
Kaspersky Lab seeks to gain back trust after spy accusations

The Moscow-based security firm, accused of working with the Russian government to spy on customers, vows to offer independent audits to prove otherwise.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

Kaspersky Lab has promised to work with independent companies to conduct audits on its product source code in the future in an effort to reestablish trust in the wake of alleged involvement in US government data theft.

The company issued a brief statement Monday, promising that by the first quarter of 2018, an "internationally recognized authority" will conduct independent source code reviews, as well as verify the "integrity of our solutions and processes."


Kaspersky Lab has been a popular, successful security company but is scrambling to fight allegations that it secretly helps the Russian government.

Kaspersky Lab

While the independent reviewer has not been named, Kaspersky said in a statement to Reuters news agency that the chosen company has "strong credentials in software security and assurance testing for cyber-security products."

Last month, the US Department of Homeland Security ordered all federal agencies to stop using Kaspersky products within the next 90 days due to suspected ties to the Russian government.

The DHS said that Kaspersky products represented "information security risks" because Russian law could be used to pressure the firm into assisting with cyberespionage, and that the risk of its products being used to "compromise federal information and information systems directly implicates US national security."

The Trump administration has also removed Kaspersky from lists of approved vendors that the US government is permitted to purchase equipment and services from.

Kaspersky software was also explicitly blamed for the theft of sensitive documents belonging to the US National Security Agency, which an employee had taken home and which Russian hackers then targeted. Press reports alleged that the files were identified through Kaspersky's antivirus software running on the employee's machine.

Kaspersky has denied these allegations, calling them "false" and based on "inaccurate assumptions." The creation of new transparency procedures has likely stemmed from a need to try to gain back trust from governments, businesses and consumers alike.

The Moscow-based cybersecurity firm also said it plans to open three "transparency centers" in Asia, Europe, and the United States over the next three years. These centers are meant to host the source code and internal process reviews, and to accommodate changes to code and threat-detection rules as needed. The first center is due to open in 2018, and the other two are expected to be complete by 2020.

Kaspersky said it will work with stakeholders and the information security community in the future to further solidify plans to increase transparency and strengthen compliance.

Kaspersky will also raise the top reward under its Coordinated Vulnerability Disclosure program to $100,000 by the end of 2017 for researchers who find and report vulnerabilities in its core products.

"We need to reestablish trust in relationships between companies, governments, and citizens," CEO Eugene Kaspersky said in the statement. "That's why we're launching this Global Transparency Initiative: we want to show how we're completely open and transparent."

"We've nothing to hide," the executive added. "And I believe that with these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet."

This may not be enough to placate the security industry, however. Amit Serper, who leads security research at Boston-based Cybereason, tweeted that access to source code may do little, because the source code may not be where the real risk lies.

"Code review is absolutely meaningless," Serper tweeted. "All Russian intelligence needs is access to KSN, Kaspersky's data lake which is a treasure trove of data." KSN, the Kaspersky Security Network, is a cloud-based, opt-in network that collects threat telemetry from participating installations. According to Kaspersky, the data it may collect includes checksums of processed files, URL information, details about a user's PC and installed software, and more.

"Even open sourcing the entire product won't reveal or even help with revealing that," he added.

Kaspersky did not immediately respond to a request for comment.

This story originally posted as "Kaspersky Lab tries to claw back trust with transparency initiative" on ZDNet.
