Under intense political and market pressure in the wake of reports that its software was used by Russian nation-state cyberspies to steal US National Security Agency secrets, security firm Kaspersky Lab today announced it will allow independent third parties to review its source code as well as its internal processes and business operations.
The initiative follows a pledge made by Kaspersky Lab chairman and CEO Eugene Kaspersky in early July to share his firm's source code with the US government as a show of good faith. The Trump administration last month ordered US federal agencies to uninstall Kaspersky Lab software and services from their systems due to US national security concerns due to possible ties between "certain Kaspersky officials and Russian intelligence and other government agencies" as well as Russian law that allows intelligence agencies there to "request or compel" help from the security firm to intercept communications across Russian networks.
Eugene Kaspersky and his firm have vehemently denied helping the Russian government with any cyber espionage efforts, and said it had no knowledge of a recently reported breach of an NSA employee's home computer via the Kaspersky AV software running on it. The software was used to steal classified information and tools from the US spy agency, according to the reports, which allege the firm was complicit by either assisting in the heist or by selling software that was abused by Russian hackers.
The new transparency program indicates that the security firm has no plans to fade away under intense pressure by US officials and loss of commercial sales outlets such as Best Buy, which recently pulled the software from its shelves after the various reports of possible Russian government ties.
Kaspersky Lab did not name the third parties who will be performing its code reviews, but said it's looking for experts with experience in software and assurance testing. The reviews will entail technical audits, code base reviews, vulnerability assessments, architectural risk analysis, and secure development lifecycle process reviews, according to the company. "Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at [email protected]," the company said in response to questions about the new program, which it calls the Global Transparency Initiative.
The first phase of the program includes the kickoff of an independent review of Kaspersky Lab's source code by the first quarter of 2018, and subsequent reviews of updates and threat detection rules to then get similar vetting. The company also will launch an independent analysis of its secure development lifecycle processes and its software and supply chain risk mitigation practices during the first quarter.
Kaspersky Lab in Q1 also will work with an outside party to develop additional controls for its data processing practices, and also will set up the first of three Transparency Centers where "trusted partners" can inspect code, software updates, threat detection rules, and related operations by Kaspersky Lab. The centers will be based in Asia, Europe, and the US, and will be completed by 2020.
By the end of this year, Kaspersky Lab also will up its bug bounty awards to $100,000 for the most critical vulnerabilities.
Chris Wysopal, CTO of Veracode, which offers source code analysis, says the code and development process inspection announced by Kaspersky Lab is "good news" and should be adopted by all security vendors for their software. "Security software requires an enormous amount of trust from its users because of the privileged access that is granted security software for it to work," he says. "Add in dynamic software updates and dynamic rule updates and you have allowed an external party complete access to your computer."
Because software today gets updated on a continuous basis, a third-party review should occur for each update, he says, which Kaspersky has announced it will do. "A third-party review of the integrity of the SDLC and software supply chain is something all vendors should be providing to their customers, as almost all software is putting customers at varying levels of risk from vulnerabilities or backdoors."
When asked if Veracode was one of the third parties that will inspect Kaspersky Lab's code, Wysopal said he could neither confirm nor deny it was working with the security firm. Veracode typically has nondisclosure agreements with customers, for example, he says.
Fidelis Cybersecurity's John Bambenek says Kaspersky Lab's new program may help, but the allegations by Israeli intelligence reported that hackers searched for classified information in Kaspersky Lab's telemetry were especially damaging. He says the new controls Kaspersky Lab has planned for how data gets processed "might" address those allegations, but it's not yet clear.
"It certainly is a bold step Kaspersky is taking, and that they don't plan to retreat from the North American market quietly," says Bambenek, Fidelis' threat systems manager. "What this actually shows is that there might need to be best practices and rules all cybersecurity companies adhere to worldwide because the accusations against Kaspersky by the US today could easily be the accusations against a US company by another country tomorrow."
He says transparency and specific rules on how to handle user information by AV firms has been "long overdue."
Veracode's Wysopal concurs that the Kaspersky Lab program makes sense. But code-vetting still won't stop nation-states from abusing software and networks via backdoors and covert channels, which can be more difficult to police. "Due to the nature of software and networks, I don't think the risk can be entirely eliminated through transparency when it is nation-state risks we are dealing with," Wysopal says.
When asked how the transparency program addresses recent concerns about Kaspersky Lab's alleged relationship with the Russian government, Kaspersky Lab provided this statement: "Recent allegations aside, Kaspersky Lab company understands that as nations compete in cyberspace, IT security vendors must independently validate the assurance and integrity of their products in addition to their efficacy and effectiveness. As a cybersecurity company in operation for over 20 years, Kaspersky Lab has launched its Global Transparency Initiative to reiterate its industry leadership on not only providing great cybersecurity products and solutions, but also to demonstrate its continued willingness to go above and beyond to protect its customers."
Eugene Kaspersky says the new initiative is all about showing the firm's openness and transparency. "We've nothing to hide. And I believe that with these actions we'll be able to overcome mistrust and support our commitment to protecting people in any country on our planet."
He also called for curbing "attempts to introduce national boundaries in cyberspace" because cybersecurity requires multinational cooperation and "has no borders."
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.