of Homeland Security ordered government agencies to remove any products from Moscow-based Kaspersky Lab because of security concerns.
The company has been battling allegations that it has links to Russian spy agencies. It rejects the allegations and said in September that it doesn’t have “unethical ties or affiliations with any government, including Russia” and “has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.”
Martin, of the NCSC, said the nature of anti-virus software gave cause for extra concern.
In order to work properly, anti-virus (AV) software must “be highly intrusive within a network so it can find malware” and “be able to communicate back to the vendor,” Martin said.
“We need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself,” he said. “That’s why the country of origin matters.”
Consumers told ‘don’t panic’
The NCSC said it was in discussions with Kaspersky Lab — the largest Russian anti-virus software player in the United Kingdom — with the aim of developing a framework that it can “independently verify” in order to ensure security.
“We are seeking verifiable measures to prevent the transfer of UK data to the Russian state,” Martin said.
Martin said the guidance was for the time being directed only toward government departments because the center’s “analysis of Russian state intent is that it targets national security interests.”
The agency saw “no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals” and urged people not to be alarmed, said its technical director, Ian Levy.
“Whatever you do, don’t panic,” Levy said. “We really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.”