The Alleged Ties To Russian Intelligence
Kaspersky Lab can’t seem to get rid of the stigma of being a Russian company. Even after Eugene Kaspersky publicly declared that Russian President Vladimir Putin is not his friend, and offered to show his source code to the US government, he can’t shake off the perception that he’s helping the Russian government attack Western interests.
It did not help that Israeli government hackers provided the US National Security Agency (NSA) with evidence that Russian hackers used Kaspersky Lab software to scan for American classified programs. They also found NSA hacking tools in the Kaspersky Lab network, the same tools that the NSA later confirmed were in Russian intelligence hands.
That was what led to the US General Services Administration directive to remove Kaspersky Lab from its list of approved vendors, and to the US Senate's call for a government-wide ban.
There is no evidence that Kaspersky Lab itself was complicit in helping Russian intelligence scan for American classified programs, or obtain the NSA hacking tools. It is entirely possible that the Russian intelligence hackers merely exploited the same flaws in Kaspersky Lab software that the Israelis used to gain access to their network and software.
However, all these controversies have greatly undermined Kaspersky Lab’s credibility and sales worldwide.
The Kaspersky Lab Global Transparency Initiative
The Kaspersky Lab Global Transparency Initiative attempts to prove to their customers (and potential customers), and assure them, that there are no backdoors in their software. Under this initiative, Kaspersky Lab will make their source code, including software updates and threat detection rules, available for independent review and evaluation.
Their Global Transparency Initiative will kick off with these actions:
- Kaspersky Lab will offer their source code for an independent review by Q1 2018, with similar independent reviews of their software updates and threat detection rules to follow.
- An independent assessment of the Kaspersky Lab development lifecycle processes, and its software and supply chain risk mitigation strategies, will begin by Q1 2018.
- Additional controls to govern Kaspersky Lab data processing practices, with verification by an independent party, will be developed by Q1 2018.
- Three Transparency Centers will be established in Asia, Europe and the US to address security issues with Kaspersky Lab partners, customers and government stakeholders. They will also serve as a facility for “trusted partners to access reviews on the company’s code, software updates and threat detection rules”. The first Transparency Center will open by 2018, with the rest by 2020.
- Kaspersky Lab will increase their bug bounty awards to up to $100,000 for the most severe vulnerabilities found under their Coordinated Vulnerability Disclosure program by the end of 2017.
Kaspersky Lab will later announce the next phase of the Global Transparency Initiative, after engaging with their stakeholders and the cybersecurity community.
What This Does Not Address
The initial phase of the Kaspersky Lab Global Transparency Initiative will help verify, and assure their customers, that there are no backdoors in their software. However, it does not address a major concern for the US government – the fact that their data is routed through Russian Internet service providers that are subject to the Russian intelligence surveillance system called SORM (System of Operative-Investigative Measures).
Kaspersky Lab has said that customer data sent to their Russian servers is encrypted, and that they do not decrypt it for the Russian government. But it would be impossible for them to prove it. Perhaps they will address this concern in the next phase of their Global Transparency Initiative.