Kaspersky Lab's move from Russia to Switzerland fails to save it from Dutch oven

Netherlands turns up the heat as transparency plans unveiled

It has been a busy few days for beleaguered antivirus-flinger Kaspersky Lab. Today's confirmation of an infrastructure move to Switzerland comes hot on the heels of a comment from the Netherlands government that use of the Russian firm's software is a bit risky.

Kaspersky is moving a number of its core processes from Russia to Switzerland as part of its "Global Transparency Initiative" (aka "Please stop being horrid about our Russian connections"). The estimated costs of the move are $12m, Kaspersky told us.

The security outfit plans to open a data centre in Zurich by the end of 2019 which will store information on users in regions such as Europe, North America and Australia.

Before the end of 2018, Kaspersky Lab will have also shifted its "software build conveyor", a set of tools that assembles the applications, and plans to sign its threat detection rule databases with a digital signature in Switzerland.

Transparent, like Swiss mountain water

The, er, Russian security biz also intends to use an independent third party to conduct technical code reviews and make the source code available for review by "responsible stakeholders".

The Register contacted Kaspersky for a definition of the term and was told it meant "government, partners or customers that are interested in visiting the centre". So book your tickets, get in line and fill your boots.

Eugene Kaspersky, CEO of the eponymous software maker, said:

In a rapidly changing industry such as ours we have to adapt to the evolving needs of our clients, stakeholders and partners. Transparency is one such need, and that is why we've decided to redesign our infrastructure and move our data processing facilities to Switzerland. We believe such action will become a global trend for cybersecurity, and that a policy of trust will catch on across the industry as a key basic requirement.

Meanwhile, GCHQ offshoot the National Cyber Security Centre, which last year effectively banned the use of Russian antivirus products from government departments said of the Kaspersky Labs announcement:

Whilst this does not currently change our advice on systems with a national security purpose we welcome this move. This is a move in the right direction to potentially address risks to wider UK organisations and the public.

Our conversations with Kaspersky continue and this move will be discussed as part of our ongoing dialogue.

With action under way in the US to remove Kaspersky software from government PCs, the current NCSC block on the use of its AV on systems processing information classified SECRET still in place in the UK, and Twitter turning its nose up at the firm's ad money, the vendor is hoping that a caring, transparent image might waft away the lingering odour of Russian interference.

Dutch heat

But that may be a little too late for the government of the Netherlands. Justice Minister Ferdinand Grapperhaus has issued a letter with stern words for the Russian outfit.

In it he warned the Russian Federation has an active offensive cyber programme focused on Dutch interests and pointed out that Kaspersky is a Russian company, headquartered in Russia and so subject to Russian legislation. He said, "as a precautionary measure, [the use of] Kaspersky antivirus software [in] the national government will be phased out."

The Dutch Cabinet feels that there is a risk of espionage through the use of Kaspersky's products and so recommended the software is not used (aligning with the US and UK), although the even-handed politicos also pointed out that there are no concrete cases of abuse in the Netherlands.

A spokesperson from Kaspersky Lab told The Register:

Kaspersky Lab is very disappointed with this decision by the Dutch Government based on theoretical concerns... But yet again, Kaspersky Lab is caught up in a geopolitical fight and still no credible evidence of wrongdoing has been publicly presented by anyone or any organisation to justify such decisions.

Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be treated as guilty merely due to geopolitical issues.

Graham Cluley, an infosec watcher, agreed that it was all rather unfortunate and perhaps a little unfair on the software maker, telling The Register:

I can't help but feel sorry for Kaspersky. A reputation built up over 20 years has been damaged by rumours, without their accusers even having to make any evidence of wrongdoing public. I don't know how or if they can successfully convince everyone that they can be trusted, but shifting their core infrastructure to Switzerland certainly won't do them any harm at all.

As the US imposes hefty sanctions on a number of Russian businesses, keeping Kaspersky Lab headquartered in the Russian Federation may still be a pill too bitter to swallow for Western governments. ®

Similar topics

Narrower topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022