Kaspersky Lab to open software to review, says nothing to hide despite US security concerns
Moscow-based Kaspersky Lab said on Monday it will ask independent parties to review the security of its anti-virus software, which the US government has said could jeopardise national security, citing concerns over Kremlin influence and hijacking by Russian spies.
Kaspersky, which research firm Gartner ranks as one of the world’s top cybersecurity vendors for consumers, said in a statement that it would submit the source code of its software and future product updates for review by a broad cross-section of computer security experts and government officials.
It also vowed to have outside parties review other aspects of its business, including software development. Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year, it said.
Kaspersky did not name the outside reviewers, but said they would have strong software security credentials and be able to conduct technical audits, source code reviews and vulnerability assessments.
US President Donald Trump’s administration last month barred government agencies from using Kaspersky Lab anti-virus products.
The world’s top cybersecurity experts are divided over whether Russian intelligence hijacked Kaspersky software without its knowledge or whether the firm or one of its employees was complicit.
Israeli intelligence officials said they had found Russian government hackers using Kaspersky anti-virus software to steal spy secrets from the US National Security Agency, according to reports this month in major US media.
Kaspersky has repeatedly denied those allegations, saying it has not helped Russia or other governments engage in espionage and that it is simply caught up in a wider geopolitical spat between Moscow and Washington following allegations Russian hackers interfered in last year’s US elections.
The Kremlin also denies the allegations.
US cybersecurity experts and former officials said the move by Kaspersky to open its software up for expert review could help alleviate concerns about future security gaps, but that the company had a lot of work to do to restore confidence.
Former NSA director Michael Hayden called Kaspersky’s action “a dramatic step forward, but not necessarily sufficient.”
Rodney Joffe, senior vice-president at online identity management firm Neustar and an adviser to the US Federal Communications Commission, said Kaspersky must show it has fixed all existing vulnerabilities, not just guarded against new ones.
“A good start would be a release of the source code for the products already out there, that matches the actual installed code base,” Joffe said.
The company said it would open “transparency centres” in Asia, Europe and the United States where customers, governments and others can access results of the outside reviews and discuss any concerns about the security of Kaspersky products.
It also said it would expand a programme where it pays independent security researchers to find security vulnerabilities in its products, boosting the maximum award size to US$100,000 from US$5,000.
But the company’s critics remained sceptical. Democratic Senator Jeanne Shaheen, who led calls in the US Congress to purge Kaspersky software from government networks, said in a statement that the review was “a red herring that doesn’t address any of the fundamental underlying concerns with Kaspersky products,” including Russian law that allows the Kremlin to monitor data transmissions.
