Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review
- Reference: 1721908874
- News link: https://www.theregister.co.uk/2024/07/25/kaspersky_us_review_snub/
- Source link:
Kaspersky started [1]talking about this new "comprehensive assessment framework" to verify its security products, software updates, and threat detection rules a week ago, and exclusively provided additional details to The Register about the verification system it presented to the US Department of Commerce.
Uncle Sam, Kaspersky says, snubbed the proposal from the antivirus provider. The Department of Commerce did not respond to The Register 's questions on the matter.
[2]
The plan, which the company says builds on its earlier [3]Global Transparency Initiative , "can address most ICT supply chain risks relating to product development and distribution in an effective and verifiable manner," according to the company's namesake and CEO, Eugene Kaspersky, in a blog post shared with The Register .
[4]
[5]
"These are in fact the mitigation measures we've submitted in a proposal for discussion to the US Department of Commerce – once again confirming our openness to dialogue and determination to provide the ultimate level of security assurances," Kaspersky continued. "However, our proposal was simply ignored."
It's the latest salvo by the embattled Russian antivirus maker since the Commerce Department made its decision to [6]prohibit Kaspersky products last month.
[7]
This is a road that Washington has been traveling down for years now. The 2017 Global Transparency Initiative, which opened up the security company's source code to third-party review, was in response to an earlier [8]ban of Kaspersky tech on US government systems.
When asked what evidence American agencies have presented to the Russian firm to support its claims that the products pose a national security risk, Kaspersky VP of Public Affairs Yuliya Shlychkova said: "There is no evidence of wrongdoing."
"We do see trends of digital protectionism," she told The Register in an exclusive interview. "We do see trends of 'Made in' software, which is not necessarily best because not all countries have good, domestic antivirus [tools]."
[9]
"Therefore, we continue to advocate for a technical-based, evidence-based approach to evaluate trustworthiness" of cybersecurity products, Shlychkova continued. "And we have been sharing these principles, this framework with different regulators," most recently those in the Commerce Department, Shlychkova added.
This new framework includes three "pillars," the first of which involves the localization of data processing.
"Localize it in the US, and also ensure that there is a strict access policy that no one can access this data from any other countries, even employees of Kaspersky from other countries cannot access this data," Shlychkova said.
More broadly, this step is meant to ensure that local data is stored and processed in a physical environment in a particular region – for example, the US. And then anyone from another country or region deemed inappropriate – let's say, in Russia – can't access the data or the infrastructure used to process and store it.
Kaspersky says it already does this with its managed detection and response (MDR) service in Saudi Arabia and Brazil. According to Shlychkova, the company suggested similar processes in the US in its response to the Commerce Department.
An independent third party, selected by and reporting to in-country regulators, would then verify that these measures were implemented, suggested the firm.
Localized data processing also requires local threat analysis and malware detection signatures, both of which the company says its tech can provide. It also requires more regional R&D and IT teams, plus local datacenters, infrastructure, software, and the like in countries that choose this method.
Given that the Feds halted sales of new Kaspersky contracts on July 20, and set a deadline of September 29 to stop updates to existing customers, it's unlikely that Uncle Sam is going to reverse course in the near future.
While pledging to continue pursuing legal options, the company has begun [10]closing its American operations and eliminating US-based jobs.
[11]Kaspersky challenges US government to put up or shut up about Kremlin ties
[12]Kaspersky gives US customers six months of free updates as a parting gift
[13]Kaspersky culls staff, closes doors in US amid Biden's ban
[14]From network security to nyet work in perpetuity: What's up with the Kaspersky US ban?
The Cell
Back in 2010, the Huawei Cyber Security Evaluation Centre (HCSEC) – also known as The Cell – was set up in Banbury, Oxfordshire, to inspect all Huawei hardware and software used in the UK's critical networking infrastructure for vulns and backdoors.
The team assessed the gear for potential risks to the UK's national infrastructure – with the unit run by British spies in GCHQ with a UK government-run oversight board. The idea was it would inspect source code from Huawei and, among other things, build binary equivalent images for firmware in devices used in the UK's national comms infrastructure.
The last annual report, [15]published in 2021 , said the [16]company had made "no overall improvement" on firmware security but wouldn't say why. The unit hasn't produced a report since 2021, a move some of the UK's ministers have criticized for lacking " [17]transparency ." The UK government put in place an order to remove Huawei equipment from Britain's 5G networks by 2027, an order many telcos are struggling with, as indeed are their [18]counterparts in the US .
Huawei continues to deny that its kit is compromised by backdoors or that it is beholden to the Beijing government.
The second pillar – the review of data received – would also be subject to validation by this regulator-approved reviewer to ensure, in real time, that the data Kaspersky products ingests are not transferring any personally identifiable information or other protected data to the company (or the Kremlin), and ensure all of this data is being used for its intended, lawful purpose.
"It's important that it's a two-way stream," Shlychkova said. "One way is what data is being sent to Kaspersky solutions, and another stream is what data is being pushed from Kaspersky solutions towards users, and both streams are being checked by the third-party reviewers."
To this end, the third pillar involves the independent reviewer checking Kaspersky's threat database updates and product-related software code development to ensure that these updates and data being sent to user machines don't pose any risks, national security-related or otherwise.
"And this third pillar is the most technically advanced measure, and really unprecedented because we are processing more than 400,000 files per day," Shlychkova claimed.
Implementing this framework is "a long process" due to different regulatory environments in various countries, and will require significant advocacy and investment," she said. "There definitely needs to be a formal blessing from regulators to set up this whole system – we are only at the start of this process." ®
Get our [19]Tech Resources
[1] https://www.theregister.com/2024/07/18/kaspersky_us_government/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqJ2q0oNkbdkUgDzsMCoggAAAEk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2017/10/23/kaspersky_source_code_review/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqJ2q0oNkbdkUgDzsMCoggAAAEk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqJ2q0oNkbdkUgDzsMCoggAAAEk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/06/20/us_bans_kaspersky_software/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqJ2q0oNkbdkUgDzsMCoggAAAEk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2017/09/13/homeland_security_bans_kaspersky_products/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqJ2q0oNkbdkUgDzsMCoggAAAEk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2024/07/15/kasperky_us_operations/
[11] https://www.theregister.com/2024/07/18/kaspersky_us_government/
[12] https://www.theregister.com/2024/07/17/kaspersky_goodbye_gift/
[13] https://www.theregister.com/2024/07/15/kasperky_us_operations/
[14] https://www.theregister.com/2024/06/22/kaspersky_kettle/
[15] https://www.theregister.com/2021/07/20/huawei_hcsec_oversight_report_muted_criticism/
[16] https://www.theregister.com/2021/07/20/huawei_hcsec_oversight_report_muted_criticism/
[17] https://www.telegraph.co.uk/business/2023/06/25/ministers-accused-huawei-security-report/
[18] https://www.theregister.com/2024/07/11/fcc_warns_yet_again_of/
[19] https://whitepapers.theregister.com/
Re: Umm, why does he need US Government approval ?
Because he doesn't want to publish the code, he wants just the US government to see it so that they stop saying it's unsafe.
Re: Umm, why does he need US Government approval ?
I think you are reading it wrong.
They had been told they would be banned from the US on the basis of national security, kasperskey offered to have their code reviewed by a third party from themselves and the government.
Apparently the offer was snubbed and now kasperskey are making it known what happened.
Thusly, it is being shown that the US are isolationist, fearful of other countries capabilities and rather than work on themselves, even when offered to have it done for them by an independent party. It shows nation lever cowardice.
They know they are wrong, have been given an out, refused and now are being presented as the schizophrenic paranoid nation they are.
Re: Umm, why does he need US Government approval ?
It's pointless to review a snapshot of the code, isn't it? It can be as clean as a whistle today and a steaming pile of malware tomorrow - or even a steaming pile of oops-sorry-I-clicked-on-the-wrong file, as we saw earlier in the week. So unless Kaspersky are going to embed US Gov in the code change and update lifecyle the offer's worth nothing.
Re: Umm, why does he need US Government approval ?
"So unless Kaspersky are going to embed US Gov in the code change and update lifecyle the offer's worth nothing."
Huawei already did this in the UK, granting UK GovCo (along with representatives of other nations) full access to their development code - and yet still the politicians snubbed them. When you're dealing with politics, logic goes right out the window.
Re: the schizophrenic paranoid nation they are
Thank you for posting your opinion.
But having the code get a third-party review only works now . The idea that after the third-party review, that Kaspersky can be leveraged to change the code anyway, or that any vulnerability to the code can be used on an 'first / easy-access' zero-day, or that the AV definition updates can be compromised to intentionally ignore a targeted attack, can all still apply and therefore "schizophrenic paranoid" isn't so much of a stretch of a self-preservation system to adhere to.
But let's let national security be potentially targeted, lest the nation-state be targeted as "schizophrenic paranoid".
Re: the schizophrenic paranoid nation they are
did you read the article?
Kaspersky asked to set up a framework to ensure data integrity/security... if this had anything to do with security the data brokerages would have instead been the target (Chinaman can buy the location data for any mil personnel easy breezy)
it'd be really easy to set up ongoing review of data pushed and sent. really not that complicated here, this keeps crowdstrike and other garbage indian outsourcing fronts in business, that is all.
Re: easy to set up ongoing review of data
No, it really isn't. Read the article?
"It also requires more regional R&D and IT teams, plus local datacenters, infrastructure, software, and the like in countries that choose this method."
If agreed upon the U.S. Commerce Commission would have to hire, and keep on staff, a full range of IT security & software professionals just to fine-pick through Every. Single. Kaspersky. Update.
Every one.
That's money. Who's paying for it?? Where are the infrastructure resources coming from? I seriously doubt Kaspersky would be willing to pony up the bill to the U.S. Government to pay for all that, contrary to Kaspersky's promise of cooperation. You don't just snap your fingers at a government and say "Here's our stuff, look at it as you will" and not have that create a huge bureaucratic requirement of infrastructure, methods, paid professionals, and requirements to be followed and carried out. Plus, PLUS, if Kaspersky's code would need to be overseen and approved at every update , exactly how useful would their AV product be with the delay in rollout caused by this oversight on every update?? It could be *weeks* before an update is approved for release by the government and what happens in the meantime to all the vulnerable systems?
It SOUNDS nice, "We promise to share our code!" but it really isn't very workable here, here in the *real* world. You actually expect a code review, done by the government no less, to be "timely" to allow relevant release that addresses the threats? We would all *love* for this to happen but it just can't.
Re: easy to set up ongoing review of data
The Kaspersky shills are out in force on this one, judging by the downvotes!
Re: easy to set up ongoing review of data
Yes all of those local data centers, just like another company did in Texas with Oracle. Ring a bell?
Still didn't make any difference, because at the end of the day the question isn't whether it is too hard to set up monitoring and compliance (which, by the way, many Federal agencies tend to make the monitored party pay for if they have their way), but irrational protectionism.
I fully believe that states should have sovereignty over their data, but it seems this really isn't the question here.
Re: the schizophrenic paranoid nation they are
You are absolutely correct, but it is also just as true for any piece of code ever written.
So by the same logic, why don't the US kick out Microsoft, Google, amazon, apple... They are just as obfuscated and just as much a threat to national security.
So... Back to square one, why ban Kasperskey? They have gone above and beyond anything required of a private company to try and clear their name. Its the US that assume guilty and don't allow to prove innocence.
Edit to say: my phone is acting up with touch input, so I accidentally posted twice in pieces... I have since deleted them, but that what those two deleted posts are.
Re: same logic, Microsoft and Google
All very true. But many Western countries have also banned Huawei under the same principle: that, in the real world, it is almost impossible to oversee what a company may be [forced] to do behind the scenes. There are just too many variables to look over in a timely manner, before any damage is done.
It is a perfect solution? No, not really. A flat-out ban-hammer is really the nuclear option. But in today's complex *and* fast-moving world, I'm not sure it is realistic to say a different option will actually be completely effective. Shame it has to come to this.
Re: same logic, Microsoft and Google
So we agree then, this is silly and pointless as everyone falls under the same suspicion.
So again, why the ban for kasperskey?
This is just petty, childish, fear driven and paranoid like I said, add the flip flopping on every other thing they try to world police and you get the schizophrenia, the requirements can change monthly for import/export conditions.
Umm, why does he need US Government approval ?
If he wants to open his code to 3rd-party review, it seems to me that he can just do it.
If he want to post source code on GitHub, he can.
This sounds like waffling to me. Either that, or he is trying to rattle Washington.