The National Cyber Security Centre (NCSC) has warned against using antivirus products from Russian vendors, issuing new guidelines for organisations that use cloud-enabled services.

The guidelines set out precautions on how to mitigate risks associated with cloud services, particularly within departments dealing with national security, foreign policy and other democratically-sensitive matters.

It follows statements by Prime Minister Theresa May that Russia is “acting against the UK’s national interest in cyberspace”.

The NCSC pointed out that anti-virus software presents a significant cyber-attack vector due to the high level of access it requires to the network. It added that an anti-virus product under the control of a hostile force could be used to extract highly sensitive information from that network.

“In drawing this guidance to your attention today, it is our aim to enable departments to make informed, risk-based decisions on your choice of AV provider,” Ciaran Martin, CEO of NCSC, said in a statement.

“To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen.”

In the wake of the recommendations, the NCSC has entered into discussions with Russian anti-virus provider Kaspersky Lab about their involvement in the UK market.

Kaspersky Lab has a significant presence in the UK with its popular anti-virus software, which could be threatened in the wake of the NCSC’s latest guidance.

“In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state,” Martin said.

“We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.”

Barclays bank has since stopped offering Kaspersky Lab’s anti-virus software to new customers. A spokesperson from the firm said they see no compelling case at present to extend that advice to the wider public sector, more general enterprises, or individuals… “We really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.”

The NCSC has published a list of recommendations for organisations to help them mitigate the risks of cloud-based services.

This includes considering whether to allow remote access to the network, reviewing what information the product can access and carrying out independent investigations to identify information flows that can’t be accounted for.

The NCSC also recommended reviewing contractual agreements with vendors, pointing out that software permissions could “give them scope to do whatever they wish to your systems and data in future”.

The new guidance specifically targets central government organisations dealing with classified information related to national security or critical national infrastructure. However, an NCSC spokesperson said it had written to all government departments, including the Department of Health, to warn against using Russia-based anti-virus providers.

Speaking to Digital Health News, Dan Taylor, director of NHS Digital’s Data Security Centre, said: “We are reviewing the National Cyber Security Centre’s latest guidance on cloud-enabled products against our own guidance in this area. We will update our guidance if necessary to ensure it aligns with the NCSC’s recommendations.

“We are also planning to review our cloud guidance against the new Data Protection Bill (2018) and the EU directive on the security of Networks and Information Systems, known as the NIS Directive, when they are issued next year.”

Since being established in October 2016, the NCSC has been working closely with NHS Digital to help it deal with cyber security threats more effectively.

Martin said that the most important thing departments can do to protect against threats in cyberspace is to get the basics right.

“Care in the selection of AV providers is just one part of an overall approach to managing risks to national security, but what will determine the success or otherwise of departments against the full range of cyber threats is keeping patching up to date, having good monitoring mechanisms, and all the other basics of good cyber hygiene we are promoting with your teams.”