(Based on a speech at the Group of 77 Workshop on Preventing and Combating Cybercrime, supported by the Russian Federation and the United Nations Office on Drugs and Crime, Vienna, September 11-12, 2018).
By Evgeny Grigorenko, Head of Public Affairs, Europe
Today, one important topic in fighting cyberthreats and cybercrime is the set of challenges related to data management, the resulting deficit of trust in cybersecurity globally, and the private sector’s responses to it. As an example of such a ‘response’ strategy, we would like to provide details of our flagship project – the Global Transparency Initiative.
In recent digital investigations, public agencies have faced the issue of data access and the collection of so-called e-evidence. While most parties recognize that the right balance should be struck between the two concepts of security and privacy, in reality it’s not easy to get it right – even among like-minded countries. To give a few examples:
- In a joint statement by ENISA and Europol (May 2016), the agencies said: ‘…intentional weaken[ing of] technical protection mechanisms’ [encryption and implanting backdoors] ‘will weaken the protection against criminals’. Thus, they stress the importance of privacy.
- By contrast, a statement by the governments of the Five Eyes (August 2018) said: ‘…privacy is not absolute. Access to information … is critical to the ability of governments to protect our citizens by investigating threats and prosecuting crimes’.
- Even within the EU, there are currently two draft laws – the e-Privacy and e-Evidence Regulations – which (some argue) are definitely two sides of the same ‘data governance’ coin.
Globally, law enforcement and security services and, more broadly, nation states define the ‘limits’ of their control and management of data in different ways. Related to this, challenges such as data localization, access requirements, and suspicions about intentional backdoors and vulnerabilities do not make the lives of data collectors and processors – digital companies – any easier.
Complying with a given set of data management rules – a nascent regulatory practice – is only part of the challenge. Balkanization, militarization and the collapse of cyber-dialogue are making the task even harder:
- A practical example of how inaction in the digital sphere may damage both cybersecurity and trust between countries is the lack of legislation, or even a general approach, on the retention and use of vulnerabilities by nation states (last year’s attacks, such as WannaCry and NotPetya, show what the result can be). There are some discussions on this – in which Kaspersky takes part – but it looks like we are still far from agreement on how and when nation states should disclose detected software vulnerabilities to the providers.
- Undetected (zero-day) vulnerabilities are only one facet of trust erosion. The second is intentional action, such as backdoor planting. Since some digital companies are multinational, the question arises: may digital companies be forced to cooperate with their government to the detriment of other countries where they provide their software (with or without specific laws on this)?
- A consequence for digital companies is that the risk-based approach prevails over the presumption of innocence in decision making: no wrongdoing needs to be proved in order to take restrictive actions against a digital company if it is suspected of spying on behalf of, or helping in any way, your adversary.
- This erosion of trust spills over to the level of businesses and citizens, and the cybersecurity ecosystem is hurt even further.
What do we – as a private company – see as a way of handling the emerging deficit of trust?
We are focusing on international cooperation with other actors to fight cyberthreats – regardless of the origin and purpose of those cyberthreats. To this end, we work with organizations like INTERPOL, national CERTs and cyber-police agencies. We organize regular training sessions for them and assist in their cyber-investigations.
In addition, the trustworthiness challenge may be addressed with more transparency – we are ready to answer questions about our data management practices and the security of our products, and even to change our IT infrastructure to address some theoretical concerns. We are working on putting our Global Transparency Initiative into practice and on storing and processing users’ data at our Swiss Data Center. In Switzerland we are also going to open the first of our Transparency Centers. For some regions, we plan to relocate the assembly line for Kaspersky products and threat detection rule databases (AV databases) to Switzerland, where they’ll also be digitally signed before delivery to endpoints. Finally, a new non-profit organization qualified to conduct technical software reviews and to process requests from governments for data access will be established. Its role may be even wider – to create a framework of transparency and trustworthiness for software development.
Overall, we believe that these and some supporting measures will become a kind of gold standard for the cybersecurity industry, and we look forward to IT companies, public agencies, NGOs and academia joining us as partners in building a safe and secure model for raising trust.