Russian cybersecurity software maker Kaspersky Labs has announced it will be moving core infrastructure processes to Zurich, Switzerland, as part of a shift announced last year to try to win back customer trust.
It also said it’s arranging for the process to be independently supervised by a Switzerland-based third party qualified to conduct technical software reviews.
“By the end of 2019, Kaspersky Lab will have established a data center in Zurich and in this facility will store and process all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries to follow,” it writes in a press release.
“Kaspersky Lab will relocate to Zurich its ‘software build conveyer’ — a set of programming tools used to assemble ready to use software out of source code. Before the end of 2018, Kaspersky Lab products and threat detection rule databases (AV databases) will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide.
“The relocation will ensure that all newly assembled software can be verified by an independent organization, and show that software builds and updates received by customers match the source code provided for audit.”
In October the company unveiled what it dubbed a “comprehensive transparency initiative” as it battled suspicion that its antivirus software had been hacked or penetrated by the Russian government and used as a route for scooping up US intelligence.
Since then Kaspersky has closed its Washington D.C. office — after a ban on its products for U.S. government use which was signed into law by president Trump in December.
Being a trusted global cybersecurity firm and operating core processes out of Russia where authorities might be able to lean on your company for access has essentially become untenable as geopolitical concern over the Kremlin’s online activities has spiked in recent years.
Yesterday the Dutch government became the latest public sector customer to announce a move away from Kaspersky products (via Reuters) — saying it was doing so as a “precautionary measure”, and advising companies operating vital services to do the same.
Responding to the Dutch government’s decision, Kaspersky described it as “very disappointing”, saying its transparency initiative is “designed precisely to address any fears that people or organisations may have”.
“We are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing,” the company adds in a detailed Q&A about the measures. “This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends. Having said that, the overall aim of these measures is transparency, verified and proven, which means that anyone with concerns will now be able to see the integrity and trustworthiness of our solutions.”
The core processes that Kaspersky will move from Russia to Switzerland over this year and next — include customer data storage and processing (for “most regions”); and software assembly, including threat detection updates.
As a result of the shift it says it will be setting up “hundreds” of servers in Switzerland and establishing a new data center there, as well as drawing on facilities of a number of local data center providers.
Kaspersky is not exiting Russia entirely, though, and products for the Russian market will continue to be developed and distributed out of Moscow.
“In Switzerland we will be creating the ‘worldwide’ (ww) version of our products and AV bases. All modules for the ww-version will be compiled there. We will continue to use the current software build conveyer in Moscow for creating products and AV bases for the Russian market,” it writes, claiming it is retaining a software build conveyor in Russia to “simplify local certification”.
Data of customers from Latin American and Asia (with the exception of Japan, South Korea and Singapore) will also continue to be stored and processed in Russia — but Kaspersky says the list of countries for which data will be processed and stored in Switzerland will be “further extended, adding: “The current list is an initial one… and we are also considering the relocation of further data processing to other planned Transparency Centers, when these are opened.”
Whether retaining a presence and infrastructure in Russia will work against Kaspersky’s wider efforts to win back trust globally remains to be seen.
In the Q&A it claims: “There will be no difference between Switzerland and Russia in terms of data processing. In both regions we will adhere to our fundamental principle of respecting and protecting people’s privacy, and we will use a uniform approach to processing users’ data, with strict policies applied.”
However other pre-emptive responses in the document underline the trust challenge it is likely to face — such as a question asking what kind of data stored in Switzerland that will be sent or available to staff in its Moscow HQ.
On this it writes: “All data processed by Kaspersky Lab products located in regions excluding Russia, CIS, Latin America, Asian and African countries, will be stored in Switzerland. By default only aggregated statistics data will be sent to R&D in Moscow. However, Kaspersky Lab experts from HQ and other locations around the world will be able to access data stored in the Transparency Center. Each information request will be logged and monitored by the independent Swiss-based organization.”
Clearly the robustness of the third party oversight provisions will be essential to its Global Transparency Initiative winning trust.
Kaspersky’s activity in Switzerland will be overseen by an (as yet unnamed) independent third party which the company says will have “all access necessary to verify the trustworthiness of our products and business processes”, including: “Supervising and logging instances of Kaspersky Lab employees accessing product meta data received through KSN [Kaspersky Security Network] and stored in the Swiss data center; and organizing and conducting a source code review, plus other tasks aimed at assessing and verifying the trustworthiness of its products.
Switzerland will also host one of the dedicated Transparency Centers the company said last year that it would be opening as part of the wider program aimed at securing customer trust.
It expects the Swiss center to open this year, although the shifting of core infrastructure processes won’t be completed until Q4 2019. (It says on account of the complexity of redesigning infrastructure that’s been operating for ~20 years — estimating the cost of the project to be $12M.)
Within the Transparency Center, which Kaspersky will operate itself, the source code of its products and software updates will be available for review by “responsible stakeholders” — from the public and private sector.
It adds that the details of review processes — including how governments will be able to review code — are “currently under discussion” and will be made public “as soon as they are available”.
And providing government review in a way that does not risk further undermining customer trust may also provide a tricky balancing act for Kaspersky, given multi-directional geopolitical sensibilities, so the devil will be in the policy detail vis-a-vis “trusted” partners and whether the processes it deploys can reassure all of its customers all of the time.
“Trusted partners will have access to the company’s code, software updates and threat detection rules, among other things,” it writes, saying the Center will provide these third parties with: “Access to secure software development documentation; Access to the source code of any publicly released product; Access to threat detection rule databases; Access to the source code of cloud services responsible for receiving and storing the data of customers based in Europe, North America, Australia, Japan, South Korea and Singapore; Access to software tools used for the creation of a product (the build scripts), threat detection rule databases and cloud services”; along with “technical consultations on code and technologies”.
It is still intending to open two additional centers, one in North America and one in Asia, but precise locations have not yet been announced.
On supervision and review Kaspersky also says that it’s hoping to work with partners to establish an independent, non-profit organization for the purpose of producing professional technical reviews of the trustworthiness of the security products of multiple members — including but not limited to Kaspersky Lab itself.
Which would certainly go further to bolster trust. Though it has nothing firm to share about this plan as yet.
“Since transparency and trust are becoming universal requirements across the cybersecurity industry, Kaspersky Lab supports the creation of a new, non-profit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join,” it writes on this.
Next month it’s also hosting an online summit to discuss “the growing need for transparency, collaboration and trust” within the cybersecurity industry.
Commenting in a statement, CEO Eugene Kaspersky, added: “In a rapidly changing industry such as ours we have to adapt to the evolving needs of our clients, stakeholders and partners. Transparency is one such need, and that is why we’ve decided to redesign our infrastructure and move our data processing facilities to Switzerland. We believe such action will become a global trend for cybersecurity, and that a policy of trust will catch on across the industry as a key basic requirement.”