EUGENE KASPERSKY, the co-founder of Kaspersky Lab, which is at the centre of US government security claims, has revealed further details about plans to have its software examined and audited in an independent code review.
However, the former deputy director of the US National Security Agency (NSA), Rick Ledgett, claims that this is not enough.
Kaspersky Lab said on Monday that it will ask independent parties to review its products in a process starting in the new year. The initiative is part of a bid to distance itself from allegations that it allows the Russian government to use its popular anti-virus software to conduct cyber espionage.
The company is planning to provide software regulation and review bodies with the source code of current and future products, working with “the broader information-security community and other stakeholders”, Kaspersky said in a statement.
In addition, the company will also give outside organisations access to other aspects of its business, including software development. These reviews will begin in the first quarter of next year.
It said the aim of this is to “verify the integrity” of its solutions and processes. The company’s products are used on around 400 million computers worldwide.
Kaspersky is calling this a “global transparency initiative”, although it hasn’t yet named the outside reviewers that it will employ. Instead, it said that it is working with parties that sport “strong credentials in software security and assurance testing for cyber-security products”.
Distancing itself from Russia, the company will open specialist centres throughout Asia, Europe and the United States. Here, customers, governments and other organisations will be able to access the results of the reviews.
And it’ll expand its independent security research programme, paying specialists as much as $100,000 if they find security vulnerabilities in its products.
However, writing today, Ledgett claimed that the initiative won’t address the core problem.
“On the face of it this sounds like a good move, but in reality it doesn’t address the alleged activity,” Ledgett claimed.
He continued: “When you download any anti-virus software and click on the very long end-user licence agreement, somewhere in there you agree to give that software access to all the files on your computer and all the files that will be sent to and from your computer…
“This all makes perfect sense for legitimate anti-virus companies, but it’s also a potential gold mine if misused. Instead of looking for signatures of malware, the software can be instructed to look for things like ‘secret’ or ‘confidential’ or ‘proprietary’ – literally anything the vendor desires. Any files of interest can be pulled back to headquarters under the pretext of analyzing potential malware.”
He concluded: “Eugene Kaspersky’s proposal to have experts analyze Kaspersky anti-virus code is irrelevant in this case, because the code is doing exactly what it has been designed to do, but in a way that is inconsistent with what customers expect and are paying for. It’s not the code itself, it’s the use of the code…
“If Eugene Kaspersky really wanted to assuage the fears of customers and potential customers, he would instead have all communications between the company’s servers and the 400 million or so installations on client machines go through an independent monitoring centre.
“That way evaluators could see what commands and software updates were going from Kaspersky headquarters to those clients and what was being sent back in response.”
Just last month, the use of Kaspersky products was banned throughout US government agencies amid fears that the company has been working with the Kremlin.
Despite this, the company has denied any involvement with the Russian government, adding that it doesn’t work with any governments in order to engage in espionage.
Co-founder Eugene Kaspersky said: “Internet balkanisation benefits no one except cybercriminals. Reduced cooperation among countries helps the bad guys in their operations, and public-private partnerships don’t work like they should.
“We need to re-establish trust in relationships between companies, governments and citizens. That’s why we’re launching this Global Transparency Initiative: we want to show how we’re completely open and transparent.”
He added that the company is ethical in its practices. “We’ve nothing to hide. And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”