Kaspersky Lab to open software to review,
says nothing to hide
[October 23, 2017]
By Jim Finkle and Eric Auchard
(Reuters) - Moscow-based Kaspersky Lab will
ask independent parties to review the security of its anti-virus
software, which the U.S. government has said could jeopardize national
security, citing concerns over Kremlin influence and hijacking by
Kaspersky, which research firm Gartner ranks as one of the world's top
cyber security vendors for consumers, said in a statement that it would
submit the source code of its software and future product updates for
review by a broad cross-section of computer security experts and
It also vowed to have outside parties review other aspects of its
business, including software development. Reviews of its software, which
is used on some 400 million computers worldwide, will begin by the first
quarter of next year, it said.
"We've nothing to hide," Chairman and CEO Eugene Kaspersky said on
Monday. "With these actions we’ll be able to overcome mistrust and
support our commitment to protecting people in any country on our
Kaspersky did not name the outside reviewers, but said they would have
strong software security credentials and be able to conduct technical
audits, source code reviews and vulnerability assessments.
U.S. President Trump's administration last month barred government
agencies from using Kaspersky Lab anti-virus products. The U.S. Senate
voted to back the plan.
The world's top cyber security experts are divided over whether Russian
intelligence hijacked Kaspersky software without its knowledge or
whether the firm or one of its employees was complicit.
Israeli intelligence officials said they had found Russian government
hackers using Kaspersky antivirus software to steal spy secrets from the
U.S. National Security Agency, according to reports this month in major
Kaspersky has repeatedly denied those allegations, saying it has not
helped Russia or other governments engage in espionage and that it is
simply caught up in a wider geopolitical spat between Moscow and
Washington following allegations Russian hackers interfered in last
year's U.S. elections.
The Kremlin also denies the allegations.
Some researchers have pointed to the company’s problems in the United
States as an example of the growing Balkanisation of the cyber security
industry, which is making it harder to fight cross-border crime.
The logo of the anti-virus firm Kaspersky Lab is seen at its
headquarters in Moscow, Russia September 15, 2017. REUTERS/Sergei
U.S. cyber security experts and former officials said the move by
Kaspersky to open its software up for expert review could help
alleviate concerns about future security gaps, but that the company
had a lot of work to do to restore confidence.
Former NSA director Michael Hayden called Kaspersky’s action "a
dramatic step forward, but not necessarily sufficient."
Rodney Joffe, senior vice president at online identity management
firm Neustar and an advisor to the U.S. Federal Communications
Commission, said Kaspersky must show it has fixed all existing
vulnerabilities, not just guarded against new ones.
"A good start would be a release of the source code for the products
already out there, that matches the actual installed code base,"
Joffe told Reuters.
The company said it would open "transparency centers" in Asia,
Europe and the United States where customers, governments and others
can access results of the outside reviews and discuss any concerns
about the security of Kaspersky products.
It also said it would expand a program where it pays independent
security researchers to find security vulnerabilities in its
products, boosting the maximum award size to $100,000 from $5,000.
(Reporting by Jim Finkle in Toronto; John Walcott in Washington
D.C.; Eric Auchard in London and Jeremy Wagstaff in Singapore;
Editing by Lisa Von Ahn, Peter Cooney and Alexander Smith)
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.