Russia-based Antivirus firm hits back with what it calls a “comprehensive transparency initiative,” to allow independent third-party review of its source code and internal processes to win back the trust of customers and infosec community.
Kaspersky launches this initiative days after it was accused of helping, knowingly or unknowingly, Russian government hackers to steal classified material from a computer belonging to an NSA contractor.
Earlier this month another story published by the New York Times claimed that Israeli government hackers hacked into Kaspersky’s network in 2015 and caught Russian hackers red-handed hacking US government with the help of Kaspersky.
US officials have long been suspicious that Kaspersky antivirus firm may have ties to Russian intelligence agencies.
Back in July, the company offered to turn over the source code for the U.S. government to audit.
However, the offer did not stop U.S. Department of Homeland Security (DHS) from banning and removing Kaspersky software from all of the government computers.
In a blog post today the company published a four-point plan:
- Kaspersky will submit its source code for independent review by internationally recognised authorities, starting in Q1 2018.
- Kaspersky also announced an independent review of its business practices to assure the integrity of its solutions and internal processes.
- Kaspersky will establish three transparency centres in next three years, “enabling clients, government bodies & concerned organisations to review source code, update code and threat detection rules.”
- Kaspersky will pay up to $100,000 in bug bounty rewards for finding and reporting vulnerabilities in its products.
“With these actions, we will be able to overcome mistrust and support our commitment to protecting people in any country on our planet.” Kaspersky’s CEO Eugene said.
However, infosec experts’ twitter commentary shows that the damage has already been done.
“Code review is absolutely meaningless. All Russian intelligence need is an access to KSN, Kaspersky’s data lake which is a treasure trove of data. Even open sourcing the entire product won’t reveal or even help with revealing that.” Amit Serper, the security researcher at Cybereason, tweeted.
Now it is important to see whether these actions will be enough to restore the confidence of US government agencies in Kaspersky or the company will be forced to move its base out of Russia.