Government told ‘Step away from anything Kaspersky’

Guidance ‘agreed with MI5’, which is the responsible authority for investigating Russian espionage in the UK and is the NCSC’s key partner on protective security advice to the British state

Posted 4 December 2017 at 8:44am by

Though framed as a general warning about limiting risk in the government supply chain, there’s no doubt what the biggest takeaway is from new government advice to the public sector:

Stop using Kaspersky security software – or, as the advice more formally puts it, the NCSC is “in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the government assurance about the security of their involvement in the wider UK market”.

On Friday, the National Cyber Security Centre issued a set of guidelines for Permanent Secretaries around what it dubs “the issues of supply chain risk in cloud-based products”.

In it, the body’s CEO Ciaran Martin says anti-virus (AV) software as a possible source of danger “is receiving a lot of attention at the moment”. For that reason, he says, the NCSC is issuing “specific guidance” that is applicable to every organisation in the UK, which it will be promoting within both Whitehall and stakeholder organisations.

The bottom line follows from the way AV products work: they need both to be highly intrusive within a network, so they can find malware, and to be able to communicate back to the vendor, so they know what they are looking for and what needs to be done to defeat the infiltration. As the guidance puts it, “We need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself.”

And as the NCSC sees Russia as “a highly capable cyber threat actor which uses cyber as a tool of statecraft”, including “espionage, disruption and influence operations”, and believes Russia “has the intent to target UK central Government and the UK’s critical national infrastructure”, for government systems processing information classified SECRET and above, a Russia-based provider should never be used.

This will also apply to some Official tier systems, for a small number of Departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information, the guidance adds. But this initial guidance is aimed only at central government, it states, and “we are not recommending action beyond central Government at this preliminary stage”.

It adds that this guidance has been agreed with MI5, the responsible authority for investigating Russian espionage in the UK and the NCSC’s key partner on protective security advice to the British state.

The Centre has also published a detailed blog by its Technical Director, Ian Levy, which gives more technical background to the decision.

The NCSC was set up to help protect our critical services from cyber attacks, manage major incidents, and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations, and its vision is to “help make the UK the safest place to live and do business online”.