NCSC is concerned about the possibility President Putin could be using Russian software companies for state espionage ©PA Images

Firms get guidance on supply chain cyber security

posted by Francis Churchill
4 December 2017

The government has released guidance for businesses using cloud-enabled software such as data storage or anti-virus tools.

Cloud-enabled software is a catch-all term for programs or services that need to connect to a supplier or third party’s own network to function.

The guidance from the National Cyber Security Centre (NCSC) recommends that companies using such software understand what information these products can access, and it outlines steps businesses should take to reduce the risk around cloud services.

NCSC released the guidance following a recommendation to government ministries against using anti-virus software from Russia-based Kaspersky Labs, which has been accused by the US of being used by the Russians for espionage. Kaspersky denies the claim.

Businesses that use Kaspersky software are not being advised to switch, and the guidance is more generally about the safe use of cloud services.

In a blog-post addressing “speculation about foreign involvement in the UK supply chain”, NCSC technical director Ian Levy said the country of origin was not the most important security concern for businesses.

“In supply chain security, the country of origin matters, but isn’t everything. We've said for years that in today’s technological environment, virtually every significant network incorporates foreign technology,” he said.

“Of course, if a supplier is headquartered in a country which has a record of attacking the UK and our allies in cyberspace, then that is something we must worry about. But it’s much more complicated than saying, ‘Company A is from naughty country X so we should use company B from nice country Y instead’.”

Levy added that more mundane issues, such as not keeping software up to date, poor network configuration management and poor credential management, posed a bigger risk.

Where there is a real risk of state espionage, Levy recommended engaging in transparent and frank dialogue with the supplier on how to work together to mitigate those risks.

“This is the approach we are taking with Kaspersky Labs; we're discussing whether a framework can be developed... that provides the UK with assurance about the security of their involvement in the wider UK market,” he said.

Anti-virus products, while a fundamental part of any firm’s cyber security, are a potential vulnerability for firms because they require deep access to a computer’s files and systems, and near-constant communication with the vendor’s own networks, to function properly.

The NCSC guidance recommends that firms using cloud software:

  • Understand how products interact with cloud services, what information they can access and what changes they can make to your own systems once enabled
  • Ask for a vendor statement including terms and conditions or a privacy policy
  • Do your own independent research on third-party software
  • Use monitoring tools to track data going to and from a third party
  • Use the product’s own tools (which good providers should include) to control what data goes to third parties.

Barclays has announced it is ending a deal to provide Kaspersky anti-virus software to its online banking customers, but said it was a precautionary measure and there was nothing to suggest customers already using the software should stop.

Separately, a think tank has called on government to do more to protect underwater cables that connect the UK to the internet.

The report by Policy Exchange, written by Conservative MP Rishi Sunak, says that 97% of global communications and $10tr of financial transactions go through a number of undersea cables that are inadequately protected and vulnerable to attack.

Comparatively little of the world’s communications go through satellites, the report said.

“A successful attack on the UK’s undersea cable infrastructure would be an existential threat to our security,” said Sunak. “Yet the exact locations of these cables are both isolated and publicly available; jugulars of the world economy which are a singularly attractive target for our enemies.”

Undersea cables are not only vulnerable to attack at sea (the report cites US reports of Russian submarines operating aggressively near Atlantic cables); the report also said that the points where the cables come ashore should be considered key national infrastructure, potentially vulnerable to terrorist attacks.
