NCSC: Not necessarily wise to ditch Kaspersky

The UK’s National Cyber Security Centre (NCSC) has issued refreshed guidance on UK organisations’ use of technology originating from Russian companies, saying it is not at this time necessary, or necessarily wise, to discontinue use of products such as Kaspersky antivirus (AV) products.

Five years ago, the NCSC published guidance on how it approaches, understands and manages the risk behind using technology products – including cloud-enabled services – when said product or service supply chains include states hostile to the UK’s national security, such as Russia.

At that time, the NCSC said it had advised relevant departments within government to ensure they were not using Kaspersky – and its then CEO, Ciaran Martin, wrote to Westminster’s various permanent secretaries to advise them of this – and said the most pressing risks to the average enterprise were: not keeping software up to date, poor network configuration management and poor credential management.

However, NCSC technical director Ian Levy said that since the outbreak of the war in Ukraine, the context surrounding such technologies has changed, and the organisation has fielded multiple enquiries from people using Kaspersky products and services.

“We’ve had enquiries from people worried about their home IT,” said Levy. “It almost certainly remains the case that nearly all individuals in the UK, and many enterprises, are not going to be targeted by Russian cyber attack, regardless of whether they use Russian products and services.

“If your personal laptop uses Kaspersky AV or other products, it is highly unlikely to be directly targeted and it is safe to turn on and use at the moment.

“However, you may need to move to a new AV product if Kaspersky itself becomes subject to sanctions, since the AV product would likely stop getting updates, and AV software is only effective if it is updated regularly.”

Levy said there was no evidence that Russia intends to suborn Russian commercial products and services to cause damage to British interests, but that “absence of evidence is not evidence of absence”.

He added: “The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”

The NCSC is advising public sector organisations, any organisations providing services to Ukraine, high-profile enterprises that, if compromised, would “represent a PR win for Russia”, operators of critical national infrastructure (CNI), or any organisation doing work that could be perceived as counter to Moscow’s interests, for example charities and NGOs, to reconsider their risk exposure to technology of Russian origin, including Kaspersky.

The NCSC said it recognised that organisations may need to make tough choices, perhaps removing Russian products and services proactively, waiting until their contracts expire, or even choosing to live with the risk.

“Whatever you choose, remember that cyber security, even in a time of global unrest, remains a balance of different risks,” said Levy. “Rushing to change a product that is deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.

“Regardless of whether you are a likely target, ongoing global sanctions could mean that Russian technology services, and support for products, may have to be stopped at a moment’s notice. This would bring a new set of risks. Enterprises should consider how such an event would affect their resilience and consider plans for mitigation.”

The NCSC’s new guidance follows similar guidance from Germany’s cyber authorities, which drew an angry response from Kaspersky.

The longstanding company, which pioneered antivirus technology in the 1990s, said that it was being unfairly targeted for political reasons. Founder Eugene Kaspersky branded the insinuation that the company’s products were a source of risk as insulting, and pointed to its network of global transparency centres as proof positive that the company was not operating at the Kremlin’s behest.

Computer Weekly understands the NCSC has not engaged with Kaspersky through its global transparency centres on the basis that when such initiatives are run by the company in question, they can too easily be manipulated and there is no guarantee that the code you are seeing is the code being released.

Also, analysing and reviewing the code in an AV product which receives frequent updates is an arduous task that would require as many people to work on it as Kaspersky requires to develop it.

Levy added: “When we look at risk, we try to take reasonable steps to mitigate that – a transparency centre looking at hundreds of millions of lines of code, with no way to verify that is what is actually running, isn’t a useful mitigating step.”