The world’s third-largest vendor of IT security is still not safe enough for use in Whitehall, a senior government security official has told NS Tech.
Over the summer, British government officials met with Kaspersky Lab to set out their concerns about using the Russian company’s antivirus products, following claims Kremlin spies had exploited the software to steal data from the US National Security Agency. (Kaspersky denies claims it collaborated with Russia.)
But NS Tech understands the discussions, and Kaspersky’s plans, have so far failed to allay the government’s key concern: that Kaspersky’s staff in Russia could use the software to access data on a target’s computer in the UK.
The senior government security source told NS Tech: “We’re grateful to Kaspersky for working with us and being transparent. We’re aware of [the new Swiss data centre] opening and we see it as a really good step in the right direction. At the moment, that step isn’t far enough for us to change our advice.”
In May, Kaspersky announced a £12m transparency centre designed to relocate customer data from Moscow to Zurich. Due to open in 2019, the Swiss centre will also be home to the company’s software programming tools, which will be subjected to analysis by independent regulators – a first for a major antivirus (AV) vendor.
Anton Shingarev, Kaspersky’s head of public affairs, said in a statement the objective of the centre “is to address the publicly stated concerns regarding trustworthiness and transparency in the cybersecurity industry, an initiative we are committed towards”.
In December last year, Ciaran Martin, the CEO of the National Cyber Security Centre, wrote to senior civil servants, cautioning against using Kaspersky and other Russian software in central government systems. “We advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen,” Martin wrote. “In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.” Martin added that the advice extended to some “official” tier systems.
However, the NCSC did not discourage wider industry from using Kaspersky’s software. In an accompanying blog, the NCSC’s technical director, Ian Levy, said “we see no compelling case at present to extend [Martin’s] advice to wider public sector, more general enterprises, or individuals”. At the organisation’s annual review last week, Levy reiterated the statement, saying that “for most people in the country, Kaspersky is a perfectly good AV product that protects them from cyber crime”.
Shingarev said the company “is very pleased to hear that the NCSC considers Kaspersky a good product to protect people in the country from cybercrime. The latter has also been demonstrated by the numerous independent tests of our consumer and corporate products.”
“Kaspersky Lab regularly meets with NCSC representatives and is grateful for their feedback on the activities the company does; while improving our IT infrastructure and security of its products,” he added. “That feedback – along with guidance from other regulators – helped to shape our Global Transparency Initiative (GTI) aimed at increasing the trustworthiness of our products and technologies. We regularly update NCSC on developments of the GTI.”
The NCSC’s advice came after the US government announced plans to ban the company’s software from federal agencies last year. The move followed reports Russia had used its antivirus software to steal hacking tools from an NSA contractor’s home computer. Eugene Kaspersky, the company’s CEO, said the firm had never cooperated with Russia, but explained that Russian hackers may have infiltrated the company’s systems and found the NSA’s tools. Its antivirus software had allegedly correctly identified the tools as malware before uploading a copy for analysis – a routine process for AV providers.
“Even though we have an internal security team and run bug bounty programs, we can’t give a 100% guarantee that there are no security issues in our products; name another security software vendor that can,” Kaspersky said in a blogpost at the time.
The company is now seeking to overturn the US ban in court. The NSA contractor in question was sentenced to five and a half years in prison in September.
Kaspersky’s Shingarev added: “It is also important to note that Kaspersky Lab fully agrees that supply chain risk management is crucial to information security, especially when it comes to protecting critical government networks. Therefore we appreciate the collaborative, risk management-based approach taken by the NCSC with regards to identifying and mitigating any potential information security risks involved in the sourcing of IT products.
“We look forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab’s products and services. As stated in the company’s GTI initiative, Kaspersky Lab continues to partner with its stakeholders globally, including governments, as part of its ongoing commitment to protect customers from cyber threats. Trust and transparency are a challenge for the whole industry and with GTI, Kaspersky Lab is setting the benchmark.”