The year 2023 marks the five-year anniversary of Kaspersky’s Global Transparency Initiative (GTI), the company’s flagship program, which aims to set an industry benchmark for tackling software supply chain risk. As awareness of the risks associated with third-party software grows, and businesses and regulators increasingly want to know how safe the software they use is, Kaspersky announces plans to expand the initiative further by growing its network of Transparency Centers worldwide and broadening its source code review options.
Demand for greater digital trust is increasing amid a growing tendency toward digital sovereignty, with major milestones set by the emergence of regulations such as the European Cyber Resilience Act proposal. The latter has raised questions about what evidence-based criteria a trustworthy digital product should meet and how compliance with them should be verified, and universal trust-building frameworks are in demand as never before.
Aimed at demonstrating the trustworthiness of Kaspersky solutions and promoting transparency standards across the cybersecurity industry, the GTI has grown steadily in scale, with the company having invested a total of US$7.9 million in the project since its launch. Today, the GTI encompasses six main pillars: data relocation, the opening of Transparency Centers worldwide, regular independent audits, a vulnerability management program, the educational Cyber Capacity Building Program, and Transparency Reports.
One of the GTI’s early actions was the relocation of the cyberthreat-related data received from users of Kaspersky products to data centers in Switzerland, a country known for its robust data protection and neutrality. Today, the data of Kaspersky users in Europe, North and Latin America, the Middle East, and several countries in the Asia-Pacific region is stored and processed in two data centers in Zurich.
“At Kaspersky, we have always been extremely serious about how we protect user data. To ensure the data our customers trust us with is secure, we’ve been following an integrated approach, bringing our data management practices in compliance with the leading industry standards,” comments Anton Ivanov, Chief Technology Officer at Kaspersky. “We have also invited third-party auditors to verify this and also chosen world-class facilities in compliance with industry standards for data storage and processing. With this holistic view, we hope to give the users of Kaspersky products complete peace of mind on the security and privacy of their data.”
Together with the data relocation launch, Kaspersky began building its global network of Transparency Centers: facilities where customers and partners, as well as government regulators responsible for cybersecurity, can check the integrity of the company’s solutions by reviewing their source code and learn more about the company’s internal processes. Since the opening of the first Transparency Center in Zurich in November 2018, Kaspersky has opened eight more centers in Europe, North and Latin America, and Asia-Pacific. To date, Kaspersky has organized briefings for nearly 60 requesting parties at its Transparency Centers worldwide, including national regulators and businesses from around the world.
By mid-2024, Kaspersky plans to extend its network of Transparency Centers to the Middle East and Africa, opening the first Transparency Center in each of those regions, and to set up a new center in the Asia-Pacific region. The three new facilities will serve as briefing centers where the company’s stakeholders can learn not only about Kaspersky’s internal engineering and data management practices but also about applicable industry standards and best practices.
In addition, Kaspersky is expanding the scope of the source code review offered at its Transparency Centers. Previously, Kaspersky offered for review only the source code of its flagship consumer and enterprise products; starting from July 2023, the company is removing that limitation and making the source code of all of its on-premise solutions available to its enterprise customers and partners. The decision came as a result of customers’ heightened interest in inspecting the source code of additional Kaspersky products. Another addition to the Transparency Center offering will be the results of Kaspersky’s product self-certification, including design documents and threat models that relate to the recommendations outlined in the European Cyber Resilience Act proposal.
“When Kaspersky launched its Global Transparency Initiative, it was a pioneer in advancing digital trust and advocating vendor accountability to its customers,” comments Yuliya Shlychkova, Public Affairs Director at Kaspersky. “But today we see that transparency is in increasing demand by organizations worldwide, which are taking a more mature attitude toward their cyber protection and paying more attention to the reliability of their software vendors. This proves Kaspersky to be a visionary, anticipating the industry’s future areas of development and trends to reign.”
Other GTI highlights include:
- Regular third-party audits, which independently verify the security of the company’s data management systems and of its antivirus database development and distribution process. Since 2019, the company’s data management systems have undergone regular certification against the ISO/IEC 27001:2013 standard, which confirms that the company maintains strong information security and that its Data Service complies with industry-leading practices. In addition, Kaspersky regularly undergoes a SOC 2 audit by an independent auditor, which reviews its process for developing and distributing antivirus databases and verifies that the process is secure and protected against unauthorized changes.
- Release of Transparency Reports, disclosing statistics on the number of requests for user data and for technical expertise received from law enforcement and government agencies. The latest report covers requests in both categories received during the second half of 2022, when Kaspersky received 37 requests from governments and law enforcement agencies (LEAs) in six countries. At least 65 percent of those were rejected, either because the requested data did not exist or because the request did not meet legal verification requirements.
- A Bug Bounty Program, under which anyone can report critical vulnerabilities or bugs found in Kaspersky’s systems and receive a reward. As part of the GTI, the company increased the awards for security researchers, who are now eligible for bounties of up to US$100,000 for reporting the most critical vulnerabilities. Since March 2018, Kaspersky has received 55 reports of minor vulnerabilities, patched them, and to date paid a total of US$77,450 in rewards.
- The Cyber Capacity Building Program (CCBP), designed to help organizations develop mechanisms and skills for security assessments of ICT products. Since 2020, six government bodies have taken the Kaspersky Cyber Capacity Building Program to develop skills in assessing software’s trustworthiness.