There’s been a lot of speculation about foreign involvement in the UK supply chain recently. Supply chain security is hard. And I mean really hard. I thought it would be a good idea to set out how we at the NCSC think about some of this stuff, specifically supply of products.
It’s always fun to talk about the omnipotent and omniscient hackers, and the super-sneaky espionage attacks they can perform. But, for most people and enterprises, the biggest risks remain:
- not keeping software up to date
- poor network configuration management
- poor credential management
Most of the incidents that have caused actual harm to the UK have been caused by one of these problems. In general, we should concentrate on getting those fixed before worrying about really clever and risky supply chain interdictions from other states.
A flag is a poor indicator of trust
In supply chain security, the country of origin matters, but isn’t everything. We've said for years that in today’s technological environment, virtually every significant network incorporates foreign technology. The globalised nature of technology development, the inclusion of third party components, the mobility of talent and anti-discrimination laws all mean that a flag is a poor indicator of trust.
Of course, if a supplier is headquartered in a country which has a record of attacking the UK and our allies in cyberspace, then that is something we must worry about. But it’s much more complicated than saying 'company A is from naughty country X so we should use company B from nice country Y instead'. Today we’re publishing some guidance on how cloud-enabled products should be assessed by enterprises. This guidance isn’t trivial, because it’s not a trivial problem.
Lots has been said about antivirus (AV) products of late. To be able to do its job, any AV product needs lots of access to your machine, and you have to trust the AV developers to:
- write secure code that can’t be compromised
- protect their development network from attack
- ensure that virus signatures don’t break your system
An AV product also has to be in almost constant communication with the vendor’s systems, and this access could (in theory) be abused by someone in the company that supplied it, regardless of where they’re headquartered.
But what’s the motivation for doing so?
Obviously, that depends on whether you’re a government user working in national security, or an individual member of the public. Given the right legal framework and motivation, you can easily imagine such access being suborned to spy on another government.
'States spying on states' is one of the oldest professions in the world, but it always takes considerable time, effort and planning to do well. Would anyone realistically expect a government to go to the same lengths and risks to access data from machines belonging to most individual members of the public in another country? It doesn’t seem likely, as the vast majority of the public aren’t targeted by any nation state, and are much more likely to be harmed by criminals.
Why are we writing this guidance now?
The main reason for writing this guidance is that we’ve had requests for advice from UK organisations. The Prime Minister set out very clearly in her Mansion House speech that the Russian state is acting against the UK’s national interest in cyberspace. It follows that we need to do everything we can to reduce the risk of successful Russian attack, and this is much, much more complicated than just trying to take companies with Russian flags out of your supply chain.
There’s a comprehensive strategy to counter cyber attacks from all adversaries, and the National Cyber Security Strategy sets out the totality of the capabilities we use to protect the UK. As part of that, we provide advice based on evidence and rigour, not hyperbole and fear. Of course, Russia isn’t the only country that poses a threat to the UK, and it's not just AV products that (theoretically) can be abused. That’s why our guidance is both country and technology agnostic.
Product-based and nation-scale risks
So what does this mean for Russia-based AV and similar products? Given we assess that the Russian state commits cyber attacks against the UK for a number of reasons, we believe some UK government and critical national systems are at increased risk. Considering how an AV product could be abused - and the potential impact if it were - we need to focus our attention on managing this important risk effectively. We approach this in two ways: managing product-based risks and managing national-scale risks.
For the first part, we engage companies who we believe could pose a risk and explore how to work together to mitigate those risks sufficiently. Ultimately, this will be done in an evidence-based and transparent way. This is the approach we are taking with Kaspersky Labs; we're discussing whether a framework can be developed (that we and others can independently verify) that provides the UK with assurance about the security of their involvement in the wider UK market. If we can't develop solutions with these suppliers that we feel mitigate the risk to UK national security, other solutions will be needed. If we can, Russia will still be a threat to UK government and critical systems, and they’ll sometimes be successful. We need to make sure they’ll have to work hard and that there’s a good chance of them being caught quickly.
For the second part, Ciaran Martin has written to all Permanent Secretaries highlighting the risks as we see them, and advising them to make an informed, risk-based decision around cloud-enabled products that they use on their own networks (or that are being used in the sectors they care about). He's advised that systems with a national security purpose should not use products that could be exploited easily by the Russian government through supply chain interdiction. The Russian state has a similar stance in terms of its use of Western products, so there’s not much asymmetry here. Many departments already manage these risks well; there’s almost no installed base of Kaspersky AV in central government. Beyond this relatively small number of systems, we see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals.
Complex and nuanced guidance - because it needs to be
Our advice in this space is a bit complex and nuanced. That’s because it’s a complex problem with lots of nuances. Whatever you do, don’t panic. For example, we really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.
As we’ve said before, people and enterprises have a finite budget for security, whether that’s money, time, change or whatever. Let’s use this budget wisely and concentrate on fixing the things that we know are responsible for successful compromises.
Technical Director, National Cyber Security Centre