
Managing supply chain risk in cloud-enabled products

Created:  01 Dec 2017
Updated:  01 Dec 2017
Author:  Ian Levy
Part of:  Cloud security
Antivirus

There’s been a lot of speculation about foreign involvement in the UK supply chain recently. Supply chain security is hard. And I mean really hard. I thought it would be a good idea to set out how we at the NCSC think about some of this, specifically the supply of products.

It’s always fun to talk about the omnipotent and omniscient hackers, and the super-sneaky espionage attacks they can perform. But, for most people and enterprises, the biggest risks remain:

  • not keeping software up to date
  • poor network configuration management
  • poor credential management

Most of the incidents that have caused actual harm to the UK have been caused by one of these problems. In general, we should concentrate on getting those fixed before worrying about really clever and risky supply chain interdictions from other states.

A flag is a poor indicator of trust

In supply chain security, the country of origin matters, but it isn’t everything. We’ve said for years that in today’s technological environment virtually every significant network incorporates foreign technology. The globalised nature of technology development, the inclusion of third party components, the mobility of talent and anti-discrimination laws all mean that a flag is a poor indicator of trust.

Of course, if a supplier is headquartered in a country which has a record of attacking the UK and our allies in cyberspace, then that is something we must worry about. But it’s much more complicated than saying 'company A is from naughty country X so we should use company B from nice country Y instead'. Today we’re publishing some guidance on how cloud-enabled products should be assessed by enterprises. This guidance isn’t trivial, because it’s not a trivial problem.

Lots has been said about antivirus (AV) products of late. To be able to do its job, any AV product needs deep, privileged access to your machine, and you have to trust the AV developers to:

  • write secure code that can’t be compromised
  • protect their development network from attack
  • ensure that virus signatures don’t break your system

An AV product also has to be in almost constant communication with the vendor’s systems, and this access could (in theory) be abused by someone in the company that supplied it, regardless of where they’re headquartered. In practical terms, every endpoint trusts whatever the vendor’s update infrastructure sends it to change what the product does at high privilege, so a compromise of the vendor’s build or update systems is a compromise of every customer. That is why the second point above matters so much.

But what’s the motivation for doing so?

Obviously, that depends on whether you’re a government user working in national security, or an individual member of the public. Given the right legal framework and motivation, you can easily imagine such access being suborned to spy on another government.

'States spying on states' is one of the oldest professions in the world, but it always takes considerable time, effort and planning to do well. Would anyone realistically expect a government to go to the same lengths and risks to access data from machines belonging to most individual members of the public in another country? It doesn’t seem likely, as the vast majority of the public aren’t targeted by any nation state, and are much more likely to be harmed by criminals.

Why are we writing this guidance now?

The main reason for writing this guidance is that we’ve had requests for advice from UK organisations. The Prime Minister set out very clearly in her Mansion House speech that the Russian state is acting against the UK’s national interest in cyberspace. It follows that we need to do everything we can to reduce the risk of successful Russian attack, and this is much, much more complicated than just trying to take companies with Russian flags out of your supply chain.

There’s a comprehensive strategy to counter cyber attacks from all adversaries, and the National Cyber Security Strategy sets out the totality of the capabilities we use to protect the UK. As part of that, we provide advice based on evidence and rigour, not hyperbole and fear. Of course, Russia isn’t the only country that poses a threat to the UK, and it's not just AV products that (theoretically) can be abused. That’s why our guidance is both country and technology agnostic.

Product-based and nation-scale risks

So what does this mean for Russia-based AV and similar products? Given we assess that the Russian state commits cyber attacks against the UK for a number of reasons, we believe some UK government and critical national systems are at increased risk. Considering how an AV product could be abused, and the potential impact if it were, we need to focus our attention on managing this important risk effectively. We approach this in two ways: managing product-based risks, and managing national-scale risks.

For the first part, we engage companies that we believe could pose a risk and explore how to work together to mitigate those risks sufficiently. Ultimately, this will be done in an evidence-based and transparent way. This is the approach we are taking with Kaspersky Labs; we’re discussing whether a framework can be developed (one that we and others can independently verify) that provides the UK with assurance about the security of their involvement in the wider UK market. If we can’t develop solutions with these suppliers that we feel mitigate the risk to UK national security, other solutions will be needed. Even if we can, Russia will still be a threat to UK government and critical systems, and they’ll sometimes be successful. We need to make sure they’ll have to work hard, and that there’s a good chance of them being caught quickly.

For the second part, Ciaran Martin has written to all Permanent Secretaries highlighting the risks as we see them, and advising them to make an informed, risk-based decision around cloud-enabled products that they use on their own networks (or that are being used in the sectors they care about). He's advised that systems with a national security purpose should not use products that could be exploited easily by the Russian government through supply chain interdiction. The Russian state has a similar stance in terms of its use of Western products, so there’s not much asymmetry here. Many departments already manage these risks well; there’s almost no installed base of Kaspersky AV in central government. Beyond this relatively small number of systems, we see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals.

Complex and nuanced guidance - because it needs to be

Our advice in this space is a bit complex and nuanced. That’s because it’s a complex problem with lots of nuances. Whatever you do, don’t panic. For example, we really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.

As we’ve said before, people and enterprises have a finite budget for security, whether that’s money, time, change or whatever. Let’s use this budget wisely and concentrate on fixing the things that we know are responsible for successful compromises.

Ian Levy

Technical Director, National Cyber Security Centre

32 comments

miles - 04 Dec 2017
What is guidance for companies that support Government sector, assuming there is a domino effect into other businesses?
Ian Levy - 05 Dec 2017
Miles,

Thanks for your question. We'd expect the affected departments to talk to their supply chain and let them know what they need to do.
Jon Edwards - 05 Dec 2017
All straightforward until you confused me with the following:

'He's advised that systems with a national security purpose should not use products that could be exploited easily by the Russian government through supply chain interdiction.'
and
'Many departments already manage these risks well; there’s almost no installed base of Kaspersky AV in central government.'

We know that the vast majority of central govt depts don't have systems that impact on national security therefore the statement that they don't use Kaspersky seems to contradict, or at least confuse, the suggestion that the (unacceptable) risk is only to national security systems.
Ian Levy - 07 Dec 2017
Yeah, that’s a fair point – poor drafting there. You’d actually be surprised at departments that have systems that could affect national security. However, your point stands – that last bit is a fact, but it’s not clear what the context is. It’s certainly not intended to suggest anything weird.
Eugene VAN DELSEN - 06 Dec 2017
Thank you Mr Levy for this information. Our Kaspersky AV connection agreement will end in February 2018.

As per your own advice we will not rush to ripping out Kaspersky software at large, while, as you tell us, it makes little sense.
Anyway, there exists some worry that we should be ready to envisage a secondary AV (McAfee is bombarding our PCs with their trial offers). Do you think it would be wise? This of course will bring forth the cost of a, maybe, unnecessary double "protection".
Thank you for your good advice.

Ian Levy - 07 Dec 2017
Thanks Eugene. We would recommend that you do NOT run two AV products on the same machine. They’re reasonably likely to conflict, the upfront cost and ongoing management cost will be potentially large and you’re not going to get a significant increase in protection. Different AV products on, say, clients and email gateways can make sense in some scenarios.
Jenny Vass - 06 Dec 2017
Thank you for the really clear information and sensible advice.
Tanya - 06 Dec 2017
As a member of the public who uses Kaspersky on my home computer, I really appreciate the tone of this post and how you've laid it out clearly for the layperson. Thanks for your no-nonsense, no-hyperbole approach, and I'll keep up with your latest recommendations.
neal - 06 Dec 2017
I have already renewed my contract on 26/11/17; would this action cancel my contract? Thanks.
Ian Levy - 07 Dec 2017
Neal, unless you fall into one of the categories we talk about (those who may be of interest to the Russian state, or someone who could have an impact on national security) then there’s no need to cancel your contract.
Charles Miller - 06 Dec 2017
Knowing who to trust is becoming increasingly difficult, but at this time my belief in Kaspersky's integrity stands very much higher than my belief in the integrity of either the UK or US present governments, both of which are in alarmingly chaotic states, or in Barclays for that matter, and I will maintain my present faith in Kaspersky until credible reason for change is presented. For now, I have no doubt that spying and interference is a two-way process that all countries engage in and that commercial spying and data gathering by UK and US is the greatest - and an as yet un-addressed - threat to personal cyber security and in that respect Kaspersky scores far better than our governments and its agencies.
Ian Levy - 08 Dec 2017
Trust is a personal belief state so no-one can comment on your view of who you trust. However, trustworthiness is more evidence based, and that’s what our guidance tries to help people work through.
Ann King - 06 Dec 2017
The article was well written and self explanatory for the likes of me.
John Ridyard - 06 Dec 2017
I believe we may be looking for Reds under our beds here ... Russia needs the rest of the world's commerce to work ... however rival AV companies ... they might love Kaspersky to fail .. more revenue for them. Personally I am more concerned that my service provider is being swallowed up by an American mega-company
Colleen Needham - 06 Dec 2017
What should ordinary consumers do, if we have purchased Kaspersky products, to protect us while on the internet etc.?
Ian Levy - 12 Dec 2017
Nothing. You’re fine to continue using the product you’ve chosen.
Pat Melia - 06 Dec 2017
So there is no need for me to uninstall Kaspersky from my home laptop?
Ian Levy - 12 Dec 2017
Unless you’re in one of the very specific groups we talk about, then there is no need for you to uninstall it.
Glynn Trow - 06 Dec 2017
Instead of telling us Kaspersky may not be secure, how about solving the problem and giving us something to use instead?
Ian Levy - 12 Dec 2017
We didn’t say that Kaspersky was insecure. We gave guidance for how to choose products that communicate with their vendor (which includes all antivirus) and also said that a small section of government systems shouldn’t use products from Russia. We also explicitly say that this recommendation doesn’t apply outside of national security systems. That’s hardly saying that the product is insecure!
ALBERT SHARPLES - 06 Dec 2017
As a home user and customer of Barclays I have used Kaspersky for a number of years and would like to continue using them. I still have 11 months to go with them and would like to continue with them when my contract expires. As a home user I have faith in Kaspersky and hope to be able to continue with them.
Ian Levy - 12 Dec 2017
As the blog says, unless you’re in the specific group of people and systems related to national security, you should feel free to continue to use the product on your home PC.
Nokka - 07 Dec 2017
What a great way to build tarnished relationships with Russia!
Ken Dickinson - 07 Dec 2017
Kaspersky is a brilliant antivirus; it's kept my computer virus-free for years, plus there's nothing on my computer to interest me!! Never mind the Russians, so keep it going Kaspersky.
David W - 08 Dec 2017
Kaspersky has been voted the best AV software on the market by several bodies for the past few years. These supporters include the computer magazine "ComputerActive" which I have found to be a trustworthy and interesting publication. Who should I trust now, the government or the owners of "ComputerActive"? I really do not trust Barclays (or any other bank) which has given pathetically low interest rates on savings for several years, playing with other people's money, paying their executives more in one year than "normal working people" can expect to earn in a lifetime ... Kaspersky was one of the "benefits" of banking with Barclays ... will Barclays offer another "free" anti-virus software package now that we are told we should not trust them?
Keith - 09 Dec 2017
Barclays' knee-jerk reaction! They have not explained the theoretical risk to ordinary Barclays account users.
Other, probably more knowledgeable, sources are confirming the "no need to strip out" advice.
I am sticking with Kaspersky as reviewers are still maintaining the highest protection rating for this product post the Barclays withdrawal.
Gina - 10 Dec 2017
I have recently renewed my contract through Barclays. I am sorry that Barclays are no longer continuing this offer as I like this program and I feel secure with it. When I renew next year I will have to pay, I am just hoping it is not out of my budget to buy it.
Patricia - 12 Dec 2017
I feel safe with Kaspersky as I have used it for several years and only just renewed mine, so please keep going Kaspersky.
Tony Page - 17 Dec 2017
What is extremely frustrating is that the Kaspersky software that many people are using on home computers and have commented on has been running for years successfully on their PCs and they - like me - do not want to change to another product. Barclays, who have offered this software free to account holders, have yet to tell us what they are going to use as an alternative but say they will not be offering Kaspersky anymore. This means that I have to either pay for something that works extremely well in future or accept something else that may be an inferior product because of 'scare mongering' by certain people. It also, as mentioned by others, means that Kaspersky's competitors get a 'leg up' in selling their software as an alternative. Perhaps Barclays should make an effort to let people know sooner rather than later what their alternative offering is going to be so people can have time to make a judgement on whether this is acceptable or whether to 'pay' to keep Kaspersky. Anyway, if there is no real risk to home users as suggested in these articles then why are Barclays stopping the Kaspersky free software offer anyway (anyone from Barclays looking at this feed feel free to answer).

Jules Anderson - 20 Dec 2017
Ian - great explanation of a complex matter that impacts organisations across the UK.

Having read this, and Ciaran's letter to the PS' I believe that we are 'between a rock and a hard place' with this type of threat, Kaspersky themselves were attacked by a nation state or so the speculation goes. We may think 'what comes around goes around' but never great to be on the receiving end of an attack as we know from WannaCry etc this year.

The real concern for us all is that the Digital Economy needs Trust, needs systems and tools, as well as advice to navigate a safe way through this type of threat, actual or perceived. The NCSC has to play a major role working with industry and use commercial products to bring Digital Trust into the mainstream vocabulary of Enterprise and Government. If these are friendly flag products then great, but ultimately there is still the fear of digital espionage.

So if you are able to determine how big the rock is, then give us all a chance to go and find the hard place...

Good luck in continuing to get the message out in a measured and clear way.
john mike - 22 Jan 2018
Very useful post, thanks for uploading.
Priyanka Rai - 16 Aug 2018
Nice article.
