Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review

Exclusive Despite the Feds' determination to ban Kaspersky's security software in the US, the Russian business continues to push its proposal to open up its data and products to independent third-party review – and prove to Uncle Sam that its code hasn't been and won't be compromised by Kremlin spies.

Kaspersky started talking about this proposed "comprehensive assessment framework" to verify its security products, software updates, and threat detection rules a week ago, in hope that the plan would convince the US government to reverse its ban on Kaspersky software on national security grounds.

The Moscow-based biz has now exclusively provided additional details to The Register about the verification system it presented to the US Department of Commerce, a system it hoped would demonstrate that its code is not under Putin's control.

Uncle Sam has, Kaspersky says, so far snubbed the proposals from the antivirus provider. The Department of Commerce declined to answer The Register's questions on the matter. Kaspersky is not giving up, and still hopes to make its case.

The proposed framework, which the antivirus maker says builds on its earlier Global Transparency Initiative, "can address most ICT supply chain risks relating to product development and distribution in an effective and verifiable manner," according to the company's namesake and CEO Eugene Kaspersky in a blog post shared with The Register prior to its publication today.

"These are in fact the mitigation measures we've submitted in a proposal for discussion to the US Department of Commerce – once again confirming our openness to dialogue and determination to provide the ultimate level of security assurances," Kaspersky continued in his missuve.

"However, our proposal was simply ignored."

It's the latest salvo by the embattled Russian antivirus maker since the Commerce Department made its decision to prohibit Kaspersky products last month.

This is a road Washington has been traveling down for years now. Kaspersky's 2017 Global Transparency Initiative, which opened up the infosec company's source code to third-party review, was in response to an earlier ban of Kaspersky tech on US government systems. 

American authorities say they fear the Kremlin will somehow use Kaspersky's code to snoop on US computers and their users. When asked what evidence American agencies have presented to the Russian firm to support these claims that its products pose a national security risk, Kaspersky VP of Public Affairs Yuliya Shlychkova said: "There is no evidence of wrongdoing."

"We do see trends of digital protectionism," she told The Register in an exclusive interview. "We do see trends of 'Made in' software, which is not necessarily best because not all countries have good, domestic antivirus [tools]."

"Therefore, we continue to advocate for a technical-based, evidence-based approach to evaluate trustworthiness" of cybersecurity products, Shlychkova continued. "And we have been sharing these principles, this framework with different regulators," most recently those in the Commerce Department, Shlychkova added.

The proposed framework includes three pillars, the first of which involves the localization of data processing.

"Localize it in the US, and also ensure that there is a strict access policy that no one can access this data from any other countries, even employees of Kaspersky from other countries cannot access this data," Shlychkova said.

More broadly, this step is meant to ensure that any data accessible to Kaspersky is stored and processed solely in a particular region – for example, the US. And then anyone from another country or region deemed inappropriate – let's say in Russia – can't access the data or the infrastructure used to process and store the information.

Kaspersky says it already does this with its managed detection and response (MDR) service in Saudi Arabia and Brazil. According to Shlychkova, the antivirus maker suggested similar processes in the US in its response to the Commerce Department.

An independent third party, selected by and reporting to in-country regulators, would then verify that these measures were implemented, the firm suggested.

Localized data processing also requires local threat analysis and malware detection signatures, both of which the developer says its tech can provide. It also requires more regional R&D and IT teams, plus local datacenters, infrastructure, software, and the like in countries that choose this method.

Given that the Feds halted sales of new Kaspersky contracts on July 20, and set a deadline of September 29 to stop updates to existing customers, it's unlikely that Uncle Sam is going to reverse course in the near future.

While pledging to continue pursuing legal options, the Kaspersky has begun closing its American operations and eliminating US-based jobs.

The second pillar – the review of data received – would also be subject to validation by the regulator-approved reviewer to ensure, in real time, that the data Kaspersky products ingest is not transferring any personally identifiable information or other protected data to the company (or the Kremlin), and ensure all of this data is being used for its intended, lawful purpose.

"It's important that it's a two-way stream," Shlychkova added. "One way is what data is being sent to Kaspersky solutions, and another stream is what data is being pushed from Kaspersky solutions towards users, and both streams are being checked by the third-party reviewers."

To this end, the third pillar involves the independent reviewer checking Kaspersky's threat database updates and product-related software code development to ensure that these updates and data being sent to user machines don't pose any risks, national security-related or otherwise.

"And this third pillar is the most technically advanced measure, and really unprecedented because we are processing more than 400,000 files per day," Shlychkova claimed.

These proposals are not limited to the United States: Kaspersky wants to offer this to Europe as well, and also ultimately convince America to reverse course, we understand.

Implementing this framework is "a long process" due to different regulatory environments in various countries, and will require significant advocacy and investment," she said. "There definitely needs to be a formal blessing from regulators to set up this whole system – we are only at the start of this process." ®