Newsmaker: For F-Secure, it's all about the safety net

There may be a dearth of dire news reports these days about worms rampaging around the Internet, but there's still plenty to occupy the time of a security company CEO.

Especially a new one, like Kimmo Alkio, the chief executive of F-Secure. Alkio recently rejoined the antivirus vendor from fellow Finnish company Nokia.

Silicon.com caught up with Alkio to discuss the security landscape, how governments should handle hackers, the need for a dot-bank domain name and his company's much-criticized stance on the potential threat of mobile phone viruses.

Q: You've recently rejoined F-Secure, and it seems your arrival has coincided with a very quiet time for the security industry. Is this fair to say?
Alkio: The public perception is that this industry may have become less active because three, four years ago there were these very high-visibility public virus outbreaks.

What we are now seeing is that the number of attacks and the quantity of malware is actually increasing. We are getting 7,000 new samples per day but it is being driven by new forces. What we see now is there is a criminal element acting purely for financial purposes and trying to stay hidden.

Phishing is still a major issue. There are markets such as India where the amount of phishing attacks has grown by 96 percent year on year.

Are a lot of threats targeting emerging markets as businesses and consumers in the West start to wise up and protect themselves? Are the criminals just dusting off the same attacks and targeting new regions?
Alkio: In emerging markets, the level of security is not where it is in the Western world. If you look at India, the number of broadband users is going from 8 million to 20 million in three years. Look at these markets where you have this number of people coming onboard. It does change the threat landscape.

I think there could actually be a big shift from commercial to political DDoS attacks, such as we saw recently with Estonia.

There are a lot of unprotected PCs, and online banking and e-commerce are growing. And we need to be very active in educating people.

These infected PCs in emerging markets are also being used in distributed denial-of-service (DDoS) attacks targeting Western businesses and governments.

How big a problem are DDoS attacks today? There was a lot of talk about extortion a couple of years ago, with criminals threatening to take down businesses' Web sites if a ransom wasn't paid. Is this still a problem?
Alkio: DDoS continues to harass people across the world. But is it more, is it less? What we are seeing is it is taking up a lot of bandwidth, and we need to protect people.

I think there could actually be a big shift from commercial to political DDoS attacks, such as we saw recently with Estonia (and Russia). Anyplace where you have political instability you could see an increase in DDoS attacks in that region.

What about mobile phone viruses? It's a drum that you have banged very loudly--leading to suggestions you're overhyping the issue. What do you say to accusations you've been irresponsible?
Alkio: If one recognizes that there is a healthy probability that Internet threats could be similar on the mobile side to the PC side then it could mean we're at the stage now that PCs were at in the late 1980s.

The devices, particularly smart phones, are becoming used more like PCs. So with a little bit of predicting and visioning into the future, based on past experiences, I think there is a tremendous need to ensure there is mobile security in place.

Do you think you've been as clear as you could be with the industry, with the media and with consumers, that what you are doing is visioning and predicting a scenario that could happen?
Alkio: Independent of how we have communicated this in the past, we are making it very clear today that the threat level on mobile malware is not severe today. There are only 323 known malware (exploits) on mobiles and over 300,000 on PCs. No hype. Period.

And a lot of that mobile malware is just proof of concept.
Alkio: Absolutely. Made by hobbyists. That's absolutely where we are today. But what's happening now is mobile phones are being used to download content from the Web and are increasingly being used for mobile e-mail.

They are increasingly becoming professional devices and it is obvious that you have to put the protection in place if there are mobile viruses and malware. We are protecting today and pre-empting a future virus.

More Newsmakers

[nedlohs]

new dot-bank top-level domain

I work for a community bank as its CFO. I understand the idea that a "$50,000" fee would deter some, that is prohibative for a small bank. For Wells Fargo/Chase and the big banks, its a blip. For us, with less than 100 employees, it would be devistating. Also, we own several names due to a name change a few years back and for abbreviation. This would run up very fast and be a budget buster for us.

[n3td3v]

security researchers should be held more accountable for security incidents

the government need to stop information and tools reaching the cyber terrorists in the first place by making security researchers more accountable for critical disclosures to the public.

for every security incident that occurs because of a security researcher disclosing information to the public domain, that security researcher should be held accountable.

supplying the bad guys with the tools to carry out the cyber attack should have the same weight as carrying out the cyber attack its self.

we're not saying full disclosure is banned, but what the government should be saying is, if your vulnerability/exploit code/information/tool is used in a cyber attack by someone, then that someone should be jailed or heavily fined as well as the security researcher who originally made it possible for that someone to carry out the cyber attack/security incident in the first place.

it should be the security researcher who decides how critical his disclosure will be and how many security incidents that dislcosure may result in, and its that security researcher who should decide after that if his potential legal position will lead to him being heavily fined or end up in jail or if he decides his disclosure isn't critical then feel happy about making a full disclosure to the public-at-large.

[Schratboy]

Accountability begins at home

Dude, the technology vendors are digging into exploits just so they can bleat the findings and positions themselves better in the marketplace. Notwithstanding the publicity seekers, every organization should focus on their own knitting: defining what's allowable business processes and zeroing out everything else. However, with sloppy policies and non-existent enforcement, seemingly innocuous employee entertainment opens the door to exploits and data leaks...and everybody is blaming the vendors?!

The massive over-spending on IT security is pseudo-comfort for the IT manager (look at how much money I've spent) and for the practitioners of fear, uncertainty and doubt. You're better of buying more than you need because you'll never know when you can be hit. Indeed! The narrow-mindedness of today's end-to-end technology vendors is stupefying and brazen. No technology can assure 100% security. Rule-based technology can't tell you what it missed. Only by examining what happening can you reasonable assess if incidents are held in check or if the wheels are slowly falling off the wagon.

Stop shooting the messengers (technology vendors) and start doing the job you're paid to do...and do it without exceeding your budget year after year.

[ColdMast]

why can't the government stop hurricans?

If flaws were never pointed out patches would never exist. Cyber-Terrorist would only be able to repeat the same attacks over and over again.

You act as the digital "enemy" doesn't research their own for exploits.

quote: GOVERNMENT -- should stop information
don't they already

[RacerX7]

It's called "Personal Responsibility"

The government is NOT my parent or babysitter.
Nor are software vendors.

The security researchers just make vunerabilities public. It doesn't mean they are the first to know about it. By making the public aware of a PRE-EXISTING flaw allows people to take precautions to defend themselves. If a person chooses not to take adequate precautions, that is their problem. Not the government's. Not the researcher's.

You want a 100% safe guarantee? Then unplug your computer and walk away.

Time to stop playing "victim" and take personal responsibility.