The CEO of Europe's National Cyber Security Center announced new guidelines regarding supply-chain risk in the cloud.
He focused on the power of anti-virus software from a single nation: "The specific country we are highlighting in this package of guidance is Russia," says CEO Ciaran Martin.
Here are two key points the EU's NCSC made in the announcement:
"The job of AV is to detect malware in a network and get rid of it. So to do its job properly, an AV product must (a) be highly intrusive within a network so it can find malware, and (b) be able to communicate back to the vendor so it knows what it is looking for and what needs to be done to defeat the infiltration. It is therefore obvious why this matters in terms of national security."
"To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used."
The center's CEO says the organization is in conversations with Kaspersky Lab about a framework that would let the NCSC and others have verifiable measures that information is not being transferred to the Russian Government.
We can usually count on Eugene Kaspersky to have a response on Twitter. Well, here it is: