Information security firm Kaspersky Lab is to provide source code for third-party review, as part of the company’s newly-announced Global Transparency Initiative.
The move comes in the wake of a ban on the use of Kaspersky Lab’s software in US government systems and media reports of Russian hackers using the company’s antivirus software to search for classified US government documents.
The company said the initiative is part of its “commitment to protect customers from cyber threats, regardless of their origin or purpose” and that Kaspersky Lab will engage the broader information security community and other stakeholders in validating and verifying the trustworthiness of its products, internal processes, and business operations.
Kaspersky Lab said it will also introduce additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly.
“Because of the frenetic pace of both ICT [information and communication technology] deployment and the expansion of the threat landscape, Kaspersky Lab believes that increased co-operation to protect cyber space is more crucial than ever,” the company said in a statement.
“Trust is essential in cyber security, and therefore trust should be the foundation of any collaboration among those seeking to secure individuals, organisations and enterprises from cyber threats. However, Kaspersky Lab also recognises that trust is not a given; it must be repeatedly earned through an ongoing commitment to transparency and accountability.”
According to Kaspersky Lab, the transparency initiative is a “reaffirmation of the company’s commitment to earning and maintaining the trust of their customers and partners every day”. “The company has never taken this trust for granted, but it wants to strive for continuous improvement in every way it can,” the statement said.
The initial phase of Kaspersky Lab’s Global Transparency Initiative will include:
- The start of an independent review of the company’s source code by Q1 2018, with similar reviews of the company’s software updates and threat detection rules to follow;
- The commencement of an independent assessment of the company’s secure development lifecycle processes, and its software and supply chain risk mitigation strategies by Q1 2018;
- The development of additional controls to govern the company’s data processing practices in co-ordination with an independent party that can attest to the company’s compliance with said controls by Q1 2018;
- The formation of three Transparency Centres in Europe, Asia and the US by 2020, with plans to establish the first one in 2018, to address any security issues together with customers, trusted partners and government stakeholders;
- The increase of bug bounty awards up to £75,000 ($100,000) for the most severe vulnerabilities found under the company’s Co-ordinated Vulnerability Disclosure programme.
Kaspersky Lab said it will engage with its stakeholders and the information security community to determine what the next phase of the initiative, commencing in the second half of 2018, should include.
Eugene Kaspersky, chairman and CEO of Kaspersky Lab, said: “Internet balkanisation benefits no one except cyber criminals. Reduced co-operation among countries helps the bad guys in their operations, and public-private partnerships don’t work like they should.
“The internet was created to unite people and share knowledge. Cyber security has no borders, but attempts to introduce national boundaries in cyberspace are counterproductive and must be stopped.
“We need to re-establish trust in relationships between companies, governments and citizens. That’s why we’re launching this Global Transparency Initiative: we want to show how we’re completely open and transparent. We’ve nothing to hide.
“And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”