It’s been a month already since the US Department of Commerce issued its Final Determination with regard to the sales and use of Kaspersky products by US persons. The agency’s decision, if you happen not to be aware of it, in general terms was to ban Kaspersky products – with a few exceptions for informational and educational products and services – from the market. The outcome is the following: users in the US can no longer access the cybersecurity software they choose based on quality and expertise.
Throughout its 27-year history, our company has always been recognized as supplying the best protection on the market from all kinds of cyberthreats – no matter where they come from. Here are a few examples: earlier this year our products once again received the Product of the Year award from a renowned independent testing lab; from year to year our solutions have been demonstrating 100% protection against the most significant threat – ransomware; and it’s Kaspersky’s threat research team – respected both by the global InfoSec community and our users – that discovers, analyzes, and most importantly reveals to the world the biggest and most sophisticated state-sponsored espionage campaigns.
So, what might be the reason for banning best-in-class cybersecurity solutions trusted by millions? Has the problem been defined clearly and objectively? Have you seen any evidence of those risks that the US government has been referring to for years? We haven’t either.
While having to deal with the outcomes of growing protectionism (and its hard-hitting effects) – like zero-evidence claims of misconduct, and accusations based purely on theoretical risks – we’ve been continuously developing a universal methodology for cybersecurity product assessment, while remaining ever true to our key principle: being maximally transparent and open about how we do our work.
We became the first and remain the only major cybersecurity company to provide third parties with access to our source code, and we also allow our stakeholders and trusted partners to check our threat-detection rules and software updates in an unparalleled goodwill gesture. For several years already we’ve had our Global Transparency Initiative in place – unique in its scope and practical value – which once again reflects our cooperative attitude and determination to address any potential concerns regarding how our solutions work. Nevertheless, we still faced apprehensiveness regarding the reliability of our products – usually stemming from external factors like geopolitical conjecture – and so we went the extra mile by suggesting an even more thorough framework, which would assess the integrity of our security solutions throughout their lifecycle.
What I’ll be describing below is a framework we’ve been proactively sharing with the parties expressing concerns about the credibility of Kaspersky solutions – including those in the United States government. We believe the framework is comprehensive enough to address the most commonly expressed concerns, and is capable of forming a dependable chain of trust.
The key pillars of the cybersecurity assessment methodology we’ve been presenting (which, incidentally, we believe has the potential to form the basis of an industry-wide methodology) include: (i) the localization of data processing, (ii) the review of data received, and (iii) the review of both the information and updates delivered to user machines (as part of software and threat-database updates). Just as within our Global Transparency Initiative, the strategy’s core aim is the engagement of an external reviewer for checking the company’s processes and solutions. What, however, is new about this methodology is both the extent and depth of such reviews. Let’s look into the details…
Data processing localization
The matter of data processing and storage has been one of the most sensitive, not only for Kaspersky, but for the entire cybersecurity industry. We frequently get reasonable questions about what data our products can process, how this data is stored and, most fundamentally, why we need this data. The key purpose of data processing for Kaspersky is providing our users and customers with the very best cybersecurity solutions: by gathering data on malicious and suspicious files that we detect on user machines, we can train our algorithms – teaching them how to detect new threats and contain their spread.
The framework we’ve been presenting also implies greater localization of data processing infrastructure, and implementation of technical and administrative controls restricting access to such processing infrastructure for employees outside a given country or region. We already implement such an approach in delivering our Managed Detection and Response (MDR) service in Saudi Arabia, and the same mechanisms have been suggested in our discussions with the US authorities to alleviate their concerns. These measures would ensure that local data is both stored and processed in a physical environment where ultimate control over the data rests with persons under the local jurisdiction, or that of a closely allied country as deemed appropriate by these persons. Just as with the above-mentioned steps, an independent third-party validator might be invited to review the effectiveness of the measures implemented.
Local data processing requires local threat analysis and the development of local malware detection signatures, and our methodology provides for just that. Data processing localization requires expansion of human resources to support local infrastructure, and we’re prepared to further build up our regional R&D and IT teams in given countries. Such teams would be exclusively responsible for supporting the processing of domestic data, managing local data center software, and analyzing malware to identify new APTs specific to the given region. This measure would also ensure there are more international experts involved in the development of future Kaspersky product lines – making our R&D even more decentralized.
Data retrieval process review
We protect the data we gather against potential risks using rigorous internal policies, practices, and controls; we never attribute data gathered to a specific individual or organization, we anonymize it wherever possible, and we also limit access to such data within the company and process 99% of it automatically.
To further mitigate any potential risks to the data of our customers, we’ve suggested engaging a third-party authorized reviewer to periodically review our data retrieval process. Such a real time reviewer would periodically assess data we receive with data analytics tools and data processing platforms to make sure no personally identifiable information or other protected data is being transferred to Kaspersky, and to confirm that data retrieved is used solely for the detection of and protection against threats, and is appropriately handled.
Review of updates and data delivered to user machines
As a next step on the product side, the mitigation framework would be provided for regular third-party reviews of our threat-database updates and product-related software code development to mitigate supply-chain risks for our customers. Importantly, the third-party would be an independent organization reporting directly to a local regulator. This would be on top of Kaspersky’s existing rigorous and secure software development process, which focuses on mitigating risks – including a scenario where there’s an intruder in the system – to ensure no one can add unauthorized code to our products or AV databases.
But to further enhance security guarantees, the engagement of an external real-time reviewer is intended to assess the security of the code developed by Kaspersky engineers, suggest improvements, identify potential risks, and then determine appropriate solutions.
One of the scenarios of how such a check of threat-database updates can be organized is depicted below:
It’s important to emphasize that the third-party review can be either blocking or non-blocking, conducted either on a regular basis or once a critical mass of updates/components for review is accumulated, as well as applied to all or just a selection of components. The most advanced review option proposed involves real-time blocking – enabling reviewers to fully control the code delivered to user machines. A blocking review would stop any code during the review process from getting into a product or updates – and therefore to Kaspersky’s customers.
This comprehensive review process could be further enhanced by requiring the reviewer’s signature on all updates delivered to user machines after the underlying code has been confirmed and built. This would ensure that the code wasn’t altered after being reviewed in real time.
The proposed review not only enables real-time verification of the security of newly developed code, but also provides access to the entire source code – including its history. This allows the reviewer to fully assess the newly developed code, understand its changes over time, and see how it interacts with other product components.
Such an absolute code review would also be accompanied with access to a copy of the company’s software build environment, which mirrors the one used in Kaspersky – including compilation instructions and scripts, detailed design documentation, and technical descriptions of the processes and infrastructure. Hence, the real-time reviewer could build/compile code independently and compare binaries and/or intermediate build objects to shipped versions. The reviewer would also be able to verify build infrastructure and software for changes.
In addition, a trusted independent third-party could be provided with access to the company’s software development practices. Such independent analysis would aim to provide further guarantees that Kaspersky’s applied measures and processes match leading industry practices. The access would cover all relevant security documentation – including but not limited to: defining security requirements, threat modeling, code review, static and dynamic code verification, penetration testing, etc.
The bottom line is that, in our judgement, the aforesaid strategy can address most ICT supply-chain risks relating to product development and distribution in an effective and verifiable manner. And as I mention above, these are in fact the mitigation measures we’ve submitted in a proposal for discussion to the US Department of Commerce – once again confirming our openness to dialogue and determination to provide the ultimate level of security assurances. However, our proposal was simply ignored. This leads me to believe that the reason is based on the Department’s preconceived ideas. It seems that instead of assessing our proposal for its effectiveness in addressing the risks, it was examined to find an excuse to reject it.
While we have to admit that once again we’re having to deal with an act of digital protectionism, I know for a fact that the world is in acute need of a global cybersecurity risk-management strategy. It’s crucial to be able to address the evolving threat landscape effectively and ensure a unified approach to managing cybersecurity risks across diverse IT security domains. This approach could also help prevent short-sighted decisions depriving millions of users of their freedom of choice regarding credible cybersecurity protection and the creation of artificial restrictions on the exchange of data among cybersecurity professionals. Let’s allow these experts to focus on their important work without the additional burden of geopolitics – whose influence only benefits cybercriminals.
In an interconnected world where cyberthreats transcend borders, a global strategy is vital for bolstering cybersecurity defenses, enhancing trust, and promoting a more secure digital ecosystem. Our framework opens the door to a discussion within the industry about what a universal supply-chain cybersecurity assessment should look like – with the ultimate goal of building a reliable shield of trust and, consequently, a safer world.
And finally, for those seeking answers regarding the drastic new limitations on their freedom of choice, don’t forget that you can – and should – still have your say, by asking your questions directly, here.
Leave a Reply