NCSC: Time to Rethink Russian Supply Chain Risks

One of the UK’s top security agencies has urged the public sector, critical infrastructures (CNI), and other organizations to reconsider the potential risks associated with any “Russian-controlled” parts of their supply chain.

Ian Levy, technical director of the National Cyber Security Centre (NCSC), said there’s no evidence to suggest that the Russian state is about to force commercial providers to damage UK interests. However, that doesn’t mean it isn’t happening or won’t at some point in the future, he added.

“Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed,” Levy argued.

“The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”

The new NCSC advice applies to all UK public sector organizations; those providing services to Ukraine; CNI firms; organizations doing work that could be seen as running counter to Russian interests; and high-profile organizations whose compromise would be a PR win for the Kremlin.

Levy argued that organizations more likely to be a target of Russian aggression need to reconsider any reliance on Russian tech or services. Those who use services sourced from inside the country need to think about increased cyber risk, even if the provider itself is not Russian, he added.

“You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk,” Levy continued. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *