If a concerted cyberattack is coupled with a physical attack, will the system hold up? VeriSign CEO Stratton Sclavos talks about what's being done to prepare.
Staff Writer, CNET News.com
The Internet has withstood major assaults to bring the system crashing down, but each new cyberattack raises the specter of a doomsday scenario.What if terrorists launched a physical attack in combination with a major cybersalvo aimed at bringing the Internet to its knees? Because of the increasing overlap between the various energy, electrical and communications grids, the potential risk is no longer theoretical.
It's a chief concern for VeriSign CEO Stratton Sclavos, whose company is the leading provider of domain name registrations. Currently, VeriSign processes more than 14 billion daily queries, on average, in its operation of the .com and .net infrastructure. The company's new ATLAS system-- short for Advanced Transaction Lookup and Signaling System--is designed to accept more than 100 billion queries per day and 25,000 updates per second.
Sclavos recently sat down with a group of reporters and editors from CNET News.com to discuss the state of cybersecurity, the future of the Internet Corporation for Assigned Names and Numbers (ICANN), and directions for his company in 2005.
Q: Earlier this year, Amit Yoran resigned. That makes the third online-security czar to leave the federal government within the last two years. Are you frustrated with the government's inability to get on top of cybersecurity?
A: I think I come at it with one foot in both camps. Raising the visibility of cyber within the Department of Homeland Security and the government--and U.S. society at large--I think it's very, very important. But I don't think it's a single step of appointing an assistant secretary. We also have to start with education, right in the schools. I think we need to get the school systems involved, teaching the kids what responsible surfing is all about.
I sit on the Telecommunications Advisory Committee, and it's just in the last year that we finally got to talking about next-generation networks and the impact of the threats to cybersecurity versus talking about physical telecom networks. So it's a slowly moving issue--for both government, as well as the telecom industry...That being said, after September 11 it would have been hard to argue that getting the physical job done right shouldn't be a higher priority than cybersecurity.
Where do you think we are in terms of IPv6 adoption in the U.S. and what are the implications for security?
It's a technology, so what's probably more relevant is how to deploy it as opposed to whether it's enabling more security or less security. It kind of dovetails with the (Department of Homeland Security) situation. Our opinion is that a concerted cyberattack is going to be coupled with a physical attack.
So when you talk about IPv6, what could that do to help prevent things? Well, if everything had a unique address, you're probably capable of tracking and tracing things much more quickly. Forensic analyses of where attacks are coming from can happen in a fraction of a second versus having to figure out network address translation buffers and shared IP addresses and revolving IP addresses. I think IPv6 gives you a footprint for figuring out how to track every point on the network and thereby develop the tools to be much more secure.
How far along is the U.S?
Other countries are farther ahead of us...I think there are a lot of us who believe it would be a good thing if we could move faster. I think that's one of the challenges right now with the standards committees. They are working on '70s and '80s kinds of time frames for adoption versus 1990s and 21st century frames of adoption.
When it comes to improving the peoples' security practices, do you think we need to begin in grade schools?
It has to start at that kind of level when the kids are first introduced to computers. This is the first generation that grew up with the Internet as something they use every day. My kid is piping her IM to her phone. We are into a generation where the technology is going to be taken for granted. The question becomes, can we get them to appreciate and understand the pain of implementing security? I think it will happen because of events that drive that kind of awareness.
We hear about broadband executives who talk about quarantining subscribers who aren't doing enough to protect their systems. That is, you wouldn't have a right to be on the network if you fail to meet certain obligations.
It's a stick-and-carrot problem...I think some combination of that is going to become part of the service contract in the long term.
What are the big issues related to Internet registration going to be in 2005? It seems to always be a perennial controversy.
Oh, I think there is more noise than there is substance at the moment. We are in a legal dispute with ICANN, where we are trying to get clarity on the contract. We would be thrilled--no matter what the outcome--just to understand what they have responsibility for governing with us and what they don't. If that clarity comes in 2005, that would be a good thing.
The .net rebid is going on and the bids are due sometime in March, while the award will come in June. I think we have a good chance of winning it again. VeriSign will do $1.4 billion in revenue next year, while .net is about $25 million of that. So it's not a big enough source of revenue to impact us negatively.
Do you think the government should be more active in its oversight of ICANN's processes?
"I don't know" is the honest answer. A significant amount of the economy is running on the Internet and a lot of traffic runs through those addresses. So I think that's a real challenge.
ICANN needs to make sure its processes are fair and transparent. It also needs to make sure they chose a provider who can actually do this at scale. I think the U.S. government is going to have to keep a close eye to make sure that there aren't some risks that potentially extend to the economy.
What do you think would be an appropriate level of government activism in this particular case?
I think it needs to ensure that the process is, in fact, transparent and objective...and that there won't be any subjective criteria. I think having the (government) have some oversight over that process and some dialogue with ICANN to make sure the process is followed is probably about the most they are willing to do.
There's been some discussion about the U.N. taking a more prominent role. Is that kind of change required?
Throwing it over to some (international) body is like trading one problem for another. Look, ICAAN was created at a very unique time, right at the height of the bubble. There was a dramatic amount of pressure on the U.S. because so much of the Internet was happening here and not elsewhere. The Clinton administration wanted to be more inclusive of international bodies and so it came up with a mission of increasing competition from what had been a monopoly operated by Network Solutions. I would love to see a strong ICANN with transparent processes focused on stability and innovation.
But that's not what you have now. Why is that?
That is not what the current infrastructure allows it to be because you've got a lot of political biases and archaic governing bodies that all have to vote. Many times, you have your competitors voting on whether or not you should be able to deliver a service. And in the meantime--while they delay you from delivering the service--they introduce a competing one themselves.
I don't think that's ICANN management's fault. I think their new management would agree with the stance that processes need to be streamlined and much more transparent and that the biases need to be pulled out of the system. If they can get there, then we're all in support of ICAAN. The reality is we should try to sort out the model for international regulation of a borderless infrastructure.
Where do you stand on forcing strong authentication of who has registries?
We are all for more privacy in the U.S. system, strong authentication for the registrants and a process by which the intellectual property community can challenge that anonymity…through due course. Unfortunately, VeriSign is a security vendor, so if we say that, it looks like we're trying to sell product. It's just not a battle we see ourselves being able to lead the fight on.
As your company heads into 2005, does VeriSign plan to go in any different directions or will it be more of the same?
When we walked into 2004 the question was, "Can you be a growth company again?" As we exit the year, the old businesses have come back to be double-digit growers. Meanwhile, we've introduced a couple of new services that will give us incremental growth legs for next year. And finally, things like RFID and VoIP and Wi-Fi roaming can be put on the road map... and then as those markets take off, we plan to reposition for some additional growth there...So we kind of like the portfolio initiatives we have.
What about acquisitions? Is that something you're going to look at for next year?
I think we like the assets we've got. We don't have anything on our strategic agenda. But if another large carrier or large enterprise--or the government--came to us and said, "We'd really like you guys to extend what you are doing in this space," we might go looking. But we're talking about it as an add-on or customer-consolidation play as opposed to big strategic entry into another business.