10.23.2017

Kaspersky to Open Source Code for Review

But Can They Be Trusted?


Kaspersky, the Russian security firm known for its same-named antivirus software, has been under suspicion of Russian government influence in recent months. Specifically, the company is under investigation for allegations of cyber espionage, which it has continuously denied. The company recently allowed the U.S. government to inspect its code for malicious intent, and now plans to submit its code to outside review.

Back in September, the U.S. government banned the use of Kaspersky antivirus software amid concerns about ties to the Kremlin. At the time, the Department of Homeland Security stated, "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security." Retailers that formerly stocked Kaspersky products, including both Office Depot and Best Buy, have stopped selling them.

Just one month later, outlets started reporting that the Kaspersky software was used to steal cyber security secrets from an NSA contractor’s home computer in 2005. Kaspersky Lab has denied the allegations and claims it has been dragged into a “geopolitical fight” between the U.S. and Russia.

Earlier this month, it came to light that Israel was responsible for tipping off the NSA, after Israeli spies discovered NSA attack tools in Kaspersky's network. CEO and founder Eugene Kaspersky said at the time that the NSA tools could have been picked up as malware by its software. He stated, "We absolutely and aggressively detect and clean malware infections no matter the source."

Kaspersky plans to provide source code for its products, including software and threat detection updates, to a currently undecided independent review company. Expert opinions are mixed, but many believe it makes no difference. "I don't see how it addresses the allegations against them in any meaningful way," says former NSA worker Blake Darche, now chief security officer for security firm Area 1.

By 2020, Kaspersky Lab hopes to open three code review centers in the U.S., Europe and Asia. Customers, government agencies and organizations will be able to review Kaspersky software code at these locations. A sort of bug bounty is also planned, rewarding 5 to 100 thousand dollars for reported vulnerabilities in Kaspersky software. These are likely steps in the right direction, but it will be a long time before consumers are able to trust the Moscow-based company again.