UK NCSC Chief Warns of Supply Chain Risk from Anti-Virus (AV) Software Products
The UK’s National Cyber Security Center (NCSC) has warned against the use of UK government and government agencies using Kaspersky Lab products. The ban is not as forthright or as explicit as September’s DHS ban on U.S. government agencies using Kaspersky; but it will, for the time being at least, have a similar effect in the UK.
On Friday, NCSC chief Ciaran Martin wrote to permanent secretaries (the most senior civil servants in a UK government ministry) warning about the issue of supply chain risk in cloud-based products. In this sense it is a general warning that all security officers would do well to heed. The NCSC is not a regulator and cannot insist — but its guidance will undoubtedly be observed.
The warning focuses on Russia and explicitly calls out Kaspersky Lab.
“The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central Government and the UK’s critical national infrastructure,” Martin wrote. “However,” adds the letter, “the overwhelming majority of UK individuals and organisations are not being actively targeted by the Russian state, and are far more likely to be targeted by cyber criminals.”
The unstated implication is that consumers can carry on using Kaspersky Lab, but that government — or indeed any organization that processes information classified SECRET and above — should never use a Russia-based AV provider. This idea is expanded in an associated blog post from Ian Levy, the NCSC technical director. He comments, “We see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals.” In fact, he goes further: “We really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.”
However, there is also a silver lining for Kaspersky Lab in this warning. Kaspersky is specifically named only twice towards the end of the letter to the permanent secretaries. Firstly, the letter states that the NCSC is in discussion with the Russian firm “about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market.” Secondly, the letter adds that the NCSC will be transparent about the outcome of these discussions, and “will adjust our guidance if necessary in the light of any conclusions.”
This is an approach that Kaspersky Lab has already offered to the U.S. government. In July 2017 Kaspersky Lab offered to give its source code to the U.S. government for analysis. “Anything I can do to prove that we don’t behave maliciously I will do it,” said CEO Eugene Kaspersky. There is precedent for such code review in the UK. In October, Kaspersky launched a Global Transparency Initiative whose goal is to help the company clear its name following the reports about its inappropriate ties to the Russian government.
Chinese firm Huawei’s network products are effectively banned in the U.S. over fears that they could contain backdoors capable of leaking sensitive information back to China. These products are not banned in the UK — largely down to the operations of a building, commonly known as The Cell, in the market town of Banbury. Here the NCSC has oversight of Huawei source code, and engineers reverse engineer the code looking for flaws and backdoors. Huawei has been given a green light in the UK.
If Kaspersky Lab and the NCSC can come to a similar arrangement with the anti-virus code, then a UK accommodation with Kaspersky Lab might be possible. Eugene Kaspersky is optimistic, tweeting on Saturday, “Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together.”
It will not be easy. Analyzing firmware in a hardware product is easier than analyzing the flow of traffic into and through the cloud; and it is noticeable that the NCSC’s primary concern is “the issue of supply chain risk in cloud-based products.”
“By definition,” explains cyber security researcher and consultant Stewart Twyneham, “anti-virus software needs to have total access to a computer in order to prevent infection — and modern quarantine mechanisms will often upload suspect viruses to the cloud so that researchers can learn more. This is alleged to have happened in the case of Nghia Hoang Pho back in 2015 — who copied secret NSA security exploits onto his home computer, which was running Kaspersky’s anti-virus.”
Pho was charged and pleaded guilty late last week to removing and retaining top-secret documents from his employer, the NSA. The suggestion is that Russian intelligence learned of the presence of this data through automatic uploads of suspect malicious files to Kaspersky’s cloud, and then hacked into Pho’s computer. How Russian intelligence learned of the NSA files is what is unknown and is the cause for concern. But since this sort of knowledge cannot come from a code review, the possibility even if not the probability of a clandestine relationship between Kaspersky Lab and Russian intelligence can never be proven one way or the other.
If a Kaspersky Lab code review by NCSC finds no back doors or flaws in the software, it is still unlikely to change NCSC guidance over top secret documents. However, since there will be little interest from Russian intelligence in standard consumer computers, it could lead to a tacit acceptance guide for any user outsid
e of government. Further, since the NCSC has promised to be transparent in any findings, that tacit acceptance could be interpreted as explicit acceptance for all users outside of government.
In March of this year, the NCSC warned about “the potential for hostile action against the UK political system.” Without confirming that the main threat is from Russia, the letter makes it clear that the primary threat is considered to be that country.