It's a chief concern for VeriSign CEO Stratton Sclavos, whose company is the leading provider of domain name registrations. Currently, VeriSign processes more than 14 billion daily queries, on average, in its operation of the .com and .net infrastructure. The company's new ATLAS system-- short for Advanced Transaction Lookup and Signaling System--is designed to accept more than 100 billion queries per day and 25,000 updates per second.
Sclavos recently sat down with a group of reporters and editors from CNET News.com to discuss the state of cybersecurity, the future of the Internet Corporation for Assigned Names and Numbers (ICANN), and directions for his company in 2005.
Q: Earlier this year, Amit Yoran resigned. That makes the third online-security czar to leave the federal government within the last two years. Are you frustrated with the government's inability to get on top of cybersecurity?
A: I think I come at it with one foot in both camps. Raising the visibility of cyber within the Department of Homeland Security and the government--and U.S. society at large--I think it's very, very important. But I don't think it's a single step of appointing an assistant secretary. We also have to start with education, right in the schools. I think we need to get the school systems involved, teaching the kids what responsible surfing is all about.
I sit on the Telecommunications Advisory Committee, and it's just in the last year that we finally got to talking about next-generation networks and the impact of the threats to cybersecurity versus talking about physical telecom networks. So it's a slowly moving issue--for both government, as well as the telecom industry...That being said, after September 11 it would have been hard to argue that getting the physical job done right shouldn't be a higher priority than cybersecurity.
Where do you think we are in terms of IPv6 adoption in the U.S. and what are the implications for security?
It's a technology, so what's probably more relevant is how to deploy it as opposed to whether it's enabling more security or less security. It kind of dovetails with the (Department of Homeland Security) situation. Our opinion is that a concerted cyberattack is going to be coupled with a physical attack.
So when you talk about IPv6, what could that do to help prevent things? Well, if everything had a unique address, you're probably capable of tracking and tracing things much more quickly. Forensic analyses of where attacks are coming from can happen in a fraction of a second versus having to figure out network address translation buffers and shared IP addresses and revolving IP addresses. I think IPv6 gives you a footprint for figuring out how to track every point on the network and thereby develop the tools to be much more secure.
How far along is the U.S?
Other countries are farther ahead of us...I think there are a lot of us who believe it would be a good thing if we could move faster. I think that's one of the challenges right now with the standards committees. They are working on '70s and '80s kinds of time frames for adoption versus 1990s and 21st century frames of adoption.
When it comes to improving the peoples' security practices, do you think we need to begin in grade schools?
It has to start at that kind of level when the kids are first introduced to computers. This is the first generation that grew up with the Internet as something they use every day. My kid is piping her IM to her phone. We are into a generation where the technology is going to be taken for granted. The question becomes, can we get them to appreciate and understand the pain of implementing security? I think it will happen because of events that drive that kind of awareness.
We hear about broadband executives who talk about quarantining subscribers who aren't doing enough to protect their systems. That is, you wouldn't have a right to be on the network if you fail to meet certain obligations.
It's a stick-and-carrot problem...I think some combination of that is going to become part of the service contract in the long term.
What are the big issues related to Internet registration going to be in 2005? It seems to always be a perennial controversy.
Oh, I think there is more noise than there is substance at the moment. We are in a legal dispute with ICANN, where we are trying to get clarity on the contract. We would be thrilled--no matter what the outcome--just to understand what they have responsibility for governing with us and what they don't. If that clarity comes in 2005, that would be a good thing.
The .net rebid is going on and the bids are due sometime in March, while the award will come in June. I think we have a good chance of winning it again. VeriSign will do $1.4 billion in revenue next year, while .net is about $25 million of that. So it's not a big enough source of revenue to impact us negatively.
Do you think the government should be more active in its oversight of ICANN's processes?
"I don't know" is the honest answer. A significant amount of the economy is running on the Internet and a lot of traffic runs through those addresses. So I think that's a real challenge.
ICANN needs to make sure its processes are fair and transparent. It also needs to make sure they chose a provider who can actually do this at scale. I think the U.S. government is going to have to keep a close eye to make sure that there aren't some risks that potentially extend to the economy.
What do you think would be an appropriate level of government activism in this particular case?
I think it needs to ensure that the process is, in fact, transparent and objective...and that there won't be any subjective criteria. I think having the (government) have some oversight over that process and some dialogue with ICANN to make sure the process is followed is probably about the most they are willing to do.
There's been some discussion about the U.N. taking a more prominent role. Is that kind of change required?
Throwing it over to some (international) body is like trading one problem for another. Look, ICAAN was created at a very unique time, right at the height of the bubble. There was a dramatic amount of pressure on the U.S. because so much of the Internet was happening here and not elsewhere. The Clinton administration wanted to be more inclusive of international bodies and so it came up with a mission of increasing competition from what had been a monopoly operated by Network Solutions. I would love to see a strong ICANN with transparent processes focused on stability and innovation.
But that's not what you have now. Why is that?
That is not what the current infrastructure allows it to be because you've got a lot of political biases and archaic governing bodies that all have to vote. Many times, you have your competitors voting on whether or not you should be able to deliver a service. And in the meantime--while they delay you from delivering the service--they introduce a competing one themselves.
I don't think that's ICANN management's fault. I think their new management would agree with the stance that processes need to be streamlined and much more transparent and that the biases need to be pulled out of the system. If they can get there, then we're all in support of ICAAN. The reality is we should try to sort out the model for international regulation of a borderless infrastructure.
Where do you stand on forcing strong authentication of who has registries?
We are all for more privacy in the U.S. system, strong authentication for the registrants and a process by which the intellectual property community can challenge that anonymity?through due course. Unfortunately, VeriSign is a security vendor, so if we say that, it looks like we're trying to sell product. It's just not a battle we see ourselves being able to lead the fight on.
As your company heads into 2005, does VeriSign plan to go in any different directions or will it be more of the same?
When we walked into 2004 the question was, "Can you be a growth company again?" As we exit the year, the old businesses have come back to be double-digit growers. Meanwhile, we've introduced a couple of new services that will give us incremental growth legs for next year. And finally, things like RFID and VoIP and Wi-Fi roaming can be put on the road map... and then as those markets take off, we plan to reposition for some additional growth there...So we kind of like the portfolio initiatives we have.
What about acquisitions? Is that something you're going to look at for next year?
I think we like the assets we've got. We don't have anything on our strategic agenda. But if another large carrier or large enterprise--or the government--came to us and said, "We'd really like you guys to extend what you are doing in this space," we might go looking. But we're talking about it as an add-on or customer-consolidation play as opposed to big strategic entry into another business.
See more CNET content tagged:
cybersecurity, IPv6, cyberattack, VeriSign Inc., attack
The other problem is email virisus, despite the efforts of multi-billion dollar AV companies and 2+ years of trustworthy copmputing, viruses have continued to spread through email unchecked using THE SAME EXACT TRICK for the past ~10 years!
Is it too much to ask that Microsoft write a free secure email client and ship it with windows? scr, bat, exe, and vbs files should all be blocked by default and the user should have to figure out how to enable them if need be.
A few minor changes by Microsoft could eliminate 80% of the problem.
I'd love to say that your comment makes a lot of sense, but it doesn't. Most of the ROOT DNS infrastructure probably doesn't run on Windows. They run on Unix/Linux boxes at universities, etc. In terms of DDoS attacks, most of those servers are already attacked on a daily basis, and they're all redundant. That's why there are 12 of them. DNS is a distributed technology that is relatively effective.
Second, maybe you should check out the "minor change" called Windows XP Service Pack 2. It has your "secure e-mail client" and was recompiled using a different technology to reduce the number of "buffer overflow" errors that most viruses exploit.
I mean, I know it's the biggest company and everything, but what's the point in ALWAYS blaming Microsoft? Why not point some of the blame on virus and spyware propagators? Any system that is built by humans isn't ever going to be 100% secure/perfect/free of bugs. Until more virus writers are jailed, and spyware is against the law (and the law actively enforced), this stuff will continue.
The originators of the Internet new what they were doing. It was technology that was stout and managable. Thanks to big business, it is now unmanagable and we are actually talking about the the possibility of bringing it down.
Big business will in fact be the demise of one of man's greatest inventions. Mark my words!
Guess what. It can. Pull your head out of the sand.
The CEO of VeriSign is nothing but a true FUD-spreader. I hate the term "FUD", but it applies specifically to this sort-of interview.
Please, CNet, stop interviewing this guy. VeriSign needs to shut down and have its doors closed more-so than any other conglomerate of a company in existance right now.
GO AWAY VERISIGN, AND TAKE YOUR CEO WITH YOU.
sheesh. News?
The wild imaginations among you have jumped to the conclusion that the fear is about shutting down the internet, but that's not what's being discussed--a targeted coordinated attack would only have to shut down a limited part of the network that enables machinery in buildings or communications in certain locations. Those of us who live on the East coast know that on 9/11/01 we were unable to reach local web sites or even use the web at all in this part of the country because the World Trade Center was an antenna farm, telecom nexus, and home for numerous important servers. The effect has already been unintentionally proven in practice and terrorists may now be looking for specific instances where physical and communications attacks can be combined for greater effect. THAT is the issue, which neither heads of private corporations such as Mr. Sclavos nor schoolchildren are equipped to save us from...
- Why do use pictures of Macs...
- by davidlawless January 9, 2005 3:03 PM PST
- when you publish articles on internet security??? Macs are
- Like this Reply to this comment
-
(24 Comments)considered to be the least troubled by security issues and I've
noticed on numerous ocassions (in addition to the current,
Preparing for a doomsday attack) that you use pictures of Macs
with these articles. This particular article didn't even mention
Apple or Mac, so why the continued use of Macintosh pictures
(especially ancient ones such as the one used for the mentioned
article). Surely, you have stock graphics of other computers???