Anastasiya Kazakova, Public Affairs Manager
It is generally thought that international norms and rules can help reach the desired level of trust in cybersecurity among actors in international relations, bring cyber-stability, make the world less chaotic, and minimize the risk of conflict. While we support the further active development of such ‘cyber norms’, we understand that it requires much effort and time and a strong will of states to create enforcement measures to ensure that such norms are followed. At the same time, such norms can be followed by states only, while non-state actors remain in a legal ‘grey area’ without a direct obligation to meet certain norms of behavior.
While diplomatic efforts continue at international forums, we, as a representative of the private sector, would like to propose a practical solution: a solution to help achieve both the desired level of trust among actors and cyber-resilience from modern cyberthreats.
Generally, trust in a company is based largely on its reputation, on the long-term relationship built with its audiences. The decision to trust or not relies on the personal opinion of each individual, based for instance on past experience, culture and values. Trust in a company or particular product may therefore be based on a number of factors, where fear of potential risks might prevail over a more evidence-based approach.
In the strategic field of digital technology, should we not think about a new approach that is more evidence-based than impression-based? In this perspective, we propose to shift to a paradigm of ‘verifiable trust’. The main way to do this is through the development of a new framework and mindset – digital trust and digital ethics – which provide clear and practical verification measures to assess risk.
Defining together the conditions of trust under the Paris Call
We fully support President Emmanuel Macron’s Paris Call for Trust and Security in Cyberspace, since it represents an opportunity to bring together industry experts, academia, the public sector and civil society to work together to develop a shared comprehensive framework to assess the trustworthiness of IT products.
Such a framework would address IT supply chain risks to the benefit of all stakeholders: businesses, civil society, governments and citizens by helping assess what is an appropriate level of risk within the risk-based approach paradigm.
Kaspersky is ready to provide its infrastructure and systems, including its source code for evaluations needed to make the framework work.
Two primary factors would be the focus:
- Product integrity assessments: Do IT products contain any unintended functionalities?
- Data collection and processing assessments: How do IT products collect, process, store, and protect user data?
In addition, we believe it is necessary to enhance public-private cooperation under the Paris Call – the growing threat of fragmentation, divisions and protectionism worries us, as it would undermine global stability and limit our capacity to address global challenges, including cybercrime. A lack of dialogue and cooperation would negatively affect the world community and make it less secure, while it is cybercriminals who benefit from such a divided world.
Hence, ‘multistakeholderism’ as a concept needs to be ensured to define best practices and maximize efforts. Companies and non-state actors are of tremendous help in sharing better governance in cybersecurity and ensuring the balanced development of data-driven economies.
In this regard, under the Paris Call we call on all signatories:
- To establish a consultation platform through physical meetings to collect ideas and streamline collaboration between signatories. Such streamlining might focus on discussion of our (i) trustworthiness framework, (ii) cyber-norms and (iii) cyber-hygiene and education.
- To establish a consultation mechanism through physical meetings for developing the standardization approach and framework for cybersecurity products.
- To prepare a high-level publication with a more detailed analysis of possible steps to promote the values and achieve the goals the Call states.
Kaspersky is ready to engage in this effort with other partners to build a safer cyber future based on digital trust - the combination of cybersecurity, effective data protection, accountability and transparency.
We are open to hearing feedback (please contact us at TransparencyCenter@kaspersky.com) and proposals from other Paris Call signatories: industry players, academia, etc. to explore opportunities for further cooperation under the initiative.
[PDF] Kaspersky’s contribution to enhancing trust in cyberspace through the Paris Call.