A guidance note published
last Friday and distributed to permanent secretaries of government departments,
addressed “The issue of supply chain risk in cloud-based products, including
anti-virus (AV) software” and explained “how departments should approach the
issue of foreign ownership of AV suppliers.”
The advice is simple:
“… where it is assessed that access to the information by the
Russian state would be a risk to national security, a Russia-based AV company
should not be chosen. In practical terms, this means that for systems
processing information classified SECRET and above, a Russia-based provider
should never be used.”
The guidance stated that its decision “will also
apply to some Official tier systems as well, for a small number of departments
which deal extensively with national security and related matters of foreign
policy, international negotiations, defence and other sensitive information.”
The letter added that the National Cyber
Security Centre is “in discussions with Kaspersky Lab … about whether we can
develop a framework that we and others can independently verify, which would
give the Government assurance about the security of their involvement in the
wider UK market.”
“In particular we are seeking verifiable
measures to prevent the transfer of UK data to the Russian state.”
The guidance continued: “We will be transparent
about the outcome of those discussions with Kaspersky Lab and we will adjust
our guidance if necessary in the light of any conclusions.”
The guidance quickly caused other problems for
Kaspersky's UK outfit, as British banking giant Barclays has written to
customers to advise it's discontinuing an offer of free Kaspersky software for
users of its online banking services.
The letter, shared with The Register by
a reader explains the decision as follows:
The UK Government has been advised by the National Cyber Security
Centre to remove any Russian products from all highly sensitive systems
classified as secret or above.
We've made the precautionary decision to no
longer offer Kaspersky software to new users, however there's nothing to
suggest customers need to stop using Kaspersky.
The letter said customers need take no action
and should ensure they run AV software.
Kaspersky Lab said, in a statement sent to The
Register, that it "appreciates the collaborative, risk
management-based approach taken by the NCSC with regards to identifying and
mitigating any potential information security risks involved in the sourcing of
IT products."
"Kaspersky Lab fully agrees that supply
chain risk management is critical to information security, and therefore, we
look forward to continuing our dialogue with the NCSC to develop a framework
that can independently verify and provide assurance of the integrity of
Kaspersky Lab’s products and services."
We have also sought comment regarding Barclays'
actions and will update this story if further information becomes available.
Culled from: The
Register
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDelete