Kaspersky is fighting to retain access to Australian critical infrastructure operators in the face of proposed legislation that could make it harder for foreign IT vendors to sell products into utilities and ports.
It comes as the company also struggles to maintain business with Western governments following bans in the US and UK.
Late last year the Australian government unveiled draft legislation that would force operators of critical electricity, water and port infrastructure to detail their IT security postures and outsourcers to the government.
The legislation would give the government the power to order the operators to fix any perceived security holes.
The government wants more oversight of how entrenched foreign vendors and outsourcers are in Australia's critical infrastructure assets in order to ensure they are properly protected.
It is worried about the risk of “espionage, sabotage and coercion”.
Moscow-headquartered Kaspersky used a submission to consultation on the draft bills to lobby the government not to lock out foreign IT vendors.
The company's repeated assertions that it has no ties to the Russian government and would not assist with cyber espionage have fallen on deaf ears.
In response, it has launched a 'global transparency initiative' that promises independent reviews of its code and business processes, and this week it also promised to open a data centre in Switzerland to address Western governments' concerns.
In its submission to the Australian government consultation, released today, Kaspersky argued that governments should not assess their trust in cyber security products based on a vendor's physical location.
"We strongly believe that the cyber security industry needs to address the question of trust with more robust criteria than the geographic location of a company’s headquarters – be it Melbourne or Moscow," the firm said.
"Kaspersky Lab recognises that trust is not a given – it must be repeatedly earned through an ongoing commitment to transparency and accountability."
Instead, the firm proposed a global "customised certification with multi-layered assurance" that relies on performance-based standards and industry best practice for customers to assess risk.
Kaspersky also argued the draft legislation risked pushing infrastructure operators away from "thorough risk assessment" of suppliers and towards "tick-the-box compliance", while locking Australia out of global developments.
"‘Localising’ or ‘regionalising’ cyber security regulation does little to help Australian enterprises to gain a share of the global $93 billion information security market projected for 2018 by Gartner or the growing $22 billion market of industrial cyber security (by 2023)," Kaspersky said.
"The breakthrough technologies driving this market -- such as AI and machine learning -- require access to large troves of historical threat data from across the globe to develop efficient threat detection and prediction models.
"Even the relatively niche segments of IoT security (estimated to reach US$547 million in 2018) and automotive cyber security (estimated to reach US$32 million by 2021) will depend on accessibility of local markets to the technologies developed in US, China, Israel, Japan, Russia, Europe and elsewhere."
The company also claimed that "regulatory fragmentation" in Australia could lead other Indo-Pacific countries to make similar moves.
This would 'hamper the potential of a global digital marketplace, and affect the exportability of Australian cybersecurity products and services', Kaspersky said.