Using Russian Security Software? UK Says Risks Have ChangedWar Alters Resiliency Requirements, Britain's National Cyber Security Center Warns
Any organization or individual using Russian security products or services should immediately review the risks such usage carries, not least in the event of Western sanctions against the providers.
So says Britain's National Cyber Security Center, in updated guidance issued Tuesday pertaining to "use of Russian technology products and services following the invasion of Ukraine." The NCSC serves as the public-facing arm of Britain's security, intelligence and cyber agency GCHQ and is the lead national incident response body.
Since the Russia-Ukraine war began, NCSC says that while Russia has continued to hit infrastructure in Ukraine with cyberattacks, it has seen no evidence suggesting that Russia has been using domestic technology or service providers to hit or disrupt targets in Britain and beyond.
But Ian Levy, NCSC's technical director, says there are no guarantees that this won't happen, and it could happen very quickly if the conflict suddenly escalates.
"In our view, it would be prudent to plan for the possibility that this could happen," he says. "In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them."
Risks Have Changed
Cybersecurity authorities in the U.K., the U.S. and beyond continue to emphasize that during the conflict, basic cybersecurity hygiene remains essential. NCSC says online attackers - including those from Russia - often seek to exploit organizations' failure to keep their software updated, to properly configure networks and to manage credentials, and this remains a concern (see: Feds Advise 'Shields Up' as Russian Cyberattack Defense).
But as the war continues, organizations also face other threats. For example, "Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war," Levy says. "We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed."
Levy says that any organization that might be targeted by Russia should "specifically consider the risk of Russian-controlled parts of their supply chain as part of their overall business risk management."
Whom might Russia target? That remains an open question, but NCSC says obvious targets might include British organizations that are in the public sector or that operate any part of the U.K.'s critical infrastructure, anyone who provides products or services to Ukraine or has taken a stance against Russia and any high-profile organization "that - if compromised - could represent a PR 'win' for Russia," Levy says.
Products called out by the NCSC for requiring careful risk consideration by organizations include anything made by Kaspersky. The release of the NCSC's guidance also follows the U.S. Federal Communications Commission this week adding Kaspersky to its list of high-risk companies, although it's not clear what real-world impact such a move might have.
In response to a request for comment on the NCSC's latest guidance, a Kaspersky spokesman tells Information Security Media Group: "While we consider this decision to be made on political rather than technical grounds, we are open to address any concerns that customers and regulators may have regarding our operations and products in a fully transparent, open and objective manner, including through Kaspersky Transparency Centers operating in Europe."
Update to 2017 Guidance
The latest guidance from NCSC updates guidance it issued in late 2017, after the U.S. banned Kaspersky for government use.
At the time, the NCSC said that no government or private organization in the national security space should be using Russian-made technology or services, including Kaspersky software. But otherwise, its advice was more measured than the American approach. In particular, Levy advised British organizations to review the supply chain risks posed by using Russian security software, rather than simply ditching the software. He also said at the time that there was "no installed base of Kaspersky AV in central government."
Shortly thereafter, one of Britain's largest banks, Barclays, said that as a "precaution" it had canceled its decade-long partnership with Kaspersky, which had offered free endpoint security software to new customers.
Fresh Advice for Individuals
The NCSC says numerous individuals continue to ask whether it's safe to use Russian software - especially Kaspersky's antivirus tools.
Levy says the risk of being hacked by or on behalf of Russia by running such software on a personal laptop or PC is likely extremely low.
"It's safe to turn on and use at the moment," Levy says.
A Kaspersky spokesman tells ISMG: "We want to thank the NCSC for the guidance related to private users and want to assure our customers that they are protected and safe with Kaspersky, as proven by independent tests."
But one bigger-picture risk is if Western governments for some reason were to suddenly sanction firms such as Kaspersky. If so, Levy says, users in Britain and allied countries may no longer be allowed to receive software or antivirus signature updates, which could put them at risk. "AV software is only effective if it's updated regularly," he says.
Enterprises: Don't Rush
Whatever organizations decide to do about any Russian technology providers or supply chain partners on which they rely, Levy urges them to develop a carefully crafted plan before acting.
"Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks," he says. "Rushing to change a product that's deeply embedded in your enterprise could end up causing the very damage you're trying to prevent."