Good guys versus bad guys--who's ahead?

Symantec CEO John Thompson says the battle of wits between mischief-making hackers and security firms is escalating.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
For Symantec CEO John Thompson, there's always something new to worry about.

"More than 100 new viruses are identified every week--and 60 new software (problems) every week," he said in a recent keynote speech. "We saw a 19 percent increase in attack activity in the first half" of 2003.

Spam, of course, is also on the rise, along with arguably ill-advised attempts to curb it.

On top of that, Microsoft, Computer Associates International and other software companies are beginning to encroach on the security market. Still, it's not Thompson's style to come across as perturbed. Awareness about security problems is growing, and so is Symantec.

Since Thompson's arrival from IBM in 1999, the Cupertino, Calif.-based company has more than doubled its revenue in the teeth of an industrywide downturn. Symantec has also completed a series of acquisitions to move deeper into the market for generalized management tools.

Thompson sat down with CNET News.com to discuss the growing problem of worms, spam legislation and other security issues.

Q: When we look at viruses, is it ever going to get any better?
A: What we know of traditionally as a virus is no longer the state of the art for attacks. Now, we don't see many viruses. We see mostly worms that have Internet propagation techniques.

We saw a 400 percent increase in attacks that use peer-to-peer or instant-messaging infrastructure in the first half of the year. It is a small number of attacks, but it's a whopping increase. The kind of attacks we are likely to see are more complex, will move more rapidly and do more harm. It's a horrible world out there, and we need to do a better job.

What is motivating the attacks? Has fraud overtaken the general urge to commit vandalism?
That element is certainly creeping in. Corporate espionage, credit card fraud, identity theft, rogue nations preparing for cyberwarfare.

Clearly, the tools available to the good guys are also available to the bad guys. The knowledge people have about the Internet's infrastructure and technologies--al-Qaida has the same knowledge, people in North Korea have the same knowledge--so if they really wanted to use the Internet as a way to probe into the infrastructure of this country, they clearly could.

Now, the vast majority of the activity is still kids, 18- to 23-year-olds in the dark of their bedroom doing what I call electronic graffiti. They don't go to the store anymore and buy 27 cans of spray paint. They just go to their bedroom and pull some macros off the Web and send them out. It's like the kid who reconfigured the MSBlast worm and sent it out as a new variant.

With all of this activity, how is Symantec's business going to change? On one level, it looks like you might have to do a lot of acquisitions or at least hire more people?
We will continue to look for promising technologies in which customers have a real interest. Time to market is critical. That, typically, is the basis on how we look at an acquisition. We've had the great luxury of being able to grow our company at a decent rate during the technology downturn. When I joined, we were 2,300 people and $630 million-something in revenue. This year, we will finish the year at $1.73 billion in revenue, and we will have more than 5,000 employees.

Will you have to move deeper into consulting or professional services?
I think that there will come a day when Symantec's ability to help customers will have to expand beyond the current software and services we have. More and more, customers are starting to suggest to us that they need help with the technical integration of our products into their environment. We rely very heavily on our partners to do a large portion of that, but some of our customers are suggesting that we should do more. As for almost everything we do, it is driven by what customers want and by how we believe we can effectively manage and monetize it. Someday, we will probably expand our business in that regard.

This is a growing opportunity for everyone. What we think is important is that we get everyone to participate--because there is no way we could ever deliver everything to everyone. There are channel partners that can fulfill a great part of that need.

Any thought of moving into the general-management tools area?
We announced two acquisitions, PowerQuest and On Technology, both of which add management capabilities for managing the configuration of a device and the distribution software. Those are important technologies, synergistic with our security products.

I wonder if you could give us a report card for different players in the security industry. First, businesses and home consumers. After the MSBlast worm and the August of hell, are they finally on board with the message that they need to constantly monitor and update their systems? Is that the case?
I think that the awareness on the consumer level is growing, and attacks like we had in August raise the profile of the threats. What we've seen over the course of the last three to four years is that every time there is a highly publicized attack, there is a rash of consumers and small businesses that run into the marketplace to acquire technologies. There is a step function every 15 to 18 months. Hence, the penetration rate of the technology is getting better and better.

What we have to do is make sure that the technology is easy to use. One of the simple things we did on our consumer product is that if you are on the Internet, we will look to see that you have the most current definitions, and in the background, we will update your virus files. That way, you won't have to think about it. Security should be invisible.

Consumers always question the estimates of damage. It's always $2.5 billion or $3 billion, but I always get e-mails asking where those figures come from. Where do they come from?
There are external organizations. You can argue about their methodologies, but they're consistent.

They look at opportunity costs, productivity losses and, in some instances, real damages to machines. They look at how much network traffic was interrupted, how many people were affected, how many devices were affected. And then, here's your number.

I don't care if we like the methodology or not. One true thing is that the volume of the activity is increasing, the complexity of the activity is increasing, and therefore, the associated costs are increasing. It's on a trajectory we all need to be concerned about.

How about the government?
The issue of securing the government's infrastructure has gotten a lot of attention over the last couple years, certainly as a result of the National Cybersecurity document produced earlier this year. It said the government needs to serve as an example--a role model--for the private sector on how to secure an infrastructure. A lot more money has been allocated and applied to securing the government's infrastructure. But there is a long way between raising awareness in the government, getting buy-in from both sides of the house and getting programs implemented. We're not quite there yet.

What do you think of security professionals? There are a lot of mavericks and eccentrics. Does the culture of security experts need to be changed a bit?
I think that we need to create a culture of security. We've been able to change things in our country by reinforcing messages. Seat belts--terrific example. When seat belts first came out, they were a pain in the ass. Everyone wanted to take them out of their car. Now, you don't even think about it. You get in your car and buckle up. Forest fires. Smokey Bear. Wonderful campaign.

Time and time again, when there was a societal threat, we used the power of the public broadcast system to raise the consciousness of the public, and I think that's where we are in this digital world. More and more of what we do will be connected, and more of what we do will depend on that connected infrastructure. We need to raise the awareness of individuals to the largest governments of the world that there are simple steps that they can take to be more secure.

What do you think of the skills gap in the United States? How dire is it?
In the security domain alone, there is a forecast that we will be short almost 50,000 security professionals--to build the right products, to be the practitioners, to serve as the teachers and professors--over the course of the next five years. If we don't do something about it, if we don't create awareness programs, if industry doesn't step up to see how we can fund university initiatives, if the government doesn't pitch in--this is a better use of the government's time than screwing around with spam. We will be facing a big problem.

There's an argument floating about that companies can better insulate themselves from attacks by deploying heterogeneous environments--Windows plus Linux, etc. Will this help, or will the managerial headaches outweigh the gains?
I think that enterprises already run a heterogeneous environment. Does it help security? I don't know if it does, but I don't know that it doesn't, either. Security is a process. As you introduce new technologies into that environment, you need to embrace and protect it, as you do the current infrastructure.

Too many people may be putting too much emphasis on "Is Linux more secure?" The issue in my mind isn't that; it is "Is it a more cost-effective infrastructure than the alternative?" That is the reason you make the decision.

The minute the Linux environment becomes as target-rich as the Windows environment, people will find ways to crack it. Why would you spend all your energy trying to attack a desktop system in limited use?

On spam, you suggested that carriers could solve the problem by charging spammers to carry their messages. How come they aren't doing that?
I don't know. I think you have to ask them what their motivation is for not making the necessary changes for controlling the flow of this stuff. If you think about it, computers started out with a very simple task: to count. That's all they did. So, if they did it 50 years ago, why can't they count today how many mail messages come from your mailbox or your identification? I can simply count how many mail messages your ID sends out and say, "Whoops, you've just exceeded the limit" and shut it down. Simple. Why they won't do it I don't know.

I agree that the antispam legislation is going to be fairly unenforceable, but wouldn't a carrier payment system require some sort of regulation so that a lowest-common-denominator carrier doesn't decide to carry it free?
Well, at some point somewhere in the network, a piece of traffic flows through where it can be blocked. The Internet is a network of networks, so somewhere along the way, someone can detect a flood of traffic coming from one place. All I am suggesting is this: Why use regulation for something that is almost unenforceable? Why don't we as an industry look to see if we are contributing to the problem in some way and see what we can do to stop it?