July 25, 2024 at 08:08AM
Kaspersky proposed a “comprehensive assessment framework” to verify its security products to the US Department of Commerce, aiming to mitigate supply chain risks and provide security assurances. Despite this, the Commerce Department did not respond to the proposal. The framework includes localization of data processing, review of data received, and independent validation of threat database updates and software code development. Kaspersky VP of Public Affairs Yuliya Shlychkova emphasized the need for a technical and evidence-based approach to evaluate cybersecurity products.
From the meeting notes provided, there are several clear takeaways:
1. Kaspersky is proposing a new “comprehensive assessment framework” to verify the security of its products to the US Department of Commerce, but it has been snubbed by Uncle Sam. This proposal builds on their earlier Global Transparency Initiative and aims to address ICT supply chain risks effectively and verifiably.
2. Kaspersky asserts that there is no evidence of wrongdoing to support the ban of its products in the US due to national security risks and calls for a technical-based, evidence-based approach to evaluating trustworthiness of cybersecurity products.
3. The proposed framework includes three pillars:
a. Localization of data processing to ensure that data is stored and processed in a specific region, with strict access policies.
b. Validation of data received in real-time to ensure no personally identifiable information or protected data is transferred to Kaspersky.
c. Review of threat database updates and product-related software code development to ensure no risks are posed to national security or otherwise.
4. Kaspersky acknowledges that implementing this framework is a long process due to different regulatory environments in various countries and will require significant advocacy and investment.
5. The meeting also discusses the ban on Huawei products in the UK and Huawei’s denial of compromised kit.
These takeaways provide an overview of the discussion around Kaspersky’s proposed assessment framework and the challenges it faces in gaining acceptance and implementation.