- Nov 15, 2016
- 867
After US Allegations Against Kaspersky Lab, UK Responds
Consider Country of Origin For Some AV Use Cases, British Government Advises
The British government has taken a cue from the U.S. government's concern about Kaspersky Lab's anti-virus software. The U.K.'s National Cyber Security Center, which advises organizations on cybersecurity matters and is part of intelligence agency GCHQ, now recommends that British government agencies that handle certain types of classified information not use anti-virus software developed by any Russia-based organization.
See Also: How to Scale Your Vendor Risk Management Program
But in a step that goes beyond the NCSC's advice, banking giant Barclays says it will no longer give its customers free copies of Kaspersky's anti-virus software.
The NCSC, however, has stressed that most organizations should carefully consider their own potential risks before opting to ditch Kaspersky's software. Its advice differs from the United States, where the government first advised against procuring Kaspersky and then completely banned it from government networks in early September (see Kaspersky Software Ordered Removed From US Government Computers).
The NCSC's warning will have little immediate effect on Kaspersky Lab. Ian Levy, NCSC's technical director, notes in a blog post that there's almost "no installed base of Kaspersky AV in [U.K.] central government."
But the new guidance could further dim Kaspersky Lab's opportunities for future U.K. sales, both in the government and for large contracts, such as with banks. And the NCSC's recommendation represents yet more bad news for Kaspersky Lab, which has strongly refuted allegations that the Russian government may have co-opted its software to serve as a search engine for other governments' secrets.
Tarnished Darling
Kaspersky Lab's anti-virus product is widely regarded as one of the most capable offerings on the market. Led by the gregarious Eugene Kaspersky, a software engineer turned entrepreneur, the company has a research team that has uncovered some of the world's most sophisticated hacking groups, including Equation, which is widely believed to be the U.S. National Security Agency's offensive hacking team.
But the software company's reputation has been tarnished after anonymous U.S. officials suggested that using its software might put users at risk. In October, Israeli intelligence agents reportedly told the U.S. government that they had hacked into Kaspersky Lab's infrastructure and found that Russian hackers were already there, monitoring the company's communications with endpoints.
Because anti-virus software has deep access to an operating system and the ability to copy files, such applications remain attractive targets for hackers (see Yes Virginia, Even Security Software Has Flaws).
The Kaspersky Lab saga became more complex after the company said that its consumer anti-virus software had flagged and collected four classified documents and NSA-developed malware from the home computer of an NSA analyst in 2014. The analyst, Nghia Hoang Pho, pleaded guilty to mishandling classified material (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).
Kaspersky has said that it detected malware on the home PC that it thought might be connected with the Equation Group. As with other anti-virus software, Kaspersky Lab's software collected the suspicious files and sent them back to headquarters for analysis.
When researchers realized what had been collected and informed Eugene Kaspersky, he says that he ordered the material to be deleted, the company said last month following an in-depth investigation into the incident. But the U.S. government alleges that the material ended up in the hands of the Russian government after the analyst's computer was further targeted (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software).
Recommendation: Not For Secrets
The British government has now reacted to these allegations.
"There's been a lot of speculation about foreign involvement in the U.K. supply chain recently," Ian Levy, technical director of the U.K. National Cyber Security Center, says in a blog post.
In a letter to the permanent secretaries of U.K. government bodies, Ciaran Martin, head of the NCSC, writes that Russian anti-virus products should not be used for certain official-tier organizations or anyone handling information classified as "secret" or higher. But most systems, he says, are not at risk.
"Russia has the intent to target U.K. central government and the U.K.'s critical national infrastructure," Martin writes. "However, the overwhelming majority of U.K. individuals and organizations are not being actively targeted by the Russian state, and are far more likely to be targeted by cybercriminals."
Because of the "highly intrusive" nature of anti-virus software and the fact that most products send data and information back to a vendor, "that's why the country of origin matters," Martin writes.
"It isn't everything, and nor is it a simple matter of flags - there are Western companies who have non-Western contributors to their supply chain, including from hostile states," he writes. "But in the national security space there are some obvious risks around foreign ownership."
Don't Panic
In a separate blog post, Levy - the NCSC's technical director - says that the agency's advice is "a bit complex and nuanced" but stresses that no one should panic. "For example, we really don't want people doing things like ripping out Kaspersky software at large, as it makes little sense," he writes.
Future efforts may also ease any lingering concerns. Martin says that the NCSC is in discussions with Kaspersky Lab that are focused on developing a framework that could be used to verify that U.K. data isn't transferred to the Russian state.
"We will be transparent about the outcome of those discussions with Kaspersky Lab, and we will adjust our guidance if necessary in the light of any conclusions," Martin writes.
In a statement, Kaspersky Lab says it "looks forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab's products and services."
Barclays Bails
Some British users of Kaspersky Lab products, however, have already cut ties with the company. British bank Barclays, for example, has withdrawn an offer to its customers to receive a free copy of Kaspersky Lab's anti-virus software, Reuters reports.
Many banks have deals with anti-virus companies to offer free security software, which reduces the risk of bank-related fraud that starts with malicious software infections.
In response to the Barclays move, Kaspersky Lab says it is "disappointed Barclays has decided to discontinue offering Kaspersky Lab anti-virus to new customers. It's very important to note that the NCSC is not encouraging consumers or businesses against using Kaspersky Lab software."
Consider Country of Origin For Some AV Use Cases, British Government Advises
The British government has taken a cue from the U.S. government's concern about Kaspersky Lab's anti-virus software. The U.K.'s National Cyber Security Center, which advises organizations on cybersecurity matters and is part of intelligence agency GCHQ, now recommends that British government agencies that handle certain types of classified information not use anti-virus software developed by any Russia-based organization.
See Also: How to Scale Your Vendor Risk Management Program
But in a step that goes beyond the NCSC's advice, banking giant Barclays says it will no longer give its customers free copies of Kaspersky's anti-virus software.
The NCSC, however, has stressed that most organizations should carefully consider their own potential risks before opting to ditch Kaspersky's software. Its advice differs from the United States, where the government first advised against procuring Kaspersky and then completely banned it from government networks in early September (see Kaspersky Software Ordered Removed From US Government Computers).
The NCSC's warning will have little immediate effect on Kaspersky Lab. Ian Levy, NCSC's technical director, notes in a blog post that there's almost "no installed base of Kaspersky AV in [U.K.] central government."
But the new guidance could further dim Kaspersky Lab's opportunities for future U.K. sales, both in the government and for large contracts, such as with banks. And the NCSC's recommendation represents yet more bad news for Kaspersky Lab, which has strongly refuted allegations that the Russian government may have co-opted its software to serve as a search engine for other governments' secrets.
Tarnished Darling
Kaspersky Lab's anti-virus product is widely regarded as one of the most capable offerings on the market. Led by the gregarious Eugene Kaspersky, a software engineer turned entrepreneur, the company has a research team that has uncovered some of the world's most sophisticated hacking groups, including Equation, which is widely believed to be the U.S. National Security Agency's offensive hacking team.
But the software company's reputation has been tarnished after anonymous U.S. officials suggested that using its software might put users at risk. In October, Israeli intelligence agents reportedly told the U.S. government that they had hacked into Kaspersky Lab's infrastructure and found that Russian hackers were already there, monitoring the company's communications with endpoints.
Because anti-virus software has deep access to an operating system and the ability to copy files, such applications remain attractive targets for hackers (see Yes Virginia, Even Security Software Has Flaws).
The Kaspersky Lab saga became more complex after the company said that its consumer anti-virus software had flagged and collected four classified documents and NSA-developed malware from the home computer of an NSA analyst in 2014. The analyst, Nghia Hoang Pho, pleaded guilty to mishandling classified material (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).
Kaspersky has said that it detected malware on the home PC that it thought might be connected with the Equation Group. As with other anti-virus software, Kaspersky Lab's software collected the suspicious files and sent them back to headquarters for analysis.
When researchers realized what had been collected and informed Eugene Kaspersky, he says that he ordered the material to be deleted, the company said last month following an in-depth investigation into the incident. But the U.S. government alleges that the material ended up in the hands of the Russian government after the analyst's computer was further targeted (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software).
Recommendation: Not For Secrets
The British government has now reacted to these allegations.
"There's been a lot of speculation about foreign involvement in the U.K. supply chain recently," Ian Levy, technical director of the U.K. National Cyber Security Center, says in a blog post.
In a letter to the permanent secretaries of U.K. government bodies, Ciaran Martin, head of the NCSC, writes that Russian anti-virus products should not be used for certain official-tier organizations or anyone handling information classified as "secret" or higher. But most systems, he says, are not at risk.
"Russia has the intent to target U.K. central government and the U.K.'s critical national infrastructure," Martin writes. "However, the overwhelming majority of U.K. individuals and organizations are not being actively targeted by the Russian state, and are far more likely to be targeted by cybercriminals."
Because of the "highly intrusive" nature of anti-virus software and the fact that most products send data and information back to a vendor, "that's why the country of origin matters," Martin writes.
"It isn't everything, and nor is it a simple matter of flags - there are Western companies who have non-Western contributors to their supply chain, including from hostile states," he writes. "But in the national security space there are some obvious risks around foreign ownership."
Don't Panic
In a separate blog post, Levy - the NCSC's technical director - says that the agency's advice is "a bit complex and nuanced" but stresses that no one should panic. "For example, we really don't want people doing things like ripping out Kaspersky software at large, as it makes little sense," he writes.
Future efforts may also ease any lingering concerns. Martin says that the NCSC is in discussions with Kaspersky Lab that are focused on developing a framework that could be used to verify that U.K. data isn't transferred to the Russian state.
"We will be transparent about the outcome of those discussions with Kaspersky Lab, and we will adjust our guidance if necessary in the light of any conclusions," Martin writes.
In a statement, Kaspersky Lab says it "looks forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab's products and services."
Barclays Bails
Some British users of Kaspersky Lab products, however, have already cut ties with the company. British bank Barclays, for example, has withdrawn an offer to its customers to receive a free copy of Kaspersky Lab's anti-virus software, Reuters reports.
Many banks have deals with anti-virus companies to offer free security software, which reduces the risk of bank-related fraud that starts with malicious software infections.
In response to the Barclays move, Kaspersky Lab says it is "disappointed Barclays has decided to discontinue offering Kaspersky Lab anti-virus to new customers. It's very important to note that the NCSC is not encouraging consumers or businesses against using Kaspersky Lab software."