New guidance from the National Cyber Security Centre (NCSC) – part of GCHQ – says organisations in several key areas should reconsider the risk of using Russian-controlled products in their networks or supply chains, because of the potential for those products to be used in cyberattacks. NCSC said that Russian law already obliges companies to assist the Russian Federal Security Service (FSB), and that the pressure to do so might increase in a time of war. And while it said there was no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, the absence of evidence is not evidence of absence.

“In our view, it would be prudent to plan for the possibility that this could happen,” said Ian Levy, technical director at NCSC, in a blog post.

“You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk,” said Levy.

He added: “Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.”

NCSC said organisations providing services to Ukraine, and organisations or individuals doing work that could be seen as counter to the Russian state’s interests (which makes them retaliatory targets for cyberattacks), should consider their risk. Organisations involved in critical infrastructure, the public sector and high-profile organisations that, if compromised, could represent what NCSC describes as a ‘PR win’ for Russia are also urged to think about the risks of using Russia-linked software and technology products.
National security departments in government were advised in 2017 against using cloud-enabled products where the supply chain included states like Russia, but following the invasion of Ukraine, other organisations are also being urged to consider the risks. It’s not possible for NCSC to provide custom guidance on managing risk for every business, but it’s urging organisations to err on the side of caution, particularly if they’re more likely to be a target of Russian cyber aggression because of the invasion of Ukraine. Organisations should also consider how they could protect their network if those products or services were abused.

“This conflict has changed the world order, and the increased risk and uncertainty aren’t going away any time soon. However, the best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans,” said Levy.

NCSC also notes that any additional sanctions against Russia could mean that services are stopped at a moment’s notice, so organisations should examine how they would mitigate this.

Russian state-backed hackers are accused of being the perpetrators of several major hacking campaigns, including the SolarWinds supply chain attack. In many instances, these attacks target the lowest-hanging fruit, abusing unpatched software, weak passwords and poor network management. Organisations are urged to apply security patches and use strong passwords to help protect networks from nation-state hackers – and from other cyber criminals who use the same tactics.

One of the most widely used forms of Russian-owned software is Kaspersky antivirus. According to NCSC, individual users are highly unlikely to be targeted by any potential cyberattacks that look to abuse the software, meaning that “it’s safe to turn on and use at the moment,” according to Levy.
Nonetheless, NCSC warned that if Kaspersky were to be subject to sanctions and the antivirus software stopped receiving updates, users might need to switch to another provider. NCSC will continue to evaluate the potential risk of cyberattacks by Russia – and other hostile groups – that could target the UK. NCSC has previously issued guidance on what organisations can do to help protect their networks from cyberattacks that might occur as a result of Russia’s invasion of Ukraine.