Kaspersky Lab tries to claw back trust with transparency initiative

The company has promised independent source code reviews and increased bug bounty rewards in the future.


Kaspersky Lab has promised to work with independent companies to conduct audits on its product source code in the future in an effort to reestablish trust in the wake of alleged involvement in US government data theft.

On Monday, the company issued a brief statement that said by Q1 2018 an "internationally recognized authority" will conduct independent source code reviews, as well as verify the "integrity of our solutions and processes."

While the reviewer company has not been named, in a statement to the Reuters news agency, the firm said the chosen party has "strong credentials in software security and assurance testing for cyber-security products."

Last month, the US Department of Homeland Security (DHS) ordered all US federal agencies to stop using Kaspersky products within the next 90 days due to suspected ties to the Russian government.

The DHS said that Kaspersky products represented "information security risks," because Russian laws could be used to lean on the cybersecurity firm for cyberespionage purposes, and that the risk of the products being used to "compromise federal information and information systems directly implicates US national security."

The Trump administration has also removed Kaspersky from lists of approved vendors that the US government is permitted to purchase equipment and services from.

Kaspersky software was then explicitly blamed for the theft of sensitive documents owned by the US National Security Agency (NSA), taken home by an employee who was targeted by Russian hackers for the information. The report alleged the files were identified through the firm's antivirus software.

Kaspersky Lab has denied these allegations, calling them "false" and based on "inaccurate assumptions," and the creation of new transparency procedures has likely stemmed from a need to claw back trust from governments, businesses, and consumers alike.

The Moscow-based cybersecurity firm said there are also plans to create three "transparency centers" worldwide, in Asia, Europe, and the US, over the next three years. These centers will host the planned reviews of source code and internal processes, and will make changes to code and threat detection rules as necessary. The first center will be up and running in 2018, and the others are expected to be complete by 2020.

Kaspersky Lab said that the firm will work with stakeholders and the information security community in the future to further solidify plans to increase transparency and strengthen compliance.


Kaspersky Lab will also be offering up to $100,000 in bumped-up bug bounty rewards to researchers who find and report vulnerabilities in core company products through the Coordinated Vulnerability Disclosure program by the end of 2017.

"We need to reestablish trust in relationships between companies, governments, and citizens," said Eugene Kaspersky, chairman and CEO of Kaspersky Lab. "That's why we're launching this Global Transparency Initiative: we want to show how we're completely open and transparent."

"We've nothing to hide," the executive added. "And I believe that with these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet."

This may not be enough to placate the security industry, however. Amit Serper of Boston-based Cybereason noted on Twitter that access to source code may do little, as that may not be where the true issue lies.

"Code review is absolutely meaningless," said Serper.

"All Russian intelligence needs is access to KSN, Kaspersky's data lake, which is a treasure trove of data," he said, referring to Kaspersky Security Network (KSN), a voluntary cloud-based network that collects data on threats. The system may collect the checksums of processed files, URL information, information about a user's PC and software, and more.

"Even open sourcing the entire product won't reveal or even help with revealing that," he added.

"I do have to say though that as security research professionals I think that Kaspersky's people are probably the top in the industry," the researcher added. "The talents that they have are amazing. My opinions aren't personal against people: 'hate the game, not the player'."

When reached by ZDNet, a representative for Kaspersky added:

"The Kaspersky Lab proposal for source code and software-updates analysis suggests access to review how our products interact with KSN. Our goal is to work with independent experts with strong credentials in software security and assurance testing for cybersecurity products, and we are ready to take all necessary steps to ensure we are providing the best protection for our customers' security."
