6 Things Kaspersky Lab Says It's Doing To Win The Trust Of Its Customers And Partners
From bug bounties to independent assessments of internal processes to relocating core processes outside Russia, here's how Kaspersky Lab plans to go about rebuilding trust with customers and partners following accusations of ties to the Russian government.
Seeking A Fresh Start
Kaspersky Lab launched its Global Transparency Initiative in October 2017 following months of pushback over alleged ties to the Russian intelligence services, which the company has vehemently denied.
The initiative will seek to address what trust looks like in the context of information technology, as well as how it can be maintained, Tara Hairston, head of government relations for Kaspersky Lab North America, said last week at the company's Trusted Advisors Summit 2018 in Scottsdale, Ariz.
The company announced Tuesday that it plans to move a number of its core processes from Russia to Switzerland, including software assembly, threat detection updates, and customer data storage and processing for most regions.
While the initiative is in part a direct response to the geopolitical situation involving Kaspersky, Hairston said the efforts are primarily driven by a desire to address the general lack of trust when it comes to IT.
From bug bounties to independent assessments of Kaspersky's internal processes and source code, here's how the company plans to go about rebuilding trust with customers and partners.
6. Examining Options Around Localizing Some Of Its Data Collection
Kaspersky is looking into situating data collection and processing capabilities for the Kaspersky Security Network (KSN) outside of Russia to address customer concerns, Hairston said. KSN is a complex distributed infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world.
Kaspersky plans to start redesigning and reconfiguring its back-end infrastructure, particularly around KSN data collection and processing, by the end of 2018, Hairston said. As part of this effort, Kaspersky is also looking at practices that could minimize data exposure while ensuring the KSN project remains effective, according to Hairston.
By the end of 2019, Kaspersky will have established a data center in Zurich, Switzerland, to store and process information voluntarily shared by KSN users in North America, Europe, Singapore, Australia, Japan and South Korea, with more countries to follow, the company said Tuesday.
5. Taking Its Bug Bounty Program To The Next Level
Kaspersky launched a paid vulnerability disclosure program in the summer of 2016 to incentivize top-notch security researchers and ethical hackers to look at the company's products, Hairston said. The company used bug bounty platform provider HackerOne to manage the program, according to Hairston.
In October 2017, Kaspersky expanded the range of products researchers were allowed to examine and raised the bounty to up to $100,000 per discovered vulnerability, Hairston said. In order for researchers to receive the reward, Kaspersky must be able to verify that the vulnerabilities exist and are replicable.
Two months ago, Kaspersky further expanded the products and vulnerabilities falling within the scope of the company's bug bounty program, Hairston said.
4. Putting Its Internal Processes Under The Microscope
Kaspersky plans to have independent experts validate and verify the company's secure development lifecycle as it relates to developing new products, software, and services, according to Hairston. Rather than simply checking boxes by obtaining various certifications, Hairston said, the company is seeking independent experts to review its own internal processes.
Hairston said Kaspersky is considering bringing in a Big Four professional services firm like EY or Deloitte to conduct an external audit of the company's internal security practices. Alternatively, Hairston said Kaspersky might bring in independent experts to look at particular segments or processes. The internal audit and certification regime will also cover Kaspersky's engineering practices, Hairston said.
Kaspersky said Tuesday that it supports the creation of a new, non-profit organization to take on this responsibility, not just for the company, but also for other partners and members who wish to join.
3. Relocating Its Software Assembly To Switzerland
Kaspersky said Tuesday that it will relocate to Zurich its programming tools used to assemble ready-to-use software out of source code.
By the end of this year, Kaspersky's products and anti-virus databases will start to be assembled and signed with a digital signature in Switzerland before being distributed to customer endpoints worldwide.
The relocation will ensure that all newly-assembled software can be verified by an independent organization, Kaspersky said. It will also show that software builds and updates received by customers match the source code provided for the audit, according to Kaspersky.
2. Subjecting Its Source Code To Review From Independent Experts
Kaspersky is looking into mechanisms to provide broader access to the code that underpins its threat detection rules, anti-virus software, and cloud-based services, Hairston said. The company would like to make the source code for its products and software updates available for independent assessment, evaluation and review, according to Hairston.
The company is currently attempting to find credible experts with the independence, capability, and capacity needed to review Kaspersky's code, Hairston said. Given that Kaspersky has been around for more than 20 years, Hairston said there's a lot of code to review.
In order to do this, though, Hairston said Kaspersky needs a physical location where the code can be reviewed by independent experts, potential customers, and other stakeholders.
1. Establishing Three Transparency Centers Around The Globe
Kaspersky plans to follow in the footsteps of companies like Microsoft and Cisco and establish meeting places where government officials, partners, and customers can come in and look at both the code bases and the technology underpinning the company's products, Hairston said.
The company wants to establish one transparency center in Europe, one in North America, and one in Asia by 2020, Hairston said. Kaspersky announced Tuesday that a dedicated Transparency Center will be hosted in Switzerland, and is expected to open this year.
Kaspersky has also been in conversation with a number of governments since the fall of 2017 about the mechanisms the company is considering or planning to put in place, Hairston said. The company is interested in learning what concerns have been expressed to government officials, Hairston said, as well as the extent to which Kaspersky's measures are addressing those concerns.