NZ intelligence agencies are not following the lead of US regulators in black-listing software from Russian company Kaspersky Lab.
That leaves an unknown number of government and other significant users to conduct their own risk assessments as the global security landscape shifts due to the war in Ukraine.
Rotorua-based Lakes District Health Board is one government entity using software from Moscow-based Kaspersky Lab to protect its clinical servers.
A spokesperson told Reseller News the DHB was working with the Ministry of Health and the National Cyber Security Centre (NCSC) to ascertain whether removal of Kaspersky anti-virus was a New Zealand Government requirement.
"If it’s removal is required, then a replacement product will be installed," the spokesperson said.
Late last month the US Federal Communications Commission added Kaspersky to its blacklist, effectively deeming it a threat to national security. That followed a 2017 ban on the use of Kaspersky software in federal information systems due to concerns about Kaspersky's links to the Russian government.
But, so far at least, the stance of New Zealand's intelligence community appears little changed since 2017.
A spokesperson for the NCSC, which is a unit of the Government Communications Security Bureau, said the services were encouraging Aotearoa New Zealand’s nationally significant organisations to consider and strengthen their cyber security readiness in response to the Russian invasion of Ukraine and the potential for increased malicious cyber activity.
"In light of the global threat environment, the NCSC recommends nationally significant organisations consider their security posture, exercise readiness, and monitor for relevant cyber security developments," the spokesperson told Reseller News.
"However, we do not prescribe systems or software or hardware to be used by government agencies."
The New Zealand Information Security Manual (NZISM) provided security guidance and risk management frameworks to be applied to mitigate information security risks, the spokesperson said.
"It includes minimum technical security standards for good system hygiene, as well as providing other technical and security guidance for government departments and agencies to support good information governance and assurance practices."
For its part, Kaspersky Lab said it was disappointed with the FCC's decision, saying it was not based on any technical assessment of Kaspersky products – that the company had continuously advocated for – but instead was made on political grounds.
Kaspersky said the move was unconstitutional, made without due process and based on unsubstantiated allegations without any public evidence of wrongdoing by the company.
In 2018, former National MP Brett Hudson asked Minister of State Services Chris Hipkins whether any government agencies used security products from Kaspersky Lab and if so, which agencies and in what specific deployments.
Hipkins did not answer that question directly. In addition to guidance from the GCSB's New Zealand Information Security Manual, he said, the Government chief digital officer ensured that ICT Shared Capability Service suppliers had appropriate security software controls in place.
"This approach ensures that risk management and information security considerations are included in agency certification and accreditation processes," Hipkins said.
The GCDO had also established an all of government security and related services panel of approved suppliers that agencies could use to assist in assessing their information security needs, he said.
"Government agencies are aware of recent reporting regarding Kaspersky Lab products and are considering whether further guidance is required," Hipkins said.
While security and related services were included in these panels, cyber security software was not.
In March, distributor Dicker Data's chief operating officer urged partners to seek alternative cyber security products to Kaspersky as the distributor ended its relationship with the Russian vendor in Australia and New Zealand.
Vlad Mitnovetski told ARN the company had to make the difficult, but just decision to cull ties with Kaspersky over the vendor's controversially "neutral" stance on Russia's invasion of Ukraine.
Kaspersky's full distribution has now been taken over by Leader, which signed an A/NZ partnership with the vendor a week before the Russian invasion.
“We, of course, are aligned with the entire Western world to do whatever we can," Mitnovetski said. "This move is basically our statement that we will not be funding this madness and terror – war – in Ukraine."
Kiev-born Mitnovetski said it was a little drop in the ocean, "but it's our stand.”
The distributor’s CEO and namesake, David Dicker, was in full support of the move, Mitnovetski said.
“He knows that sometimes people just need to stand and when war's happening, being neutral is not a position. To me, it's unacceptable."