Russian security software company Kaspersky Lab has been having a bad few months amid allegations its signature anti-virus software scans for and identifies files of interest to Russian cyber spies. Kaspersky publicly contends a high-profile incident in which it allegedly stole classified files from a National Security Agency contractor's computer was due to dumb mistakes on that individual's part, but that hasn't stopped the US government from banning the use of the company's products at federal agencies.
AU Editor's note: Kaspersky Lab reached out to Gizmodo Australia this morning with the following statement.
“Kaspersky Lab appreciates the collaborative, risk management-based approach taken by the National Cyber Security Centre (NCSC) with regards to identifying and mitigating any potential information security risks involved in the sourcing of IT products. Kaspersky Lab fully agrees that supply chain risk management is critical to information security, and therefore, we look forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab’s products and services. As stated in the company’s Global Transparency Initiative announcement, Kaspersky Lab continues to partner with its stakeholders globally, including governments, as part of its ongoing commitment to protect customers from cyber threats.”
It’s also important to note that the NCSC is not encouraging consumers or businesses against using Kaspersky Lab software from this sentence: “…we see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals.” Taken from here.
Now, the UK appears to be warning its own workers to steer clear of Kaspersky. On Friday, the Verge reported, the U.K.'s National Cyber Security Centre issued new guidance on the risk posed by "cloud-enabled products." In a separate letter to government ministry leadership, NCSC CEO Ciaran Martin specifically name-checked "Russian antivirus companies" and wrote that agencies "need to be vigilant to the risk that an [antivirus] product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself."
"To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen," Martin wrote. "In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used."
In another post, NCSC security expert Ian Levy reminded staff that while foreign hackers pose a threat, the biggest security risk remained out-of-date software, poorly configured networks, and loss of passwords.
"In general, we should concentrate on getting those fixed before worrying about really clever and risky supply chain interdictions from other states," Levy wrote.
It's not clear whether Kaspersky is just the victim of extremely bad PR during a time when much of the West is at odds with its home country, but the company would obviously prefer not to be seen as an extension of the Russian security state. As Reuters noted, it has strongly denied any allegations of government control and says it looks forward to working with the NCSC to resolve the issue, and it's previously committed to having its code reviewed by an independent third party as well. But that didn't stop British bank Barclays from following the U.K. government's advice and dropping Kaspersky products this week, and it sounds like other clients are likely to follow.