The year so far has been a punishing one for security firm Kaspersky. Continued clashes with US authorities have led the company to change tactics and turn to damage control. The embattled company held a conference in Zurich, Switzerland, on Tuesday, November 12, 2018, called the Transparency Summit, in a bid to convince the public that it is a firm to be trusted. The summit highlighted the development of the company’s Global Transparency Initiative (GTI), announced in May of this year, which has resulted in the company moving operations from Moscow to Zurich, with planned centers set for establishment across the globe. The summit also warned of the emergence of what Kaspersky calls “Tech Nationalism.” The summit and the transparency initiative are the culmination of events that started with an article published in the Wall Street Journal in late 2017.
The article claimed that the Russian government was able to steal sensitive information relating to the US National Security Agency (NSA) by infiltrating a contractor's PC through Kaspersky Lab's antivirus software. The article further said that the incident occurred in 2015, when an NSA contractor transferred confidential files to their home machine. Claims emerged that Kaspersky has been used by the Kremlin for covert cyber espionage activities against other nations, a claim the firm has vigorously denied.
The investigation that followed the incident revealed that the Kaspersky anti-virus software did indeed analyze the PC in question, which is what the software is designed to do, and came across a malicious .zip file. The file contained hacking tools later connected to the NSA. Kaspersky asserts that the file was removed from Kaspersky's malware repository and any other systems involved. Further, Kaspersky denies giving any third party or government access to the code.
The incident marked a ramping up of tensions between the US and Russian governments, and those tensions have not eased in any discernible way. While the war of words and indictments was underway, software developed by Kaspersky was banned from use by US federal agencies by the DHS, and the Trump Administration removed the company's products from the US General Services Administration's (GSA) approved vendor lists. It was these events that forced the company into a reputational battle.
Kaspersky’s Global Transparency Initiative
The damage control instituted by the firm included moving operations from Moscow to Zurich and developing plans to create other data centers in Asia and North America, depending on the initial success of the plan. That was just one phase of the plan. Another involved the Global Transparency Initiative (GTI), which at its core will allow stakeholders access to all requests. Not only will stakeholders be able to view requests, but they will also be able to review the company's code, software updates, logs, and threat detection rules, alongside other information. An external auditor will also be employed to audit the company's development lifecycle processes, source code, and supply chain risk mitigation strategies. The cost of the entire project is estimated to be roughly 12 million USD, and if it is successful, the hope is that other tech industries will follow.
Eugene Kaspersky shared his views on the program, stating,
“Transparency is becoming the new normal for the IT industry and for the cybersecurity industry in particular…We are proud to be on the front line of this process. As a technological company, we are focused on ensuring the best IT infrastructure for the security of our products and data, and the relocation of key parts of our infrastructure to Switzerland places them in one of the most secure locations in the world.”
Further, he went on record to say,
“This is a prototype and this project will become standard not just for the cybersecurity industry but for all IT industries. How much we are going to do depends on the needs and requests of Switzerland and the EU.”
While GTI was established to rebuild trust between Kaspersky and its current and future customers, the ramifications will go far deeper. As the Internet becomes a battleground fought over by legislators, domestic rules such as the EU's General Data Protection Regulation (GDPR), the UK's snooper's charter, and China's surveillance bill will fragment the web and data processing, and there will be another side effect: how trustworthy an IT company is will become, and probably already has become, woven into the political landscape.
The Spectre of Tech Nationalism
Anton Shingarev, VP for Public Affairs at Kaspersky, believes that the legislative efforts are “designed to build walls around a country to protect its systems” and that we “live in the age of technological nationalism which is a global trend.” Shingarev argues that this form of nationalism is making it far harder for foreign companies to tap into domestic markets, while local companies are given the upper hand. Viewed in this light, GTI is also an attempt to combat this form of nationalism.
When all things are considered together, Kaspersky’s move to a historically neutral country like Switzerland takes on a new meaning. By moving out of Moscow, Kaspersky is free of the political pressure caused by the Kremlin in relation to alleged global hacking efforts. Neutral Switzerland is far more appealing to customers and, more importantly, regulators. To that effect, Shingarev said that “staying far away from politics is the only way for a cybersecurity company to survive and be successful.” It will be interesting to see if other security firms follow suit in future.