KL-2017: the proof of the pudding is in the preliminary financial results.

Hi folks!

Going against tradition just this once, this year we’ve decided not to wait for our official financial audit results, and instead publish preliminary sales results for last year straight away.

The most important business figure of the year is of course revenue. So, for all 12 months of 2017, our products, technologies and services were sold for US$698 million (in accordance with the International Financial Reporting Standards) – a 8% rise compared to the previous year.

Not a bad result at all, if I don’t mind saying so; a result that shows how the company is doing well and growing. What’s more, we have some real promising technologies and solutions that make sure we’ll keep on growing and developing into the future.

But here’s what is, to me, the most interesting thing to come out of the preliminary results: for the first time in the history of the company sales bookings of corporate solutions overtook those of our boxed products for home users – this riding on the back of a 30% increase in the corporate segment.

Another very pleasing fact: the good rate of growth of the business has come largely not from sales of our traditional endpoint products, but from emerging, future-oriented solutions like Anti Targeted Attack solutions, Industrial Cybersecurity, Fraud Prevention, and Hybrid Cloud Security. All together these grew 61%. Besides, forecast growth in sales of our cybersecurity services comes in at 41%.

Geographically, sales bookings in most of the regions overshot their annual targets. For example, in Russia and the CIS sales were up 34% on 2016. In META (Middle East, Turkey, Africa) sales skyrocketed up 31%; in Latin America – 18%; and in APAC – 11%. Japan demonstrated moderate growth (4%), while Europe was slightly below expectations (-2%).

The only region that didn’t do well was, as expected, North America, which saw a fall in sales of 8%. Hardly surprising this one, given that it was this region that was the epicenter of last year’s geopolitical storm, which featured both a disinformation campaign against us and an unconstitutional decision of the DHS. Nevertheless, despite the political pressure, we continue to operate in the market and are planning on developing the business further there.

It only remains for me to give huge thanks to all users, partners, and cybersecurity experts, and to anyone else (including most journalists and bloggers that covered us) for their support, and also a big up to all the KLers around the globe for their continued excellent work in these difficult times. Customer loyalty, impressive growth of the business, and high team morale are all clear indicators of our global success. Well done everybody!

More detailed info on the preliminary financial results can be found here.

7 200 000.

Hi folks!

Along with the snow and ice (at least in my home city), December brings with it an unbearable desire to take stock of the past 12 months, to be amazed at what’s been achieved, and to make plans for the future. Then, after a brief pause for festive fun and frolics, it’s time to get back at it (and them!) once again.

Now, to me, one of the most impressive KL projects of the year – among a whole host of them – was the global launch of our free antivirus. In just several months this product has demonstrated curiously extraordinary success, and it’s that success I want to tell you about here today.

Kaspersky FREE was pilot-launched almost two years ago after an intense public discussion about its functionality. For a year and a half we kept a close eye on how the product worked, also on the user feedback thereon, the effectiveness of the protection, competition with our paid products, and so on… and it all confirmed – we were doing things just right! Then, six months ago, we had the global rollout of our freebie!

Half a year: is that a short or a long time? Well, on an uninhabited island it’s a long time, I guess. But for a popular antivirus it’s no time at all. Still, what can you get done in such a short time? Turns out quite a bit, if you put your mind to it…

First off: back to the title of this post: 7.2 million.

7.2 million is the total number of installations of FREE up until December 1, 2017. Around four million of those are active users, which is a real good result for such a new product. In just November FREE was downloaded nearly 700,000 times: around 23,000 times a day. But what’s even more curiously surprising is the loyalty of the users of FREE: some 2.5 times higher than the trial versions of our paid products: 76% of users who install FREE stay with us for several months of more. Woah. That’s a nice fat figure for Christmas ).

Now a little about the effectiveness of FREE

Although the product is loaded with just the basic essentials of protection (for £39.99 you can get the full suite of protective whistles and bells, including VPN, Password Manager, Parental Control, mobile device protection, etc.), it works on the same anti-malware engine as our other consumer products. In 2017 FREE protected its users from almost 250 million cyberattacks, 65 million detections of which occurred thanks to our cloud-based KSN. In just a year the product detected 17.5 million unique malicious programs and ~50 million malicious websites/pages. No wonder then that FREE is regularly and deservedly in among the top ratings in tests and reviews all around the world with enviable regularity.

There are three more things I think will be interesting to you, dear reader.

Read on…

An Open Letter from Kaspersky Lab.

This week, Kaspersky Lab filed an appeal with a U.S. federal court challenging the U.S. Department of Homeland Security’s (‘DHS’) Binding Operational Directive 17-01, which requires federal agencies and departments to remove the company’s products from federal information systems. The company did not take this action lightly, but maintains that DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the Directive. DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company. Therefore, it is in Kaspersky Lab’s interest to defend itself in this matter.

About Kaspersky Lab

As a global cybersecurity company founded over 20 years ago, Kaspersky Lab has proudly called the United States home to its North American headquarters in Woburn, Massachusetts, for over a decade. With nearly 300 employees in Massachusetts and throughout the country, Kaspersky Lab’s corporate mission is to protect its customers from cyberthreats, regardless of their origin or purpose. The company regularly submits its products and solutions for independent testing and assessment, consistently receiving more first place finishes and top-3 awards than any other cybersecurity vendor. Furthermore, the company collaborates with law enforcement, other IT security companies, and government organizations globally to combat cybercrime, providing technical assistance and forensic malware analysis, as well as world-renowned security research into cyber-espionage and targeted attack campaigns.

Kaspersky Lab has a clear policy concerning the detection of malware: it detects and remediates any malware attack. There is no such thing as ‘good’ or ‘bad’ malware for the company. Its research team has been actively involved in the discovery and disclosure of several malware attacks with links to nation-state and organized cybercrime entities. Over the past decade, Kaspersky Lab has published in-depth research into some of the biggest cyber-espionage and financially motivated cybercrime operations known to date. It does not matter which language a threat ‘speaks’: Russian, Chinese, Spanish, German, or English. The following list of threats, as reported by Kaspersky Lab’s Global Research and Analysis Team (‘GReAT’), shows the different languages used in each case:

Kaspersky Lab’s Good Faith Efforts to Engage DHS

Kaspersky Lab fully supports DHS’s mission and mandate to secure federal information and federal information systems, which align with its own corporate mission of protecting customers from cyber threats regardless of their origin or purpose. Given its longstanding commitment to transparency, the trustworthy development of its technologies and services, and cooperation with governments and the IT security industry worldwide, Kaspersky Lab reached out to DHS in mid-July as part of a good faith effort to address any concerns regarding the company, its operations, or its products. DHS confirmed receipt of Kaspersky Lab’s letter in mid-August, appreciating the company’s offer to provide said information and expressing interest in future communications with the company regarding this matter. Kaspersky Lab believed in good faith that DHS would take the company up on its offer to engage on these issues and hear from the company before taking any adverse action. However, there was no subsequent communication from DHS to Kaspersky Lab until the notification regarding the issuance of Binding Operational Directive 17-01 on September 13, 2017. The July and August communications are referenced below.

July 18, 2017, Kaspersky Lab Letter to DHS

“Given Kaspersky Lab’s longstanding commitment to transparency, the trustworthy development of its technologies and solutions, and cooperation with governments worldwide and the IT security industry to combat cyber threats, we write to offer any information or assistance we can provide with regard to any Department investigation regarding the company, its operations, or its products.

…The integrity and assurance of our products and technologies remain our utmost priority, and we maintain that a deeper, collaborative examination of our company and its products will assuage any concerns.

Kaspersky Lab looks forward to working with the Department and its staff and welcomes further dialogue. Please contact *************** via email or phone to discuss how we might communicate more directly with you or your staff and explore ways we might work together to make cyberspace safer.”

August 14, 2017, DHS Letter to Kaspersky Lab

Jeanette Manfra, on behalf of the (then-)Acting Secretary responded:

“Thank you for your letter of July 18, 2017 addressed to then-Secretary of Homeland Security John F. Kelly. The Acting Secretary has asked me to respond on her behalf.

We appreciate your offer to provide information to the Department about your company and its operations and products as well as to communicate with the Department about making cyberspace safer. We look forward to communicating with you further on this matter and receiving such information from you, and we appreciate your patience as we work through timing and logistical issues.

We will be in touch again shortly. Thank you again for your letter.”

Addressing DHS’s Binding Operating Directive 17-01

One of the foundational principles enshrined in the U.S. Constitution, which I deeply respect, is due process: the opportunity to contest any evidence and defend oneself before the government takes adverse action. Unfortunately, in the case of Binding Operational Directive 17-01, DHS did not provide Kaspersky Lab with a meaningful opportunity to be heard before the Directive’s issuance, and therefore, Kaspersky Lab’s due process rights were infringed.

In the September 19, 2017 Federal Register notice announcing the issuance of Binding Operational Directive 17-01, DHS stated that Kaspersky Lab could initiate a review of the Directive by submitting written information, which the company did on November 10, 2017. However, this ‘administrative process’ did not afford Kaspersky Lab due process under U.S. law because the company did not have the opportunity to see and contest the information relied upon by DHS before the issuance of the Directive. As I have said before, ‘genuine due process provides you with the opportunity to defend yourself and see the evidence against you before action is taken; it doesn’t ask you to respond once action is already underway.’

Furthermore, DHS primarily relies upon uncorroborated media reports to support its assertion that Kaspersky Lab products present information security risks to government networks, not evidence of any wrongdoing by the company. DHS also cites technical arguments that apply to antivirus solutions generally, including broad levels of access and privileges to the systems on which solutions operate, the use of cloud-based technologies to process malware samples and deploy detection signatures, and data collection and processing practices. These capabilities are not unique to Kaspersky Lab’s products, and if they are of concern, DHS could have taken action to address these issues holistically across the IT security industry instead of unfairly targeting a single company without any evidence of wrongdoing.

Despite the relatively small percentage of the company’s U.S. revenue attributable to active software licenses held by federal government entities, DHS’s actions have caused a disproportionate and unwarranted adverse impact on Kaspersky Lab’s consumer, commercial, and state, local, and education (‘SLED’) business interests in the United States and globally. Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community. Its presence in Russia and the CIS region, its technical knowhow, and its linguistic expertise uniquely position the company to advance the fight against malware and protect its customers from cyber threats. These assets have enabled Kaspersky Lab to share cyber threat information and vulnerability research with various U.S. government entities, including constituent agencies of DHS, involved in protecting U.S. cyberspace. Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks.

Conclusion

In undertaking this action, Kaspersky Lab hopes to protect its rights under the U.S. Constitution and U.S. federal law, receive adequate due process, and repair the reputational and commercial damage caused by Binding Operational Directive 17-01. The company continues to welcome constructive and collaborative engagement with the U.S. government to address any concerns about its operations or its products, as it stated in its letter to DHS five months ago. Kaspersky Lab’s Global Transparency Initiative could serve as a mechanism for such dialogue. Regardless of this action, Kaspersky Lab remains committed to continuing its mission and business of protecting customers in the United States and around the world from cyber threats by providing market-leading antivirus software, threat intelligence and analytics.

KL wins Gartner Platinum Award!

Hi folks!

As you’ll probably have noticed, the news stream around our small (but very technologically progressive) IT company has of late turned into a veritable Iguazu Falls. But that doesn’t prevent good news coming down that stream too – apolitical, technological, and based on named sources ). So here’s some of just that: the latest bit of good news…

There are several large and respected research agencies in the world, and Gartner is one of them. It’s known most of all for its expert assessments of how well vendors manufacture IT equipment and software: how well their products meet the needs of their customers and help them deal with problems.

Some time ago Gartner decided to add to its already multi-faceted evaluations another important dimension: the opinion of customers themselves. This was to make the overall ratings yet more accurate and objective and thus more practically useful. Thus, a little over a year ago Gartner announced its new peer review program – Gartner Peer Insights – in which business customers could voluntarily and anonymously (that is, being able to say absolutely anything they might not be happy about without the risk of any negativity boomeranging back at them) rate the products of different developers. And that includes ‘Endpoint Protection Platforms’.

Gartner approached adding this new facet to its analysis very seriously. Gartner Peer Insights hopes to “transform the way enterprise software is bought and sold by creating another source of trusted information in the software buying process. Gartner’s review platform is a place for all IT buyers to find advice they can trust from fellow IT professionals. Gartner Peer Insights includes more than 40,000 verified reviews in more than 190 markets. For more information, please visit www.gartner.com/reviews/home.”

Collecting and collating all the feedback took a year, while our industry – of course including us – eagerly awaited the results. In order to win, the vendor must have at least one product designated by research analysts as relevant to the market, and the vendor must have 50 or more reviews published during the submission period (12 months). To ensure that the awards are given to vendors who represent the Peer Insights’ end user base, vendors are eligible for Gold, Silver or Bronze awards subject to three criteria: 1) Maximum 75% of the deployments reported by the reviewers from non-North America regions; 2) Maximum 75% of reviews from one industry; and 3) Maximum 50% of reviews from non-enterprise end users. ‘Enterprise end user’ is defined as the reviewer’s company size being >$50M USD. If vendors qualify for the award but don’t meet the three criteria above, they may still be eligible for an honorable mention for their focus.

Read on: The real litmus test…

More transparent than the air you breathe.

Hi folks!

I think it’s always possible – if you try hard enough – to be able to find something good in a bad situation.

The recent negative campaign against KL in the U.S. press hasn’t been pleasant for us, but we have tried hard – and found – some good things: it allowed us to make certain curious observations and deductions, and also gave a magic kick up the proverbial on planned KL business initiatives that never really came to anything long ago – one of which initiatives I’ll be telling you about in this post.

The cybersecurity business is based on trust: trust between users and the developer. For example, any antivirus, in order to do its job – uncover and protect against malware – uses a number of technologies that require broad access rights to users’ computers. If they didn’t have them, they’d be defunct. But it can’t be any other way: the cyber-bandits use all available methods to be able to penetrate computers to then lodge their malware in those computers’ operating systems. And the only way to be able to detect and smoke that malware out is to have the same deep system access privileges. Problem is, such a truism also acts as fertile ground for all sorts of conspiracy theories in the same vein as the old classic: ‘antivirus companies write the viruses themselves’ (with that kind of reasoning I dread to think what, say, the fire service or the medical profession get up to themselves when not putting out fires and treating the sick). And the latest theory growing out of that fertile ground is the one where a cyber-military has hacked our products and is spying on another cyber-military via those same products.

There are three things that all the separate U.S. media attacks on KL have in common: (i) a complete lack of evidence provided as a basis for their reports; (ii) use of only anonymous sources; and (iii) the most unpleasant – abuse of the trust relationship that necessarily exists between users and us. Indeed, it has to be admitted that that trusting relationship – built up over decades – has alas been impaired. And not just for KL, but the whole cybersecurity industry – since all vendors use similar technologies for providing quality protection.

Can this crisis of trust be overcome? And if so – how?

It can. And it must. But it needs to be done only by taking specific, reasoned steps that technically prove how trust is, in fact, being threatened by nothing and no one. Users, just as before, can trust developers – who always have, currently have, and will always have, one single mission: protecting against cyberthreats.

We’ve always been as open as possible with all our plans and undertakings, especially technological ones. All our key tech is documented to the fullest (falling short of revealing trade secrets) and publicly cataloged. Well a few days ago we went one step a huge leap even further: we announced our Global Transparency Initiative. We did so to dispel any remaining doubts as to the purity of our products, and also to emphasize the transparency of our internal business processes and their conformity to the highest standards in the industry.

So what are we actually going to do?

First, we’ll be inviting independent organizations to analyze the source code of our products and updates. And they can analyze literally everything – right down to the last byte of the very oldest of our backups. The key word here is independent. Closely behind it is another key word: updates; the analysis and audit won’t be just of the products but the equally important updates as well.

Second, we’ll have a similarly independent appraisal of (i) our secure-development-lifecycle processes and software, and (ii) our supply-chain risk-mitigation strategies that we apply in delivering our products to the end user.

Third, we’ll be opening three Transparency Centers – in the U.S., Europe and Asia – where customers, partners and government representatives can get exhaustive information about our products and technologies and conduct their own analyses and evaluations.

And that’s only the start of it. We’ve plenty more plans to become even more transparent – as transparent as air (and no jokes please about pollution or smog in large cities:). We’re only just kicking off this project, but we’ll be regularly sharing with you more as we go along. Stay tuned…

PS: If you have any ideas, suggestions or other comments – do let us know, here.

Here’s to aggressive detection of maliciousness!

In recent years there’s been all sorts written about us in the U.S. press, and the article last Thursday in the Wall Street Journal at first seemed to be just more of the same: the latest in a long line of conspiratorial smear-articles. Here’s why it seemed so: according to anonymous sources, a few years ago Russian government-backed hackers, allegedly, with the help of a hack into the product of Your Humble Servant, stole from the home computer of an NSA employee secret documentation. Btw: our formal response to this story is here.

However, if you strip the article of the content regarding alleged Kremlin-backed hackers, there emerges an outline to a very different – believable – possible scenario, one in which, as the article itself points out, we are ‘aggressive in [our] methods of fighting malware’.

Ok, let’s go over the article again…

In 2015 a certain NSA employee – a developer working on the U.S. cyber-espionage program – decided to work from home for a bit and so copied some secret documentation onto his (her?) home computer, probably via a USB stick. Now, on that home computer he’d – quite rightly and understandably – installed the best antivirus in the world, and – also quite rightly – had our cloud-based KSN activated. Thus the scene was set, and he continued his daily travails on state-backed malware in the comfort of his own home.

Let’s go over that just once more…

So, a spy-software developer was working at home on same spy-software, having all the instrumentation and documentation he needed for such a task, and protecting himself from the world’s computer maliciousness with our cloud-connected product.

Now, what could have happened next? This is what:

Malware could have been detected as suspicious by the AV and sent to the cloud for analysis. For this is the standard process for processing any newly-found malware – and by ‘standard’ I mean standard across the industry; all our competitors use a similar logic in this or that form. And experience shows it’s a very effective method for fighting cyberthreats (that’s why everyone uses it).

So what happens with the data that gets sent to the cloud? In ~99.99% of cases, analysis of the suspicious objects is done by our machine learning technologies, and if they’re malware, they’re added to our malware detection database (and also to our archive), and the rest goes in the bin. The other ~0.1% of data is sent for manual processing by our virus analysts, who analyze it and make their verdicts as to whether it’s malware or not.

Ok – I hope that part’s all clear.

Next: What about the possibility of hack into our products by Russian-government-backed hackers?

Theoretically such a hack is possible (program code is written by humans, and humans will make mistakes), but I put the probability of an actual hack at zero. Here’s one example as to why:

In the same year as what the WSJ describes occurred, we discovered on our own network an attack by an unknown seemingly state-sponsored actor – Duqu2. Consequently we conducted a painstakingly detailed audit of our source code, updates and other technologies, and found… – no signs whatsoever of any third-party breach of any of it. So as you can see, we take any reports about possible vulnerabilities in our products very seriously. And this new report about possible vulnerabilities is no exception, which is why we’ll be conducting another deep audit very soon.

The takeaway:

If the story about our product’s uncovering of government-grade malware on an NSA employee’s home computer is real, then that, ladies and gents, is something to be proud of. Proactively detecting previously unknown highly-sophisticated malware is a real achievement. And it’s the best proof there is of the excellence of our technologies, plus confirmation of our mission: to protect against any cyberthreat no matter where it may come from or its objective.

So, like I say… here’s to aggressive detection of malware. Cheers!

We aggressively protect our users and we’re proud of it.

Another sensationalist media story was released today stating among other things that Kaspersky Lab helps a certain intelligence agency in getting their hands on sensitive data from another intelligence agency through the home computer of a contractor. Another accusation in the article is that we are very ‘aggressive’ in our methods of hunting for new malware.

The first statement sounds like the script of a C movie, and again – disclosed by anonymous sources (what a surprise). I can hardly comment on it besides the official statement.

However, I couldn’t agree more with the second claim about being aggressive in our hunt for malware. We absolutely and aggressively detect and clean malware infections no matter the source, and have been proudly doing so for 20 years. This is the reason why we consistently get top ratings in independent, third-party malware detection tests. We make no apologies for being aggressive in the battle against malware and cybercriminals – you shouldn’t accept any less. Period.

While protecting our customers, we do – as any other cybersecurity vendors – check the health of a computer. It works like an X-ray: the security solution can see almost everything in order to identify problems, but it cannot attribute what it sees to a particular user. Let me elaborate a bit more on what we do and what we don’t when protecting our users from cyberattacks:

What we do

Every day, we develop new heuristics and advanced detection mechanisms that flag suspected malware and send it to machine-learning-powered back-end for automatic analysis. These heuristics are designed in a way so that they focus only on a particular type of data – one that has characteristics potentially dangerous to computer health. And the data’s risk is the only feature the heuristics care about.

We focus on high-profile cyberthreats that have the potential to impact many users. Such threats are usually very sophisticated and may consist of multiple components – not necessary malicious at first glance. Please read our recent ShadowPad story as an example.

To betray user trust is easy and it would be immediately spotted by the industry. In its 20 years in business Kaspersky Lab gave zero chance to question its dedication to customers’ security

We hunt for and analyze all kinds of threats. We ignore none. We also invest a lot of resources into systems that protect our users from malware, make their computers more secure, and allow them to enjoy their user experience as opposed to worrying about it.

In the wake of this latest article I want to emphasize the following: if our technologies detect anything suspicious and this object is identified as malware, in a matter of minutes all our customers – no matter who or where they are – receive protection from the threat. In the most serious cases – such as global malware outbreaks like WannaCry or sophisticated cyber-espionage platforms like Equation – our researchers analyze the threat deeply and publish the research with indicators of compromise openly, so not only our customers, but all other users and our colleagues in the cybersecurity industry can learn how to protect against the new threat. Customers’ security is our mission, and we’re committed to protect against all kinds of cyberthreats regardless their origin or purpose. This approach is the foundation of our business and is what our users pay for.

This is the one and only way of how we deal with cyberthreats. The new allegations look to me like this: someone just took this process of how we deal with a threat, added some fictional details, and here we go – the new C-movie script is ready.

What we don’t do

With big power comes big responsibility. We never betray the trust that our users place in our hands. If we were ever to do so just once, it would immediately be spotted by the industry and it would be the end of our business – and rightly so.

To understand why something like this would be impossible for Kaspersky Lab or any other reputable security company, one needs to understand how the cybersecurity industry works. In our industry there are mainly two types of folks: first, those who do offensive things: breaking software, creating espionage tools, exploits, and – to the extreme – helping governments with their spy efforts. And second, folks who fight for users, take their side, protect them from attacks, create software that defends computers, and cause all manner of headaches for spy agencies.

The allegations look like this: someone just took the process of how the cybersecurity industry deals with a threat, added some fictional details, and here we go – the new C-movie script is ready

This is a fundamental separation, which expresses itself in many ways – from what is considered ethical by one category or the other, to reputation and separating right from wrong.

For 20 years, KL has been fighting for users. It’s pioneered many technologies, including machine learning and cloud security, created one of the world’s best security products, and strived to ONLY hire people who abide to the highest ethical standards.

Any of our experts would consider it unethical to abuse user trust in order to facilitate spying by any government. Even if, let’s say, one or two such people would somehow infiltrate the company, there are dozens of internal technological and organizational strategies to mitigate the risk. There are also 3000+ people working at Kaspersky Lab and some of them would notice something like that. It’s impossible to hide it from everybody.

Now to the complicated part

But no matter how great security technologies and measures are, the security of millions can be easily compromised by the oldest threat actor there is – a $5 USB stick and a misguided employee

Even though we have an internal security team and run bug bounty programs, we can’t give a 100% guarantee that there are no security issues in our products; name another security software vendor that can! Software is made by people and people make mistakes – no getting round that.

Now, if we assume that what is reported is true: that Russian hackers exploited a weakness in our products installed on the PC of one of our users, and the government agencies charged with protecting national security knew about that, why didn’t they report it to us? We patch the most severe bugs in a matter of hours; so why not make the world a bit more secure by reporting the vulnerability to us? I can’t imagine an ethical justification for not doing so.

In the end, I can’t shake off a disturbing thought: no matter how great security technologies and measures are, the security of millions can be easily compromised by the oldest threat actor there is – a $5 USB stick and a misguided employee.

Dissecting the recent WSJ cybersecurity story: truth, lies and disturbing details by @e_kaspersky himselfTweet

Chronicles of a very long week.

What a week! A working week, I mean – and one that included both weekends each end of it.

It started on Saturday, September 9, and finished nine days later on Monday, September 18. It was long and it was tough – so quite typical really – and it went like this…

On the Saturday I needed to be in St. Pete – so I off I popped. As I’ve said before on these here pages, I don’t get one bit the bad rep St. Petersburg has in terms of weather. I’m sure it’s an anti-St.P rumor-based conspiracy. Why? Because when I come here the sun’s always shining and the Petersburgers are strolling about all leisurely and tanned – some even wearing shorts. It’s in Moscow where the bad weather’s at – all murky and sticky and blustery and rainy. Meanwhile in Leningrad…

When in St. Petersburg – have a Belgian craft burger ).

Read more: Good news!..

Five Years Trudging Through the Evolving Geopolitical Minefield.

[Originally published at Forbes]

“The hardest thing of all is to find a black cat in a dark room, especially if there’s no cat.”
– Ancient wisdom, commonly attributed to Confucius

For nearly five years, Kaspersky Lab has been in the line of fire from a handful of sources, which falsely report that we have covert and unethical ties to government organizations, possibly pose a threat to U.S. national security and/or our U.S. business is failing. That’s half a decade of news investigations, assumptions, hearsay, rumors, manipulations of publically available data, anonymous sources, conspiracy theories and fabrications. After five years – how much proof and concrete facts have they come up with? None. Nada. Zero. Zilch!

When politics use the news to shape facts, no one wins

And unfortunately, yesterday, a U.S. government agency sent out a directive for federal agencies telling them to stop using our products. I guess the good news is that U.S. government sales have not been a significant part of the company’s activity in North America. So, while unfortunate, we’ll continue to keep our focus on protecting our real customer base, enterprises and consumers.

Why are all these events occurring, you ask?

As I’ve stated numerous times, there is no evidence to confirm these false media reports, because Kaspersky Lab does not have inappropriate ties to any government.

In a way, I’m thankful for such an elaborate, long-term audit that’s found nothing amiss, but if anything is helping to verify my company’s commitment to transparency. As our customers and partners know firsthand, transparency and trust are the foundations of our 20-year-old business, and these guiding principles will never change, regardless of geopolitical tensions or inaccurate media representations.

Geopolitical debates don’t need truth; blame can be assigned by default without any evidence

During recent months, the heat has been cranked up several notches, as Kaspersky Lab became a talking point during U.S. Congressional hearings in which government officials express their concerns about KL’s products. But similar to sensational media reports, there’s a lack of facts or proof to validate any potential concerns, given that we haven’t done anything wrong.

In fact, I’ve repeatedly offered to meet with government officials, testify before the U.S. Congress, provide the company’s source code for an official audit and discuss any other means to help address any questions the U.S. government has about Kaspersky Lab – whatever it takes, I will do it. And I look forward to working with any agency or government officials that are interested.

And while we continue to suffer from these meritless accusations, the U.S. government continues to take actions against our products. These moves have even led to reports of a former national security expert agreeing that Kaspersky is being treated unfairly. In addition, serious concerns have been raised by some of the actions among cybersecurity experts, journalists and analysts as it violates an established transparency and due process for government contractors, breaks the presumption of innocence principle and sets up a very disturbing precedent that fuels national cyber protectionism.

So what exactly is going on? Well, it looks to me like the reason for being shunned (despite our many offers to assist) can only be one thing: geopolitical turbulence.

Whenever there are tensions at the government level, the business is always the one to suffer. But what is there to do when the selected target (my company) happens to provide the best cybersecurity products and cyberthreat research in the world? There is only option left: concentrate on the origin of the given company.

A recent article in the Washington Post sheds some light on the possible prime cause of the situation, which was being considered during the former president’s administration:

Despite a lack of evidence as to the reasons why we’re being targeted, one thing does seem to be crystal clear: we are caught in the middle of a geopolitical fight. And there will never be any evidence to prove these false accusations against us since we’re innocent; but instead you’ll just continue to see a lot of unfounded allegations, conspiracies and theories – which are alarmingly and unfortunately contagious.

As I’ve said before, it’s not popular to be Russian right now in some countries, but we cannot change our roots, and frankly, having these roots do not make us guilty.

Perhaps what’s most unsettling of all is that other cybersecurity companies from other countries may soon be in the same position as us. Geopolitical debates don’t need truth; blame can be assigned by default without any evidence.

Let’s take a look at the even bigger picture — these reckless actions can negatively impact global cybersecurity by limiting competition, slowing down technology innovations and ruining the industry and law enforcement agency cooperation required to catch the bad guys.

For several years, the landscape has become even more treacherous for companies caught in the minefield of geopolitics, and as a result, different businesses have become unwitting pawns in the game of high-level geopolitical chess. Australia bans China, the U.S. bans Russia, Russia bans the U.S., China bans everyone…sometimes I can’t believe my eyes when I read what’s going on in the 21st century. Why are countries ceasing to cooperate in the fight against the common cybercriminal enemy?

Tackling cybercriminals is possible only if we – the good guys – can overcome national boundaries, just as the cybercriminals do. Only joint efforts by law enforcement agencies of different countries can lead to success, and during recent years, thanks to such cooperation many cyber-villains have been put behind bars. That’s why we legally cooperate with cyber-police of different countries, and also international organizations like INTERPOL and Europol. Without cooperation, there won’t be any coordinated actions against cybercrime; consequently, there’s impunity for the cybercriminals and cyberattacks continue to thrive. People, businesses and economies all suffer.

I see how the fragile foundations of international cooperation in cybersecurity are splitting at the seams. Relationships between some countries are being pushed back 15 years. It’s not clear when the seemingly interminable geopolitical storm will pass, or how long it will take to reestablish good working relationships.

Who will win from the Balkanization of the security industry? Yes, that was a rhetorical question.

In any situation, it’s possible to find the positive. Thanks to this long-winded geopolitical storm, we’ve become more transparent than any other cybersecurity company in the industry. We’ve rallied around our company cause like never before, and our employees continue to stand with their heads held high knowing we will prevail in the end.

Despite the challenges, we continue to protect our users around the globe from any cyberthreat there is, regardless of its origin or intention. Now let me get back to work – there’s always much to do when saving the world from cyberthreats.

Politics is a dirty sport, sad to see it shape #cybersecurity. @e_kaspersky comments on recent DHS directiveTweet

Separating The Facts From The Assumptions.

[originally published at Forbes]

I was both astonished and, more so, frustrated by the recent op-ed by U.S. Senator Jeanne Shaheen in the NYT. It is not only damaging the reputation and livelihood of the 300-plus Kaspersky Lab employees in the United States, but also detracting from valid concerns about the ability of different nations to engage in cyberespionage and to direct digitally enabled attacks against critical infrastructure.

But I won’t argue almost every point in the piece here; you can see our post in which we explain how the ‘facts’ in it are anything but accurate.

I want to tell you another story here. A story of our interconnected world  – where geopolitical fears are not driving trade wars or aggressive protectionism. In this world, we have the opportunity to choose not just American, Russian, Chinese or Japanese – we can choose the best. Or the worst. Or proudly choose domestic. But we have the right to choose. And that is a cornerstone of modern democratic society – freedom of choice. And it’s a cornerstone of U.S. economic dominance. Customers all around the world can choose the best operating systems, the best smartphones, and the best software. And almost always, it’s an American product. And people choose it not because of its origin or because the government told them to, but because they want to. Look at the top-10 largest companies based on market value. Eight are American, two Chinese. Do you think they’d be doing so well if governments around the world banned them?

Are we now banning companies based on its origin? Is it really the path we go on now? Imagine just how easy it is for any other country to exclude, for example, Microsoft, Oracle, SAP, Hitachi from governmental contracts based on allegations and speculations, without evidence saying “They’re a potential threat…; we’re very concerned about them [foreign software developers] and the security of our country!”

Also, information security is a different challenge all together. To be the most effective, the cybersecurity community needs to work side-by-side with industries and governments to actively fight cybercriminals and cyberterrorists. Given that these attackers don’t respect geopolitical borders, working together, versus isolation, is the key to making significant steps in the fight against cyberattacks. Unfortunately, misinformation and inaccurate perceptions are driving forward a dangerous agenda that may impact global cybersecurity, as origin may start dictating what technology is used instead of being able to choose the best solutions and experts available.

Internet balkanization is already here. More and more countries developing protectionist legislation making it harder and harder for global companies to cooperate and share data. Trust between countries, companies and customers is corrupted. CEOs of well-known companies warn against such policies. “The biggest barriers I think that we see are not around engineering. It is around regulation. It is around protectionism. It is around trust, or lack thereof. It’s around policies and procedures,” says Xerox Chairman and CEO Ursula Burns. Apple CEO Tim Cook also praised globalization as generally “great for the world” and cautioned against isolationism.

No less important is the fact that the main beneficiaries of internet balkanization are cybercriminals. “US citizens lost over two billion personal records…over 100 million Americans had their medical records stolen,” according to Steve Langan, chief executive at Hiscox Insurance. Moreover, we are ready to support U.S. law enforcement agencies in the fight against cybercrime, in particular with the fight against Russian cybercrime. We have many cybersecurity experts based in Russia who are often the first to detect and protect from the threats coming from the cradle of cybercrime. They did it two years ago with Carbanak, one of the biggest cyber gangs in history. They did it earlier this year when we announced our research on Lazarus, the North Korean hacking group attacking many victims around the world, including Sony Pictures. We want to help, but unfortunately the current geopolitical turbulence and recent allegations do not help us in protecting America.

Are we returning to the days of McCarthyism? When did it become OK to declare a company is guilty without one shred of public evidence? In addition, while the U.S. has talented cybersecurity experts, smart people, who are dedicated to fighting cybercriminals, are born and educated all around the world. If the most sophisticated cyber threats are coming from countries outside of the U.S., don’t you think using cyberthreat data and technologies from experts located in those countries might be the most effective at protecting your valuable data, especially given that they are fighting against those local threat actors every day?

It is time to separate geopolitics from cybersecurity. We need to work together globally. Kaspersky Lab has good relationships and regularly helps law enforcement agencies all over the world fight cybercrime, and we hope the U.S. will also consider learning more about us, and who we truly are, versus the rhetoric and false assumptions. We’re ready to demonstrate that we have nothing to hide, and that we only want to help defeat cybercriminals and prevent cyberattacks.

With that said, I previously offered to meet with Senators, Representatives, Committees, and federal agencies, publicly or privately, to answer any questions regarding my company or me. The offer still stands.