Several months ago, Kaspersky Lab announced that they were about to launch our Global Transparency Initiative. In the early spring, they advanced in that direction, increasing their bug bounty reward to $100,000. Today, they are ready to take another important step forward by relocating a good part of their infrastructure to Zurich, Switzerland, including the “software assembly line” and servers that store and process Kaspersky Security Network data, and creating their very first Transparency Center.
What’s that about the assembly line and KSN data?
First, our build systems — or “assembly line” — which work on the compilation and creation of Kaspersky Lab products and threat detection rule updates, will now be located in Zurich. That way, our software will be compiled and signed in Switzerland under the supervision of a third-party organization before being distributed to customers.
Second, we are moving the servers that process and store Kaspersky Security Network information for users located in Europe, North America, Australia, Japan, South Korea, and Singapore, with more countries to follow. This routine will be independently reviewed as well.
What’s the point of relocating the assembly line and KSN data?
Although the current level of protection in our data processing and software development infrastructure is extremely high, we are constantly working to improve it. To increase our resilience to supply-chain risks and transparency to our clients, it’s important to ensure that the source code reviewed in our Transparency Center and the code actually compiled into products that are shipped to customers is the same code. That’s why we are moving the compilation and signing facility to Switzerland as well.
The same goes for the data processed by Kaspersky Security Network: Storing it in Switzerland under the supervision of an independent organization means that any access to this data is meticulously logged — and the logs can be reviewed at any moment should any concerns arise.
What is this Transparency Center, anyway?
It’s a facility where trusted partners and government stakeholders can review our products’ source code as well as the tools we use. This facility will provide access to:
- Secure software development documentation,
- The source code of any publicly released product (including old versions),
- Threat detection rule databases,
- The source code of cloud services responsible for receiving and storing the data of customers based in Europe, North America, Australia, Japan, South Korea and Singapore,
- Software tools used for the creation of a product (the build scripts), databases, and cloud services.
Why are you doing this?
The most important goal of our Global Transparency Initiative is to establish all reviewing processes in such a way that there will be no need to rely on our word alone about the integrity of our products, updates, detection rules, data storage, and things like that. Responsible stakeholders from government and private organizations with relevant expertise will be able to review our software to make sure everything works as expected.
Who’s going to make sure you’re playing by the rules?
A third-party organization will be assessing the trustworthiness of everything going on in our Zurich facility. This organization will have as much access as possible. Its functions include:
- Supervising and logging instances of Kaspersky Lab employees getting access to product metadata received through Kaspersky Security Network and stored in the Swiss data center;
- Organizing and conducting a source code review;
- Performing other tasks aimed at assessing and verifying the trustworthiness of Kaspersky Lab products.
Kaspersky Lab supports the creation of a new, nonprofit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join. The Transparency Center and the supervising organization are two completely different and independent entities, a point we must emphasize.
We chose this location for two reasons. First, Switzerland has maintained its policy of neutrality for two centuries. Second, the country has strong data protection legislation. We believe these two qualities make Switzerland the perfect place to move part of our sensitive infrastructure.
Are you going to open more Transparency Centers?
We have plans to open additional centers in North America and Asia by 2020. However, we are not ready yet to talk about details.
How fast will this relocation happen?
It will take some time. Relocation of our assembly line, the easier part of the process, will be finished by the end of 2018. The creation of a data processing infrastructure requires several dozen services to be relocated from Moscow to Zurich and implemented. We are starting this project now and plan to finish it by the end of 2019.
As far as we know, we are the first cybersecurity company to come forward with such an initiative. Being a pioneer makes matters more complicated in some ways, but we strongly believe that it’s high time to make software development transparent, and therefore, every company will have to do the same sooner or later. Being the very first gives us an advantage in that respect.