Moscow-based cybersecurity firm Kaspersky Lab, battered by suspicion of Russian government influence, wants to reassure customers by opening up its software’s underlying code for outside review. But security experts and some US politicians say the move is mostly meaningless.
In September, the US government barred federal agencies from using Kaspersky’s anti-virus products because of concerns about its ties to the Kremlin and Russian spy operations. News reports have since linked Kaspersky software to an alleged theft of cybersecurity information from the US National Security Agency. The company has repeatedly denied the allegations and says it’s been dragged into the middle of a “geopolitical fight.”
Now Kaspersky says it will provide the source code of its software — including software updates and threat-detection rule updates — for independent review and assessment. Outside experts, however, say such a review can only reveal so much, and thus would do little to address the concerns of customers and the US government.
“They’re trying to salvage their reputation,” said Blake Darche, a former NSA worker who is now chief security officer for security firm Area 1. “I don’t see how it addresses the allegations against them in any meaningful way.”
“This review is a red herring that doesn’t address any of the fundamental underlying concerns with Kaspersky products, most significantly, that Russian law enables the Kremlin to monitor data transmissions, including Kaspersky’s,” US Senator Jeanne Shaheen, a New Hampshire Democrat and regular Kaspersky critic, said in a statement Monday.
The suspicion has taken a toll on Kaspersky. Shortly after the federal ban, retailers such as Best Buy and Office Depot also stopped selling its consumer security software. Then news broke in early October that hackers allegedly working for the Kremlin used Kaspersky’s software to steal information from a National Security Agency contractor about how the US infiltrates foreign networks and defends against cyberattacks. The company denied involvement.
CEO Eugene Kaspersky said on Twitter on Monday that he's evaluating contractors who can conduct an independent code review. By 2020, the company says it plans to open three centers in Europe, Asia and the United States where it says customers, government agencies and concerned organizations will also be able to review its code.
Security researcher Chris Wysopal said he welcomed multiple, independent reviewers, but cautioned that such analyses can provide only a snapshot of how the software works at a given moment in time. Like phone apps and other programs, security software is frequently updated.
“Even with this transparency, there’s still a level of trust you have to give the company,” said Wysopal, the chief technology officer of Veracode, a part of CA Technologies. “But this is a world we live in. There’s a supply chain. We live in a world of dynamic software, constantly updating.”