Blog post

Managing supply chain risk in cloud-enabled products

Created:  01 Dec 2017
Updated:  01 Dec 2017
Author:  Ian Levy
Part of:  Cloud security

There’s been a lot of speculation about foreign involvement in the UK supply chain recently. Supply chain security is hard. And I mean really hard. I thought it would be a good idea to set out how we at the NCSC think about some of this stuff, specifically supply of products.

It’s always fun to talk about the omnipotent and omniscient hackers, and the super-sneaky espionage attacks they can perform. But, for most people and enterprises, the biggest risks remain:

  • not keeping software up to date
  • poor network configuration management
  • poor credential management

Most of the incidents that have caused actual harm to the UK have been caused by one of these problems. In general, we should concentrate on getting those fixed before worrying about really clever and risky supply chain interdictions from other states.

A flag is a poor indicator of trust

In supply chain security, the country of origin matters, but isn’t everything. We've said for years that in today’s technological environment, virtually every significant network incorporates foreign technology. The globalised nature of technology development, inclusion of third party components, mobility of talent and anti-discrimination laws, means that a flag is a poor indicator of trust.

Of course, if a supplier is headquartered in a country which has a record of attacking the UK and our allies in cyberspace, then that is something we must worry about. But it’s much more complicated than saying 'company A is from naughty country X so we should use company B from nice country Y instead'. Today we’re publishing some guidance on how cloud-enabled products should be assessed by enterprises. This guidance isn’t trivial, because it’s not a trivial problem.

Lots has been said about antivirus (AV) products of late. To be able to do its job, any AV product needs lots of access to your machine, and you have to trust the AV developers to:

  • write secure code that can’t be compromised
  • protect their development network from attack
  • ensure that virus signatures don’t break your system

An AV product also has to be in almost constant communication with the vendor’s systems, and this access could (in theory) be abused by someone in the company that supplied it, regardless of where they’re headquartered.

But what’s the motivation for doing so?

Obviously, that depends if you’re a government user working in national security, or an individual member of the public. Given the right legal framework and motivation, you can easily imagine such access being suborned to spy on another government.

'States spying on states' is one of the oldest professions in the world, but it always takes considerable time, effort and planning to do well. Would anyone realistically expect a government to go to the same lengths and risks to access data from machines belonging to most individual members of the public in another country? It doesn’t seem likely, as the vast majority of the public aren’t targeted by any nation state, and are much more likely to be harmed by criminals.

Why are we writing this guidance now?

The main reason for writing this guidance is that we’ve had requests for advice from UK organisations. The Prime Minister set out very clearly in her Mansion House speech that the Russian state is acting against the UK’s national interest in cyberspace. It follows that we need to do everything we can to reduce the risk of successful Russian attack, and this is much, much more complicated than just trying to take companies with Russian flags out of your supply chain.

There’s a comprehensive strategy to counter cyber attacks from all adversaries, and the National Cyber Security Strategy sets out the totality of the capabilities we use to protect the UK. As part of that, we provide advice based on evidence and rigour, not hyperbole and fear. Of course, Russia isn’t the only country that poses a threat to the UK, and it's not just AV products that (theoretically) can be abused. That’s why our guidance is both country and technology agnostic.

Product-based and nation-scale risks

So what does this mean for Russia-based AV and similar products? Given we assess that the Russian state commits cyber attacks against the UK for a number of reasons, we believe some UK government and critical national systems are at increased risk. Considering how an AV product could be abused - and the potential impact if it were - we need to focus our attention on managing this important risk effectively. We approach this in two ways; manage product-based risks and manage national-scale risks.

For the first part, we engage companies who we believe could pose a risk and explore how to work together to mitigate those risks sufficiently. Ultimately, this will be done in an evidence-based and transparent way. This is the approach we are taking with Kaspersky Labs; we're discussing whether a framework can be developed (that we and others can independently verify) that provides the UK with assurance about the security of their involvement in the wider UK market. If we can't develop solutions with these suppliers that we feel mitigate the risk to UK national security, other solutions will be needed. If we can, Russia will still be a threat to UK government and critical systems, and they’ll sometimes be successful. We need to make sure they’ll have to work hard and that there’s a good chance of them being caught quickly.

For the second part, Ciaran Martin has written to all Permanent Secretaries highlighting the risks as we see them, and advising them to make an informed, risk-based decision around cloud-enabled products that they use on their own networks (or that are being used in the sectors they care about). He's advised that systems with a national security purpose should not use products that could be exploited easily by the Russian government through supply chain interdiction. The Russian state has a similar stance in terms of its use of Western products, so there’s not much asymmetry here. Many departments already manage these risks well; there’s almost no installed base of Kaspersky AV in central government. Beyond this relatively small number of systems, we see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals.

Complex and nuanced guidance - because it needs to be

Our advice in this space is a bit complex and nuanced. That’s because it’s a complex problem with lots of nuances. Whatever you do, don’t panic. For example, we really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.

As we’ve said before, people and enterprises have a finite budget for security, whether that’s money, time, change or whatever. Let’s use this budget wisely and concentrate on fixing the things that we know are responsible for successful compromises.

Ian Levy

Technical Director, National Cyber Security Centre


miles - 04 Dec 2017
What is guidance for companies that support Government sector, assuming there is a domino effect into other businesses?
Ian Levy - 05 Dec 2017

Thanks for your question. We'd expect the affected departments to talk to their supply chain and let them know what they need to do.
Jon Edwards - 05 Dec 2017
All straightforward until you confused me with the following:

'He's advised that systems with a national security purpose should not use products that could be exploited easily by the Russian government through supply chain interdiction.'
'Many departments already manage these risks well; there’s almost no installed base of Kaspersky AV in central government.'

We know that the vast majority of central govt depts don't have systems that impact on national security therefore the statement that they don't use Kaspersky seems to contradict, or at least confuse, the suggestion that the (unacceptable) risk is only to national security systems.
Ian Levy - 07 Dec 2017
Yeah, that’s a fair point – poor drafting there. You’d actually be surprised at departments that have systems that could affect national security. However, your point stands – that last bit is a fact, but it’s not clear what the context is. It’s certainly not intended to suggest anything weird.
Eugene VAN DELSEN - 06 Dec 2017
Thank you Mr.Levy for this information. Our Kaspersky AV connection agreement will end in February 2018.

As per your own advice we will not rush to ripping out Kaspersky software at large, while, as you tell us, it makes little sense.
Anyway, there exist some worry that we should be ready to envisage a secondary AV ( McAfee is bombarding our PC´s with their trial offers). Do you think it would wise? This of course will bring forth the cost of a, maybe, unnecessary double "protection".
Thank you for your good advice.

Ian Levy - 07 Dec 2017
Thanks Eugene. We would recommend that you do NOT run two AV products on the same machine. They’re reasonably likely to conflict, the upfront cost and ongoing management cost will be potentially large and you’re not going to get a significant increase in protection. Different AV products on, say, clients and email gateways can make sense in some scenarios.
Jenny Vass - 06 Dec 2017
Thank you for the really clear information and sensible advice.
Tanya - 06 Dec 2017
As a member of the public who uses Kaspersky on my home computer, I really appreciate the tone of this post and how you've laid it out clearly for the layperson. Thanks for your no-nonsense, no-hyperbole approach, and I'll keep up with your latest recommendations.
neal - 06 Dec 2017
I have already renew my contract on 26/11/17 , would this action cancell my contract, thanks
Ian Levy - 07 Dec 2017
Neal, unless you fall into one of the categories we talk about (those who may be of interest to the Russian state or someone could have an impact on national security) then there’s no need to cancel your contract.
Charles Miller - 06 Dec 2017
Knowing who to trust is becoming increasingly difficult, but at this time my belief in Karspersky's integrity stands very much higher than my belief in the intergity of either the UK or US present governments, both of which are in alarmingly chaotic states, or in Barclays for that matter, and I will maintain my present faith in Karspersky until credible reason for change is presented. For now, I have no doubt that spying and interference is a two-way process that all countries engage in and that commercial spying and data gathering by UK and US is the greatest - and an as yet un-addressed - threat to personal cyber security and in that respect Karspersky scores far better than our governments and its agencies.
Ian Levy - 08 Dec 2017
Trust is a personal belief state so no-one can comment on your view of who you trust. However, trustworthiness is more evidence based, and that’s what our guidance tries to help people work through.
Ann King - 06 Dec 2017
The article was well written and self explanatory for the likes of me.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No