After months of taking intense heat after the U.S. government claimed Kaspersky Lab’s antivirus software was used for spying, the Russian security firm pushed back by announcing the launch of its Global Transparency Initiative.
To win back customer trust, the company’s source code will undergo independent review by Q1 2018. Threat detection rules and software updates will also be audited. Although the outside reviewers are not named, Kaspersky told Reuters “they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.”
Kaspersky’s new transparency initiative doesn’t stop there. The company also plans to open “transparency centers” in the U.S., Europe and Asia where government stakeholders and customers can “access reviews on the company’s code, software updates and threat detection rules.”
“We want to show how we’re completely open and transparent,” said Eugene Kaspersky, CEO of Kaspersky Lab. “We’ve nothing to hide. And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”
Kaspersky's Global Transparency Initiative
According to the press release, the “initial stage” of Kaspersky’s Global Transparency Initiative will include:
- The start of an independent review of the company’s source code by Q1 2018, with similar reviews of the company’s software updates and threat detection rules to follow.
- The commencement of an independent assessment of (i) the company’s secure development lifecycle processes, and (ii) its software and supply chain risk mitigation strategies by Q1 2018.
- The development of additional controls to govern the company’s data processing practices in coordination with an independent party that can attest to the company’s compliance with said controls by Q1 2018.
- The formation of three Transparency Centers globally, with plans to establish the first one in 2018, to address any security issues together with customers, trusted partners and government stakeholders. The centers will serve as a facility for trusted partners to access reviews on the company’s code, software updates, and threat detection rules, along with other activities. The Transparency Centers will open in Asia, Europe and the U.S. by 2020.
- The increase of bug bounty awards up to $100,000 for the most severe vulnerabilities found under the company’s Coordinated Vulnerability Disclosure program, to further incentivize independent security researchers to supplement our vulnerability detection and mitigation efforts, by the end of 2017.
In July, Kaspersky offered to turn over code for the U.S. government to audit. That offer did not stop the Department of Homeland Security (DHS) or the U.S. Senate from banning the software in September. A few weeks ago, unnamed officials claimed Israeli intelligence hacked Kaspersky and discovered Russian government hackers using the software to search for American secrets.
With the announcement of this new initiative, Kaspersky said, “Trust is essential in cybersecurity.” But the company “recognizes that trust is not a given; it must be repeatedly earned through an ongoing commitment to transparency and accountability.”
Various security professionals are weighing in with their opinions on whether the transparency initiative will be enough for Kaspersky to win back trust. Former NSA director Michael Hayden told Reuters that Kaspersky’s action is “a dramatic step forward, but not necessarily sufficient.”
Hi! We're evaluating contractors for independent code review. Will communicate this publicly when ready— Eugene Kaspersky (@e_kaspersky) October 23, 2017