It has been a busy few days for beleaguered antivirus-flinger Kaspersky Lab. Today's confirmation of an infrastructure move to Switzerland comes hot on the heels of a comment from the Netherlands government that use of the Russian firm's software is a bit risky.
Kaspersky is moving a number of its core processes from Russia to Switzerland as part of its "Global Transparency Initiative" (aka "Please stop being horrid about our Russian connections"). The estimated costs of the move are $12m, Kaspersky told us.
The security outfit plans to open a data centre in Zurich by the end of 2019 which will store information on users in regions such as Europe, North America and Australia.
Before the end of 2018, Kaspersky Lab will have also shifted its "software build conveyor", a set of tools that assembles the applications, and plans to sign its threat detection rule databases with a digital signature in Switzerland.
Transparent, like Swiss mountain water
The, er, Russian security biz also intends to use an independent third party to conduct technical code reviews and make the source code available for review by "responsible stakeholders".
The Register contacted Kaspersky for a definition of the term and was told it meant "government, partners or customers that are interested in visiting the centre". So book your tickets, get in line and fill your boots.
Eugene Kaspersky, CEO of the eponymous software maker, said:
"In a rapidly changing industry such as ours we have to adapt to the evolving needs of our clients, stakeholders and partners. Transparency is one such need, and that is why we've decided to redesign our infrastructure and move our data processing facilities to Switzerland. We believe such action will become a global trend for cybersecurity, and that a policy of trust will catch on across the industry as a key basic requirement."
Meanwhile, GCHQ offshoot the National Cyber Security Centre, which last year effectively banned the use of Russian antivirus products from government departments, said of the Kaspersky Lab announcement:
"Whilst this does not currently change our advice on systems with a national security purpose we welcome this move. This is a move in the right direction to potentially address risks to wider UK organisations and the public.
"Our conversations with Kaspersky continue and this move will be discussed as part of our ongoing dialogue."
With action under way in the US to remove Kaspersky software from government PCs, the current NCSC block on the use of its AV on systems processing information classified SECRET still in place in the UK, and Twitter turning its nose up at the firm's ad money, the vendor is hoping that a caring, transparent image might waft away the lingering odour of Russian interference.
But that may be a little too late for the government of the Netherlands. Justice Minister Ferdinand Grapperhaus has issued a letter with stern words for the Russian outfit.
In it he warned the Russian Federation has an active offensive cyber programme focused on Dutch interests and pointed out that Kaspersky is a Russian company, headquartered in Russia and so subject to Russian legislation. He said, "as a precautionary measure, [the use of] Kaspersky antivirus software [in] the national government will be phased out."
The Dutch Cabinet feels that there is a risk of espionage through the use of Kaspersky's products and so recommended the software is not used (aligning with the US and UK), although the even-handed politicos also pointed out that there are no concrete cases of abuse in the Netherlands.
A spokesperson from Kaspersky Lab told The Register:
"Kaspersky Lab is very disappointed with this decision by the Dutch Government based on theoretical concerns... But yet again, Kaspersky Lab is caught up in a geopolitical fight and still no credible evidence of wrongdoing has been publicly presented by anyone or any organisation to justify such decisions.
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be treated as guilty merely due to geopolitical issues."
Graham Cluley, an infosec watcher, agreed that it was all rather unfortunate and perhaps a little unfair on the software maker, telling The Register:
"I can't help but feel sorry for Kaspersky. A reputation built up over 20 years has been damaged by rumours, without their accusers even having to make any evidence of wrongdoing public. I don't know how or if they can successfully convince everyone that they can be trusted, but shifting their core infrastructure to Switzerland certainly won't do them any harm at all."
As the US imposes hefty sanctions on a number of Russian businesses, keeping Kaspersky Lab headquartered in the Russian Federation may still be a pill too bitter to swallow for Western governments. ®