Company Will Open Transparency Center in Zurich by 2019; Data From Customers in North America Will be Stored and Processed in Switzerland

As part of its Global Transparency Initiative, Russia-based Kaspersky Lab today announced that it will adjust its infrastructure to move a number of "core processes" from Russia to Switzerland.

The security firm has had problems with the U.S. government. In September 2017, the U.S. Department of Homeland Security (DHS) instructed government departments and agencies to stop using products from the Russia-based firm.

There is no hard evidence that Kaspersky has ever colluded with the Russian government; and the lost U.S. government market is small in global terms. The bigger problem, however, is the knock-on effect that U.S. government criticism has on trust levels in the wider market.

In December 2017, Lithuania banned the use of Kaspersky Lab software within certain critical national industries. In April 2018, Twitter stopped accepting ads From Kaspersky Lab; and now, on May 15, 2018, the Dutch government announced it will phase out Kaspersky Lab anti-virus software 'as a precautionary measure'.

Justice Minister Ferdinand Grapperhaus told the Dutch parliament, “The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis. Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

In December 2017, the UK's National Cyber Security Center published a letter it had sent to government permanent secretaries. It included, "In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used."

It is to maintain or regain trust that is behind Kaspersky's Global Transparency Initiative, announced in October 2017.

"The new measures," the firm announced, "comprise the move of data storage and processing for a number of regions, the relocation of software assembly and the opening of the first Transparency Center," which will be in Zurich.

The measures in question include customer data storage and processing for most regions; and software assembly including threat detection updates. Transparency will be provided by making the source code available for review by responsible stakeholders in a dedicated Transparency Center.

The company said that by the end of 2018, its products and threat detection rule databases (AV databases) "will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide."

The firm is going further by making plans for its processes and source code to be independently supervised by a qualified third-party. To this end, it is supporting the creation of a new, non-profit organization able to assume this responsibility not just for itself, but for other partners and members who wish to join.

“The third-party organization is a non-profit organization to be established independently for the purpose of producing professional technical reviews of the trustworthiness of the security products of its members (including Kaspersky Lab)," the firm told SecurityWeek.

“Since transparency and trust are becoming universal requirements across the cybersecurity industry, Kaspersky Lab is supporting the creation of a new, non-profit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join. The details of the new organization are currently being discussed and will be shared as soon as they are available.”

Switzerland has been chosen as the site of the Center as much for its symbolic importance as anything else. “We considered several locations for our first Transparency Center, and Switzerland most closely met our criteria as well as our policy of complete neutrality," Kaspersky Lab told SecurityWeek.

"We detect and remediate any malware, regardless of its source or purpose, while Switzerland has a long and famous history of neutrality. We also value Switzerland’s robust approach to data protection legislation.” Noticeably, Switzerland is one of just a handful of non-EU companies that has been recognized by Europe as having 'adequate' privacy controls.

Noticeably, Kaspersky Lab does not link the move specifically to the effects of the U.S. ban, but sees wider issues of global trust emerging. “We are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing," it said.

"This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends. Having said that, the overall aim of these measures is transparency, verified and proven, which means that anyone with concerns will now be able to see the integrity and trustworthiness of our solutions.”

Related: The Increasing Effect of Geopolitics on Cybersecurity