The Russia-Ukraine conflict has highlighted the extent to which the West relies on Russia for critical imports. The country is the third-biggest producer of oil in the world, accounting for 8 per cent of the UK’s oil demand and a quarter of the EU’s.
Energy is only part of the picture – according to the Office for National Statistics (ONS), the UK imported £10.3bn worth of goods from Russia in 2021, with core products being oil and gas; non-ferrous metals such as aluminium, lead and copper; wood; and mechanical machinery.
Sanctions mean Western nations will need to get vital resources from elsewhere, with the UK phasing out Russian oil imports by the end of 2022. But alongside crucial goods, we also import crucial services.
This includes cyber security software. Many businesses and individuals rely on Russian-owned cyber security firms such as Kaspersky, which is best known for its antivirus software that is used by more than 400 million customers across 200 countries.
Cyber security is a critical part of the UK’s national infrastructure, and if infiltrated by malicious state actors could result in the shutdown of public services – the WannaCry ransomware attack of 2017 brought hospitals to a temporary standstill.
The National Cyber Security Centre (NCSC) has published a blog offering guidance to businesses and individuals who use Russian cyber security services – this includes Russian-owned companies but also companies that have certain operations or people based in Russia, such as customer support or development teams.
We have not yet witnessed a major global cyber attack linked to the Ukraine conflict but we have previously seen Russian attacks on Western nations – the SolarWinds Corp attack in 2021, which targeted US government departments, and the UK telecoms companies attack in 2018, for example.
In the blog post, Ian Levy, the NCSC’s technical director, writes that most individuals and businesses are “highly unlikely” to be targeted by a Russian cyber attack. But everyone should prepare for the potentiality of one. “The absence of evidence is not evidence of absence,” he states. “The situation remains highly unpredictable. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”
The most vital thing any person or business can do is ensure their systems are secure, says Levy. This includes updating software regularly, good credential management (such as through strong passwords and two-factor authentication) and strong network configuration. Forward-planning is also crucial, in case a system is compromised or global sanctions are suddenly imposed, and there should be a recovery or back-up plan in case of data loss.
Some higher-risk organisations should reconsider whether they should use Russian cyber security companies at all, he says. Based on 2017 guidance, the NCSC advises that any government departments dealing in national security do not use products such as Kaspersky antivirus software. Many other types of organisations should “err on the side of caution” by reconsidering whether they should use such services and putting plans in place to protect their business from compromise or misuse if they decide to continue to do so.
This includes all public sector organisations; organisations providing services to Ukraine; “high-profile” organisations; those that provide critical national infrastructure, such as energy or broadband; and those that do work that could be deemed to be in opposition to Russian state interests.
Russian law dictates that businesses could actually be obliged to infiltrate UK systems; there are obligations on organisations to assist the Russian Federal Security Service (FSB), and the pressure to do so can increase during war. Lone actors or “hacktivists” also pose a risk – people working for Russian companies with access to UK systems may not have been tasked with infiltration but decide to do so anyway.
“Computers are predictable, people are not,” says a Western official. “It’s not just about states but about people inculcated in the art of doing this stuff.”
However, speculation about large-scale Russian cyber attacks has been overblown, the official says, adding that cyber warfare does not replace real warfare. “If you listen to some commentators, we are expecting cyber Armageddon [where] the Russians are going to push a big red button. This is very unlikely to happen. Cyber weapons are [just] a tool in the toolbox for a concerted campaign across multiple domains.”
It is down to each individual organisation to decide whether to proactively stop using Russian services immediately, to wait until a contract expires or to take the risk of continuing to do so, says Levy – but he warns that abruptly stopping without appropriate planning could do more harm than good.
“Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent,” he writes.
He also urges people to consider the impact of global sanctions on a company such as Kaspersky, which could stop issuing software updates, rendering its protection ineffective.
Businesses can follow the NCSC guidance on what to do when the cyber security threat is heightened, and individuals can follow the agency’s broader Cyber Aware guidance, which includes tips such as setting stronger passwords and using two-step verification.
The NCSC will update its guidance as the situation in Ukraine develops. Spotlight has contacted Kaspersky for comment.