The UK’s National Cyber Security Centre (NCSC) on Tuesday issued guidance for individuals and organizations regarding the use of Russian technology products and services in the context of the Ukraine invasion.
Cyberattacks aimed at Ukraine and attributed to Russia have increased since Moscow started to amass troops near the Ukrainian border last year, and the attacks have continued after the war began. While Russia’s recent cyberattacks appear to be focusing on Ukraine, some Western governments are concerned that Russia could launch significant cyber operations against them in response to the recent sanctions.
The White House last week warned US companies that Russia may be preparing a major cyberattack and urged them to strengthen their systems.
The UK, on the other hand, says it has not seen — and it does not expect to see — “the massive, global cyber attacks that some had predicted.”
However, the NCSC pointed out that Russia has been known to target UK entities, and the agency in 2017 warned about the potential risks posed by the use of Russian products and services, providing Kaspersky security products as an example.
Following the start of the conflict, European governments and the United States have warned about the potential risks posed by the use of Kaspersky products. The Russia-based cybersecurity firm has claimed to be neutral in the Russia-Ukraine war and has denounced politically-motivated accusations.
In its latest guidance, the NCSC advised organizations that are more likely to be targeted by Russia due to the current situation to evaluate the risks posed by the use of Russian technology.
“You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event,” explained Ian Levy, technical director at the NCSC. “Alternatively, you may choose to live with the risk. Whatever you choose, remember that cyber security, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.”
Levy added, “Regardless of whether you’re a likely target, ongoing global sanctions could mean that Russian technology services (and support for products) may have to be stopped at a moment’s notice. This would bring a new set of risks. Enterprises should consider how such an event would affect their resilience, and consider plans for mitigation.”
The NCSC pointed out that most individual users in the UK are unlikely to be targeted by Russia and assured them that the use of Kaspersky antivirus and other products on their personal computers is safe “at the moment.” However, the agency noted that Kaspersky itself could become subject to sanctions, and that users may need to move to a different product if their current antivirus application stops receiving updates.
Kaspersky has long been in the crosshairs of governments due to alleged ties to Russian intelligence, accusations that the company has consistently denied. The NCSC has no evidence that Russia could try to use commercial products and services to cause damage to UK interests, but noted that Russian companies already have a legal obligation to assist the country’s security service and the pressure on companies could increase during the war.
“In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them,” Levy said.
According to the NCSC, organizations providing services to Ukraine, high-profile companies that could represent a “PR win” for Russia, entities doing work that interferes with Russia’s interests, and critical infrastructure organizations are particularly at risk.
Critical infrastructure organizations have been advised to contact the agency if they rely on Russian tech for the operation of their systems.