Diversification is key. Italy and Germany jointly issued warnings about the Russian antivirus Kaspersky, and the company behind it, Kaspersky Labs.
In a note, the Italian National Cybersecurity Agency (NCA) said that in light of the Russian invasion of Ukraine, it is necessary to “consider the security implications of using information technology provided by companies linked to the Russian Federation”. Computer security suites, and especially those characterised by the “high level of invasiveness in the systems where they operate”, are themselves risky, it reads.
“Given the need to rely on such technological solutions in the digital infrastructures in use, it cannot be excluded that the effects of the [Ukrainian] conflict could compromise their reliability and effectiveness, as they could, for instance, affect the ability of supplier companies linked to the Russian Federation to ensure adequate support for their products and services.”
The alert seems to concern, without mentioning it, the best-known Russian-made antivirus, Kaspersky. The leading software has been at the centre of an international controversy over fears that the technology giant might be affected by Russian government interference.
The German warning
On the other hand, the BSI, Berlin’s intelligence agency, was far more direct in its wording. In the same hours as the NCA’s note, the Germans warned “against the use of the antivirus protection software of the Russian manufacturer Kaspersky […] BSI recommends replacing applications from Kaspersky’s antivirus protection software portfolio with alternative products,” reads the statement.
“The actions of the armed and/or intelligence forces in Russia, and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful cyber attack.”
The BSI statement goes on to note that any Russian IT producer may either conduct offensive operations itself; be forced to attack target systems against its will; be spied upon, unknowingly, as a victim of a cyber operation; or be used as a vehicle for attacks against its own customers.
All users of antivirus software can be affected by such operations. Hence, the German 007s invited companies and “other organisations” to “carefully plan and implement the replacement of essential parts of their IT security infrastructure.”
Founded in the late 1990s by Eugene Kaspersky, of Russian origin, the company produces the software security system most widely used by the Italian public administration along with most of the private sector. Kaspersky Labs is based in Moscow, where a substantial proportion of its employees work; it has repeatedly denied any ties with the Russian government and has stood by the reliability of its systems.
For some time, however, the company has been in the crosshairs of some Western governments, such as the United States and the United Kingdom. Under Donald Trump and Boris Johnson respectively, both countries decided to ban the software from all government agencies.
The NCA’s alert states that “there is no objective evidence of a decline in the quality of the technological products and services provided.” However, it did add that “in such a growing level of international conflict, one cannot disregard a re-evaluation of the risk that takes into account the changed scenario and considers the consequent adoption of mitigation measures.”
The NCA’s warning: a deeper dive
After liaising with Italy’s Cybersecurity Nucleus, the Agency issued a general recommendation: it’s best to proceed urgently towards “an analysis of the risk deriving from the cybersecurity solutions in use” and “consider the implementation of appropriate diversification strategies.”
Franco Gabrielli, one of the creators of the newly-born NCA, recently told Corriere della Sera it is necessary to “free ourselves from dependence on Russian technology.”
Among the measures indicated as “urgent” by the NCA are the securing of IT devices (“endpoint security”) and extending the reach to firewalls, antivirus, anti-malware and endpoint detection and response applications. Email services, cloud computing services and managed security services should also fall in the scope of such actions.
In order “not to weaken the protection of the organisations,” the NCA recommends never interrupting the operation of security services during this process of diversification.
Last week, the Agency’s Director Roberto Baldoni was audited by Parliament’s intelligence committee, COPASIR. On that occasion, as later reported by Chairman Adolfo Urso, officials discussed the possibility of an alignment with other European agencies, such as France’s ANSSI, which also took aim at Russian IT services in a recent statement, saying that companies “like Kaspersky may be questioned because of their ties with Russia.”