Guidance comes amid the Russia-Ukraine war and explores the likelihood of Russian products and services being used by the state to damage UK interests.

The technical director of the UK National Cyber Security Centre (NCSC) has urged UK organisations to reconsider the potential risks associated with “Russian-controlled” parts of their supply chain. The guidance comes from Ian Levy amid the Russia-Ukraine war and explores the likelihood of Russian commercial products and services being used by the Russian state to cause damage to UK interests.

No evidence of Russian subordinance but threats remain

“We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence,” Levy wrote in a blog posting. “The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”

Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB) and the pressure to do so may increase in a time of war, he added. “We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”

Certain organisations at higher risk of Russian supply chain threats

Certain organisations using Russian-nexus products should reconsider the risk of Russian-controlled parts of their supply chain as part of their overall business risk management, Levy said. Specifically, these are businesses providing services to Ukraine, services related to critical infrastructure or doing work that could be seen as counter to the Russian state’s interests, he added.
“If you are more likely to be a target for the Russian state because of what’s going on, then it would be prudent to consider your reliance on all types of Russian technology products or services,” Levy said. “If you use services that are provided out of Russia (including development and support services), then you should think about how you could insulate yourself from compromise or misuse of these services. This is true whether you contract directly with a Russian entity, or it just so happens that the people who work for a non-Russian company are located in Russia.”

Regardless of whether you’re a likely target, ongoing global sanctions could mean that Russian technology services and support for products may have to be stopped at a moment’s notice. “This would bring a new set of risks. Enterprises should consider how such an event would affect their resilience and consider plans for mitigation.”

Removing Russian products a balance of risk

The question of whether businesses should continue to use Russian products and services is a pertinent one, and UK organisations may choose to remove them proactively, wait until contracts expire, or do so in response to the geopolitical events. Alternatively, businesses may choose to live with the risk, Levy wrote. Whatever decisions are made, cybersecurity remains a balance of different risks. “Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent,” he warned.

As for specific Russian products, Levy cited queries over the use of Kaspersky anti-virus – something that Germany’s BSI recently warned against over spying concerns. He said that it remains highly unlikely that individuals and most enterprises will be targeted by Russian cyberattacks regardless of whether they use Russian products and services.
“However, you may need to move to a new AV product if Kaspersky itself becomes subject to sanctions, since the AV product would likely stop getting updates (and AV software is only effective if it’s updated regularly).”

Ultimately, the conflict has changed the world order and the increased risk and uncertainty aren’t going away any time soon, he added. “The best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans,” Levy concluded.