Why the bloody hell should you trust Kaspersky Labs? (opinion)

Kaspersky

In December 2017 President Donald Trump signed legislation banning the use of Kaspersky Labs cybersecurity products. It applies to all U.S. government civilian and military agencies.

The justification was that the Moscow-based cybersecurity firm could be vulnerable to Kremlin influence.

Kaspersky Labs appealed and lost. GadgetGuys’ coverage is here.

Kaspersky Labs (Australian website here) invited media to a briefing in Sydney.

For the record, GadgetGuy has no fixed positive or negative perceptions on Kaspersky Labs. That includes its founder Eugene, its alleged KGB/FSB links or its products.

In fact, Eugene and Kaspersky Labs have been nothing but helpful and open since we started reporting on the company in the 90s. Perhaps that colours our view a little.

Back to the question – Why the bloody hell should you trust Kaspersky Labs?

You should not. You should not trust any company, especially one that has system level access to computing devices! Trust is earned. We will come to that later.

Kaspersky Labs says the issue is geopolitically motivated. Its US Government and Military software business was less than $50,000. A paltry sum.

The US actions are akin to the Russian government banning Symantec or McAfee on similar unsubstantiated grounds. Hey, throw enough mud, some sticks.

The company is not suggesting a vendetta (although there may well be)

It says a prime justification used is that founder Yevgeny Valentinovich Kaspersky born 1965

  • Went to The Technical Faculty of the KGB Higher School, that prepared intelligence officers for the Russian military and KGB.
  • Was a member of the Communist Party.
  • Did national military service.
  • Served the Soviet military intelligence service as a software engineer.
  • Met his first wife Natalya Kaspersky at Severskoye, a KGB vacation resort, in 1987.
  • Lives in Russia and is a Ruskie.

More cold war mongering – better dead than red stuff. But if you lived in the period 1945-1991 then the US fear of communists, socialists and Russia was pretty well ingrained.

OK, Eugene drank the KGB Kool-Aid. I know lots of Aussies that went to government-run schools; had government-funded higher education; did national service; worked in the public service; joined a political party or were union reps; and became political apparatchiks. In fact, much of Australia’s government resembles that.

Kaspersky presents a highly visible and convenient target. His only crime is that he was good at maths, born in Russia and been successful in building a top-five cybersecurity company.

Do we also point the bone at the thousands of cybersecurity engineers because they were part of the Israeli secret Unit 8200 or leaned security coding at one of the many US, European or even Australian cyber terrorism units?

Kaspersky Labs has initiated a ‘World Transparency Tour’ to explain its view

Moscow-based Anton Shingarev, Vice President for Public Affairs and head of the CEO office spoke to the media conference. Stephan Neumeier Managing Director, Kaspersky Lab, APAC put a local perspective on the issues.

As part of its Global Transparency Initiative, Kaspersky Lab is adapting its infrastructure to move several core processes from Russia to Switzerland. This includes

  • Customer data storage and processing for most regions.
  • The opening of the first Transparency Centre.
  • Software assembly, including threat detection updates to prove the code is clean.
  • Supervision by an independent third party based in Switzerland.

The customer data comes from 400+ million endpoints. Users opt to share it with the Kaspersky Security Network (KSN). This is an advanced, cloud-based AI/ML system that processes cyberthreat-related data.

The software assembly issue is interesting. It is a ‘software build conveyer’ – a set of programming tools used to assemble ready-to-use software from source code. By the end of 2018, assembly and signing of Kaspersky Lab products and threat detection rule databases will have a Swiss digital signature. The software will be verified by an independent organisation to show that software builds, and updates received by customers match the source code provided for audit.

The source code of Kaspersky Lab products and software updates will be available for review by in a dedicated Transparency Centre.

Kaspersky hopes these measures will enable it to earn the trust that it needs to survive and thrive again.

Shingarev made some very good points.

First, no country should put at risk its critical infrastructure by using any security software that has not been thoroughly vetted and produced by a ‘friendly’ company. Does the US have such relationships? You bet.

Second, like all reputable security companies, Kaspersky Labs must cooperate with law enforcement and others with legitimate interests. If that means the FBI, CIA, Homeland, KGB, FSB, Europol, Scotland Yard or more then so be it. The Global Transparency Initiative to isolate data in Switzerland adds an extra layer of protection that other cybersecurity companies do not have.

Third, if you have nothing to hide you have no more worries about Kaspersky than using Amazon or any other cloud-based product. In fact, do not connect to the internet if you want to be secure. So, unless you are running critical infrastructure, then Kaspersky is as safe as it gets.

Finally, Kaspersky focuses on consumer, small business, corporate and enterprise (1000+ seats). It has won masses of cybersecurity awards. Nothing will stop them from detecting and preventing even state-sponsored malware from infecting its clients.

GadgetGuy’s take. A PR stunt or a sincere move to clear Kaspersky Labs name

Kaspersky Labs is ‘damned if it does, and damned if it does not’ try to clear its name. It is classic PR crisis management. Faced with this desperate situation, it could have done nothing, got on with business and tried to starve the oxygen from the fire. Or it could have reacted as it has.

On the one hand, critics are saying ‘Methinks thou doth protest too much’. But I can’t help but feel that it is also Eugene Kaspersky’s ‘personal’ moral response to the scurrilous treatment of him and his company. I think the response is sincere.