The UK’s National Cyber Security Centre (NCSC) has advised users of Russian technology products and services to reassess the risks they present.
In advice that builds on 2017 guidance about technology supply chains that include links to hostile states, NCSC technical director Ian Levy stated that the agency has not found evidence “that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests.”
But he added that “the absence of evidence is not evidence of absence” – so “it would be prudent to plan for the possibility that this could happen.”
Think about how you could insulate yourself from compromise or misuse of Russian technology
In 2017, the NCSC’s advice was that “some UK government and critical national systems” were at risk from Russia, and that “systems with a national security purpose” should not use Russian products. The advice suggested that the “wider public sector, more general enterprises, or individuals” had nothing to worry about.
Not any more.
The new advice wants the entire public sector to rethink its exposure to Russian tech products and services. Critical infrastructure service providers, and “organisations or individuals doing work that could be seen as being counter to the Russian State’s interests”, also need to rethink their exposure.
So do organizations providing services to Ukraine. High-profile organizations that, if compromised, would be trophies for Moscow have also been put on alert.
Organizations that use services provided out of Russia “should think about how you could insulate yourself from compromise or misuse of these services,” the advice states, naming development and support services as offerings to consider. “This is true whether you contract directly with a Russian entity, or it just so happens that the people who work for a non-Russian company are located in Russia,” the post adds.
“If you are more likely to be a target for the Russian state because of what’s going on, then it would be prudent to consider your reliance on all types of Russian technology products or services (including, but not limited to, cloud-enabled products such as AV),” the advice warns.
The document includes a short section on security software vendor Kaspersky, which is rated as representing no threat to individual users “at the moment”. That could change if the Russian state decides to act through the company, or if sanctions on Kaspersky disrupt its operations in ways that prevent updates to its AV products from reaching customers.
Ironically, given that an un-updated AV product is itself unpatched software, unpatched software remains one of the NCSC’s big three risks. The others are poor network configuration management and poor credential management.
“We know these are the most common causes of compromises, including those we (and our partners) have attributed to the Russian state,” Levy’s post states.
But the illegal invasion of Ukraine means addressing those three weak points must now be joined by consideration of exposure to Russian tech. ®