Responding to U.S. government suggestions that its antivirus software has been used for surveillance of customers, Moscow-based Kaspersky Lab is launching what it’s calling a transparency initiative to allow independent third parties to review its source code and business practices and to assure the information security community that it can be trusted.
The company plans to begin the code review before the end of the year and establish a process for conducting ongoing reviews, both of the updates it makes to its software and of the threat-detection rules it uses to detect malware and to upload suspicious files from customer machines. The latter refers to signatures and so-called YARA rules, which are the focus of recent allegations.
The company will open three “transparency centers” in the U.S., Europe and Asia, where trusted partners will be able to access the third-party reviews of its code and rules. It will also engage an independent assessment of its development processes and work with an independent party to develop security controls for how it processes data uploaded from customer machines.
“[W]e want to show how we’re completely open and transparent. We’ve nothing to hide,” Eugene Kaspersky, the company’s chairman and CEO, said in a written statement.
The moves follow a company offer in July to allow the U.S. government to review its source code.
Although critics say the transparency project is a good idea, some added it is insufficient to instill trust in Kaspersky going forward.
“The thing [they’re] talking about is something that the entire antivirus industry should adopt and should have adopted in the beginning,” said Dave Aitel, a former NSA analyst and founder of security firm Immunity. But in the case of Kaspersky, “the reality is … you can’t trust them, so why would you trust the process they set up?”
Kaspersky has come under intense scrutiny after its antivirus software was linked to the breach of an NSA employee’s home computer in 2015 by Russian government hackers who stole classified documents or tools from the worker’s machine. News reports, quoting U.S. government sources, have suggested Kaspersky colluded with the hackers to steal the documents from the NSA worker’s machine, or at least turned a blind eye to the activity.
It’s believed the documents or tools were siphoned from the NSA worker’s machines using “silent signatures” — keyword searches that antivirus companies conduct on customer machines to uncover suspicious files and send them back to the company for review. Although silent signatures are an acceptable method for detecting malware, recent stories have suggested that Kaspersky, or Russian government hackers operating with Kaspersky’s knowledge, used keywords that were deliberately designed to search for intelligence about classified U.S. operations, not for malicious code.
That’s possible, although some experts say it’s also possible the collection was inadvertent — that Kaspersky software identified classified NSA malware still in development, or related documents, and uploaded the material to Kaspersky servers, thinking it was a possible infection.
Kaspersky claims to have more than 400 million users worldwide, but that market share is under threat after the government-sourced news reports and after the Department of Homeland Security banned Kaspersky products last month from civilian government systems. Best Buy removed the software from computers it sells based on concerns that it can be used to spy on customers. Although it’s not yet clear if other governments and commercial partners will follow suit, the company is under great pressure to preserve its remaining business relationships.
The source code review would help address concerns that Kaspersky might embed a backdoor in its software or software updates or be forced to do so on behalf of the Russian government, or that the software could contain vulnerabilities that would allow the Russian government or others to hijack it to spy on Kaspersky customers. (The NSA and its British counterpart GCHQ have, at least in the recent past, endeavored to hack and repurpose Kaspersky software for their own purposes.) The review of Kaspersky’s threat-detection rules would respond to concerns that the company could use silent signatures to pull any file from customer computers, not just malicious ones.
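To make concrete what a reviewer of threat-detection rules would be looking for, here is an added example (not Kaspersky's code or process) that parses a small, constructed set of YARA-style rules and flags the ones whose only criteria are plain-text keywords, since such a "silent signature" can match ordinary documents rather than malware. The parser, the rule names and the classification heuristic are all hypothetical and cover only the YARA subset used in the sample.

```python
import re

# Constructed sample rule set in YARA syntax; neither rule is Kaspersky's.
SAMPLE_RULES = r'''
rule Dropper_PE_Loader {
    strings:
        $mz  = { 4D 5A }
        $api = "VirtualAllocEx" ascii
    condition:
        $mz at 0 and $api
}
rule Doc_Keyword_Sweep {
    strings:
        $k1 = "TOP SECRET" ascii wide
        $k2 = "project codename" nocase
    condition:
        any of them
}
'''

# Minimal parser for the YARA subset above (hypothetical helper, not a full YARA grammar).
RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(\{[^}]*\}|"[^"]*"(?:\s+\w+)*|/[^/]*/)')
# Condition features that tie a rule to file structure or code rather than to plain text.
STRUCTURAL_RE = re.compile(r'\bat\s+\d+|uint\d+\(|filesize|\bpe\.|\bhash\.|\bmath\.')

def parse_rules(text):
    """Return a list of (name, {string_id: definition}, condition) tuples."""
    rules = []
    for name, body in RULE_RE.findall(text):
        strings_part, _, condition = body.partition('condition:')
        strings = dict(STRING_RE.findall(strings_part))
        rules.append((name, strings, condition.strip()))
    return rules

def classify(rule):
    """Heuristic: no byte pattern and no structural anchor means the rule can match ordinary documents."""
    _, strings, condition = rule
    has_bytes = any(v.startswith('{') for v in strings.values())
    has_anchor = STRUCTURAL_RE.search(condition) is not None
    return 'malware-indicator' if (has_bytes or has_anchor) else 'content-keyword-only'

def audit(text):
    """Map each rule name to its class so reviewers can focus on keyword-only rules."""
    return {rule[0]: classify(rule) for rule in parse_rules(text)}

if __name__ == '__main__':
    for name, verdict in audit(SAMPLE_RULES).items():
        print(f'{name}: {verdict}')
```

A real review would run the flagged rules against a corpus of benign documents to measure how many non-malicious files they would upload.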
And a secure control process for handling data and suspicious files collected from customer machines for analysis could also help ensure that the Russian government, or other threat actors, can’t intercept customer data while in transit from customer machines to Kaspersky’s network, or hack that network to obtain customer data and files after such material is collected.