Following the NCSC advice, will the UK follow suit of the US and ban Kaspersky software?
Barclays bank has followed suit of the US and stopped offering Kaspersky security software after an official warning from the National Cyber Security Centre.
Emailing a total of 290,000 online banking customers the bank said the action was a ‘precautionary measure’ on the grounds that Kaspersky’s software could have connections to the Russian Government, posing security risks to firms.
Within the email the bank outlined its advice to remove any Russian products from highly sensitive systems, classified as secret or above, and Barclays removed the option for customers to obtain free Kaspersky software, but advised those with the software already that they did not need to take any action.
Following security threats and concerns over Kaspersky’s products, the NCSC has offered advice against the use of Kaspersky’s products from Government departments in a bid to prevent the transfer of UK data to the Russian state.
The NCSC has concerns around Kaspersky Lab having a connection with Russian Intelligence and worries Russian bodies could get hold of sensitive information that could either be exploited or used against companies.
The NCSC issued a warning to the British Government and government organisations not to use the software, telling them Kaspersky’s software could be exploited by Kremlin.
“In the national security space, there are some obvious risks around foreign ownership. It is therefore obvious why this matters in terms of national security. We need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself,” said Ciaran Martin, CEO the NCSC, said.
After growing concerns Kaspersky Lab has connections with Russian Intelligence, seen as a major threat to Government organisations and bodies, it has been advised not to continue using the software and is no longer being offered by companies who have a history of offering it to customers.
The NCSC has been in talks with Kaspersky Lab hoping to develop an alternative framework. In this development the NCSC wants the ability to verify the software and its safety, giving the Government promise about the security with the wider market.
A document from NCSC said: “In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.”
Such allegations have been somewhat damaging for Kaspersky already after the security company’s anti-virus software was banned from U.S. government networks in September this year over concerns Kaspersky Lab has close connections to Russian Intelligence and its software could be used to allow spying.
“We are concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian Networks,” the Department of Homeland Security (DHS) in the US said.
Ahead of the NCSC’s document against the anti-virus software in the US the DHS said: “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”
Following allegations Kaspersky could have connections with Russian Intelligence agencies, Kaspersky’s CEO, Eugene Kaspersky, has denied these cases and any involvement or connection through the software stating that any connection with Russian Intelligence would “kill the business”.
After the NCSC document was published this weekend and Barclays withdrawing offering the software Eugene Kaspersky tweeted:
Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together
— Eugene Kaspersky (@e_kaspersky) December 2, 2017
During a time that is already politically tense between the US and Russia, allegations over Kaspersky’s software further issues on both sides. Concerns and tension have spread across to the UK, as Barclays remove software offerings for customers and the NCSC offers a recommendation in light of concerns.
Martin said: “The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption, and influence operations. Russia has the intent to target UK central Government and the UK’s critical national infrastructure. “
Regarding the UK the NCSC continues to aim for a solution to the problem to bring a better more secure framework to Government bodies in a bid to better protect organisations, especially following the series of cyber-attacks across organisations and businesses such as the extensive malware overhaul of WannaCry against the NHS, Uber’s data breach along with the likes of Yahoo! and Equifax.
NCSC said: “Conclude: We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.”