Moscow-based Kaspersky Lab plans to relocate most of its core infrastructure and operations to Switzerland in a bid to allay concerns the company is vulnerable to Russian-government influence.
By the end of 2019, customer data storage and processing for most regions including the US and North America will be based in Switzerland. So too will most software assembly operations and threat detection updates, the security vendor said this week. Kaspersky Lab will arrange for all activity in its Switzerland facility to be supervised by an independent third party to ensure full transparency.
The move is part of a broader effort by Kaspersky Lab to reestablish market trust following accusations by the US government that the company is vulnerable to interference from Russian intelligence and the government in Moscow. The concerns are primarily tied to an incident where the AV firm allegedly collected classified data belonging to the US National Security Agency (NSA) from the computer of an NSA contractor.
Kaspersky Lab has said its AV software automatically collected a file containing source code for a secret NSA hacking tool as part of its usual malware analysis process. Kaspersky Lab has maintained that its AV technology flagged the file as potentially malicious and uploaded the software to its network for analysis. But the company quickly deleted the data after determining what it was, Kaspersky has claimed. Critics, meanwhile, accused the company of helping Russian intelligence steal the data as part of a broader and systematic data theft campaign.
The Trump administration last December formally banned US government agencies from using Kaspersky Lab's range of antivirus and anti-malware tools. The ban, included in a broader spending bill, required all federal agencies to purge their systems of Kaspersky Lab software in 90 days.
The security vendor has sued the US government over the ban while also committing to make its operations more transparent to show it is not operating under Russian government influence. Last year, Kaspersky Lab announced the company would establish a total of three Transparency Centers worldwide from where it will carry out a majority of its operations under supervision by a trusted third-party. The company has also offered up its source code for third-party inspection under the transparency program.
The Switzerland center is the first of those transparency centers and demonstrates Kaspersky Lab's commitment to openness a spokeswoman says. "The Transparency Center will be created and operated by Kaspersky Lab and will serve as a facility for trusted responsible third-parties from both the public and private sectors to review and evaluate the source code of Kaspersky Lab software and software updates," she said. Source code for public releases will be stored in Switzerland and will be available for independent review.
The security vendor's new facility in Zurich will also host Kaspersky's software build conveyor — a set of tools the company uses to assemble its anti-malware software. By the end of this year, Kaspersky Lab will start assembling all products and threat detection rule databases for worldwide use out of its Swiss center.
"A third party organization will have all necessary access to processes and products and will decide for itself what to review," the spokeswoman said. The third party organization will be a non-profit entity that will be established independently for the purpose of producing professional technical reviews of Kaspersky Lab products. "On a regular basis the third-party organization will report publicly on its activities, and everyone will have an opportunity to access these reports," she said.
The third-party overseer will have access to Kaspersky's software development documentation, source code of publicly released products and access to the rules and databases the vendor uses for threat detection. Kaspersky Lab will also provide access to the source code of cloud services handling and storing data belonging to customers in North America, Europe and other regions.
Kaspersky Lab will continue to use the current software build conveyer in Moscow for creating products and AV bases for the Russian market.
Wesley McGrew, director of cyber operations at security consultancy Horne Cyber, says the measures that Kaspersky Lab is taking should help increase confidence among private businesses and individuals. But the vendor will still have its work cut out among potential government clients in the US and elsewhere.
"With competitors to choose from that haven't had the same accusations placed against them, governments aren't going to be quick to place trust back in Kaspersky," McGrew predicts. A lot will depend on the extent and the type of the visibility that the independent observer will have over Kaspersky's operations.
"The nature of antivirus software, with its high degree of privileged access to systems and networks, requires a lot of trust in the software, and how it is maintained and operated over time," McGrew notes. "Oversight will need to be comprehensive across the entirety of Kaspersky operations to convince people of the lack of Russian government influence."
- Kaspersky Lab Collected, Then Deleted NSA File from a Home Computer
- Kaspersky Lab Offers Up its Source Code for Inspection
- Kaspersky Lab and the AV Security Hole
- 8 Notorious Russian Hackers Arrested in the Past 8 Years