Attribution is one of infosec's biggest challenges: experts struggle to identify the source of attacks and only do so when they feel the evidence is insurmountable.
Yet on Kaspersky Labs' "Transparency Tour" the company has advanced an explanation of its recent woes with no evidence at all.
The Tour is an effort to persuade us all that the company is not a danger to anyone except cyber-criminals, and to explain that it will soon open a "transparency lab" to prove it.
The company sent some heavy-hitters to Sydney, Australia, to make those points today: veep for public affairs Anton Shingarev and managing director for Asia Pacific Stephan Neumeier sat down with the media over sandwiches and salads to make their pitch.
The gist of the company's argument is that it is completely innocent, makes great products, is shocked – shocked! – by the allegations made against it and believes its troubles stem from being made pawn in a game of geopolitical chess.
That happened because so many of its developers reside in Russia, which makes it easy to smear the company.
"This backfires us," Shingarev said, but added that the company doesn't want to move its developers because they're good at what they do. And cheap, too, compared to coders in other climes.
Shingarev and Neumeier then advanced a theory that during their fearless mission to hunt down malware regardless of its source, Kaspersky researchers discovered, defused and exposed cyber weapons developed by several nation states. State actors build such weapons using arms-length deals with contractors, they alleged, so getting grumpy with Kaspersky in public was not an option.
But the US was angry at having its efforts stymied, so retaliated by smearing Kaspersky. Hence the ban on sales of the company's products to US government agencies justified by allegations that Kaspersky poses a national security risk.
That risk, the pair added, has been downgraded: when the ban was first imposed the pair said the company was identified as a real and present danger. These days they said a mere "potential" threat is used as justification for the ban and the change in language tells you all you need to know about its sincerity, or lack thereof.
Kaspersky Lab loses the privilege of giving Twitter ad moneyREAD MORE
Pressed by The Register, neither exec had evidence to support the theory. But they pointed out that we all know about tensions between the US and Russia, we can all see there's a trade war going on, Kaspersky sales are growing in the rest of the world and it's therefore obvious the company copped some blowback in a game bigger than any of us can really comprehend.
Neumeier also said the fact that only the US has taken action against Kaspersky proves the geopolitical skulduggery theory.
At which point The Register pointed out the 28 nations of the European Union last week passed a non-binding motion that said Kaspersky products have been "confirmed as malicious".
Neumeier's response was to say that Kaspersky Lab had been aware of that wording for months, and also aware of Polish Euro-MP Anna Elżbieta Fotyga's belief that the company represents a danger. Neumeier said Fotyga was responsible for the wording in the motion and that other MPs only included it under sufferance. Fotyga, he added, ignored two requests for meetings with Kaspersky at which the company hoped to explain itself. The head of a committee she sits on went one better and ignored three offers to meet.
Neumeier therefore felt that last week's motion was made without Kaspersky having fair opportunity to explain itself. Throw in the fact that Fotyga's first question about Kaspersky relied on accounts of the USA's unfair actions and Kaspersky thinks it's again been given the rough end of the pineapple.
Time for transparency
Despite being the victim of geopolitical forces no company could hope to control, Kaspersky thinks it can silence the doubters by being more transparent.
Hence its plan to move its data storage to Switzerland – yes, that Switzerland, the one with fabulous secrecy laws. Shingarev and Neumeier said those laws are a good thing for the company's customers, as it will keep their data away from prying eyes. If it had any data worth having anyway, which the pair said Kaspersky doesn't because it just needs basic details to go about its business.
Zurich will also house a "Transparency Lab" where the pair said the world will be able to come in and see... something.
Shingarev said the lab will see one of the big four consultancies review the company's source code and verify that it is indeed compiled into the company's products. He also mentioned a regime that will allow inspection of product updates to defend against allegations that a routine virus signature update can turn Kaspersky's products into something nasty for a few hours.
The company is also promising source code reviews for customers and/or maybe also by a consortium of universities whose collective eyeballing will make it possible to get through all three million lines of code.
There's also a plan to have a verification organisation examine Kaspersky's development processes to certify nothing naughty takes place. Shingarev said we'll all be very impressed once we learn the identity of that organisation, which is already in talks with Kaspersky to define the role.
Shingarev said he hopes the Transparency Lab will be up and running by the end of 2018, but that it's a lot of work so maybe it'll be hard to hit the deadline. Nor could he guarantee when the transparency activities will commence.
Asked by The Register what a visitor to the lab will be able to see, he mentioned the source code review but nothing more specific.
Whatever goes on in the lab, Shingarev said Kaspersky plans another two: one in Asia, one in North America.
Neumeier added that the labs are such a cunning plan it won't be long before Kaspersky is recognised as an Uber-style disruptor for having the foresight to operate such facilities.
Sinned against or sinner?
Shingarev and Neumeier remained plausibly sincere, upbeat and earnest during a 90-minute question-and-answer session, never wavering from their assertions of complete innocence and victimhood.
So is the company a sinner, or sinned against?
The "America wants to destroy us" argument was delivered with broad brush strokes, but zero evidence. The Transparency Lab was touted as offering incontrovertible proof of Kaspersky's innocence, but with few details on how it might be made apparent or when it will operate at maximum transparency.
And left entirely un-discussed was the issue that a technology company with ties to a state doesn't need to have dodgy products to represent a threat: a company's people can conduct espionage that software cannot, while a network of innocent and ignorant partners can be made vectors for subtle attacks or intelligence-gathering efforts.
For what it's worth, I came away feeling that Kaspersky Labs has an attribution problem. By advancing zero evidence it's a victim and merely sketching evidence it's not, the company neatly illustrated why infosec researchers are so cautious about attribution. That Kaspersky's staff defended the company by going beyond those norms so was as eloquent as anything else they said at the event. ®