Future Tech

Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review

Tan KW
Publish date: Thu, 25 Jul 2024, 09:53 PM

Exclusive Despite the Feds' determination to ban Kaspersky's security software in the US, the Russian business is moving forward with another proposal to open up its data and products to third-party review - and prove to Uncle Sam that its code hasn't been compromised by Kremlin spies.

Kaspersky started talking about this new "comprehensive assessment framework" to verify its security products, software updates, and threat detection rules a week ago, and exclusively provided additional details to The Register about the verification system it presented to the US Department of Commerce.

Uncle Sam, Kaspersky says, snubbed the proposal from the antivirus provider. The Department of Commerce did not respond to The Register's questions on the matter.

The plan, which the company says builds on its earlier Global Transparency Initiative, "can address most ICT supply chain risks relating to product development and distribution in an effective and verifiable manner," according to the company's namesake and CEO, Eugene Kaspersky, in a blog post shared with The Register.

"These are in fact the mitigation measures we've submitted in a proposal for discussion to the US Department of Commerce - once again confirming our openness to dialogue and determination to provide the ultimate level of security assurances," Kaspersky continued. "However, our proposal was simply ignored."

It's the latest salvo by the embattled Russian antivirus maker since the Commerce Department made its decision to prohibit Kaspersky products last month.

This is a road that Washington has been traveling down for years now. The 2017 Global Transparency Initiative, which opened up the security company's source code to third-party review, was in response to an earlier ban of Kaspersky tech on US government systems. 

When asked what evidence American agencies have presented to the Russian firm to support its claims that the products pose a national security risk, Kaspersky VP of Public Affairs Yuliya Shlychkova said: "There is no evidence of wrongdoing."

"We do see trends of digital protectionism," she told The Register in an exclusive interview. "We do see trends of 'Made in' software, which is not necessarily best because not all countries have good, domestic antivirus [tools]."

"Therefore, we continue to advocate for a technical-based, evidence-based approach to evaluate trustworthiness" of cybersecurity products, Shlychkova continued. "And we have been sharing these principles, this framework with different regulators," most recently those in the Commerce Department, Shlychkova added.

This new framework includes three "pillars," the first of which involves the localization of data processing.

"Localize it in the US, and also ensure that there is a strict access policy that no one can access this data from any other countries, even employees of Kaspersky from other countries cannot access this data," Shlychkova said.

More broadly, this step is meant to ensure that local data is stored and processed in a physical environment in a particular region - for example, the US. And then anyone from another country or region deemed inappropriate - let's say, in Russia - can't access the data or the infrastructure used to process and store it.

Kaspersky says it already does this with its managed detection and response (MDR) service in Saudi Arabia and Brazil. According to Shlychkova, the company suggested similar processes in the US in its response to the Commerce Department.

An independent third party, selected by and reporting to in-country regulators, would then verify that these measures were implemented, suggested the firm.

Localized data processing also requires local threat analysis and malware detection signatures, both of which the company says its tech can provide. It also requires more regional R&D and IT teams, plus local datacenters, infrastructure, software, and the like in countries that choose this method.

Given that the Feds halted sales of new Kaspersky contracts on July 20, and set a deadline of September 29 to stop updates to existing customers, it's unlikely that Uncle Sam is going to reverse course in the near future.

While pledging to continue pursuing legal options, the company has begun closing its American operations and eliminating US-based jobs.

The second pillar - the review of data received - would also be subject to validation by this regulator-approved reviewer to ensure, in real time, that the data Kaspersky products ingest does not carry any personally identifiable information or other protected data to the company (or the Kremlin), and that all of this data is being used for its intended, lawful purpose.

"It's important that it's a two-way stream," Shlychkova said. "One way is what data is being sent to Kaspersky solutions, and another stream is what data is being pushed from Kaspersky solutions towards users, and both streams are being checked by the third-party reviewers."

To this end, the third pillar involves the independent reviewer checking Kaspersky's threat database updates and product-related software code development to ensure that these updates and data being sent to user machines don't pose any risks, national security-related or otherwise.

"And this third pillar is the most technically advanced measure, and really unprecedented because we are processing more than 400,000 files per day," Shlychkova claimed.

Implementing this framework is "a long process" due to different regulatory environments in various countries, and will require significant advocacy and investment, she said. "There definitely needs to be a formal blessing from regulators to set up this whole system - we are only at the start of this process." ®


https://www.theregister.com//2024/07/25/kaspersky_us_review_snub/
