VeriSign's CEO hits back at critics
Published: 17 Oct 2003 12:35 BST
Q: Are security breaches of the Internet getting worse, or are they within the percentage range that should be expected, based upon the growth in traffic over the last year?
A: I'm not sure that it correlates to increases in traffic so much as the cleverness and evolution of hackers. What we've noticed on our networks is that the amount of worms, viruses and distributed denial-of-access attacks is growing at a 120 percent rate year over year.
The escalation in the number and impact of these attacks is forcing us to think about building early warning systems and preventive measures. The funny thing about digital security is that we've lived in a world where we only knew someone was attacking us when they hit our firewalls. It's time to evolve that world so that we get the information that an attack is coming before it hits our front door.
Q: Should the US Department of Homeland Security take the lead on that? And how would you grade its performance to date?
A: I'd give us all a C+ -- the DHS included. You can't materialise an organisation of that size overnight. They're dealing with really hard issues of just pulling the agencies together. To have expected them in that same period of time to have been incredibly effective at getting the education, the data sharing and the public-private partnership together would be incredibly optimistic.
Q: But do they get it?
A: I do believe that they understand the problem and realise that with 85 percent of the infrastructure in the private sector's hands, they better figure out a way to get the rest of us to wake up. You've now got an ecosystem -- from the consumer to the enterprise to the government -- linked at high speed with always-on devices. We better figure out a way to build a better ecosystem of security that's got the same attributes as what we have in the physical world that's built around early warning and the sharing of intelligence.
Q: On a recent conference call, one of your executives discussed the attacks on the domain name root servers last year. He said VeriSign's servers stayed operational because you had invested so much in security while others did not. People looked at that and said, "Well, the Internet is inherently insecure." Is that true? Can there be islands of security, or can there be some kind of bubble of security that's wrapped around the whole Internet?
A: If you go back to the mid-'90s, when we began talking about what impact the Internet would have, we always talked about the fact that it was a connection of networks and that no single path failure would bring the whole network down. You see the same resilience still there.
The DDOS (distributed denial-of-service) attacks last October on the root system -- hey, there are 13 global copies of that, and they're all operating. It should scare people that nine of the 13 went down. It's time for the Internet infrastructure to go commercial. On the core services of the infrastructure, it's time to pull the root servers away from volunteers who run them out of a university or lab or some other level. That's going to be an unpopular decision.













