FEBRUARY 2005 :: COVER STORY :: ONLINE

The Internet's Security Guard

CEO of Symantec Talks About the Never-Ending Battle Against Online Threats

By David Bank
Staff Reporter of The Wall Street Journal

All the bad news about viruses, worms, spyware and other computer-security threats has been good news for Symantec.

As the largest exclusive maker of computer-security software, the company has grabbed an outsize share of the surging interest in cybersecurity. In its last fiscal year, Symantec's revenue rose 33%, while profit soared nearly 50%.

A few years ago, Symantec was a middling provider of tools and utilities for Windows PCs. When CEO John W. Thompson took over in 1999, he focused Symantec entirely on computer security.

Mr. Thompson recently spoke with The Wall Street Journal about the scope of the threats to computer security, and what can be done about them.

WSJ: How serious are the threats to computer security that you see and what can be done about it?

Mr. Thompson: The Internet threat environment -- hacker attacks, the propagation of worms and viruses and other types of activity like that -- has accelerated beyond our wildest imaginations of just a few years ago. On average, every week you see about 100 new viruses [detected] in our labs. You see almost 50 new software vulnerabilities every week. In the past, an attack was typically localized to the operating system; now we're seeing more vulnerabilities in more products. That's led to an unprecedented level of activity in the hacker-cracker-virus-writer community.

The annoying challenge we all deal with is spam. There are some forecasts that in the U.S. alone [in 2003], spam was about a $10 billion productivity hit to the economy.

The more threatening and challenging task, however, is phishing. And I don't mean fly-casting. I mean phishing for credit-card information, Social Security numbers, mothers' maiden names. Popular Web sites or popular brands are hijacked to divert unsuspecting consumers and even small businesses off to a spot where their identities can be stolen. Phishing is growing, by the latest estimates, at 110% a month. There's an important role for government right now in helping the industry at large around education and training.

WSJ: You'd like government to pass a law saying that we've got to buy your products?

Mr. Thompson: Absolutely not. What I don't want is for government to step in and dictate a given solution, or what strategy or what technology a company or an individual should deploy; or step in and create the false sense of hope that what they're doing is going to protect them.

A good example is the "Can Spam" legislation [aimed at making spam-sending illegal]. Every one of our U.S. senators and House members was able to go home last November and say, "Yes, I voted for the spam legislation." And the net effect of that has not changed the volume of spam traffic downward one iota. As a matter of fact, it's accelerated since then.

But there are clearly a number of places where I think industry and government can work together to do a better job. First, awareness. It is unconscionable that somebody on a broadband connection would be without antivirus protection, without a personal firewall, without some of the simple protection tools that are so readily available in the marketplace, if not from me for a fee, from someone else for free. ... You have a responsibility to protect your own assets.

Why would you ever respond to a [phishing] e-mail? That's not the way Citibank works. That's not the way Amazon works. We have to tell people, "This is just stupid. This is not smart." If we can't change behavior, we're going to be chasing the problem with technology forever.

WSJ: What makes spyware a more insidious threat to PC users than things such as viruses?

Mr. Thompson: When a virus attacks or a worm attacks, it attacks a certain spot in the system and it's relatively easy once you have seen the pattern to identify it again and then eliminate it.

Spyware uses a slightly different technique. It distributes many little pieces of code and it embeds it in parts of your operating system, your applications and what have you. And then the task is not only to identify them but make sure you remove every single one of them. There are any number of products in the marketplace to help protect you from that. But none of them are as effective as they need to be because the state of the art is advancing as fast for the attackers as it is for those of us trying to block [them].

Spyware popped up a year or less ago and it's grown so rapidly that there are a dozen or more new companies in the industry trying to solve the problem.

WSJ: What can consumers do to protect themselves?

Mr. Thompson: There is a logical three-step process that both individual and corporate users should follow. The first is to be aware. For consumers, awareness comes in the form of an alert any time there's a new virus in the marketplace, an alert that comes any time a new vulnerability is discovered, an alert that comes from Microsoft every time they want you to upgrade or patch your system.

What, unfortunately, doesn't happen is the "act" step, which is to push a patch, do the software update, redeploy virus signatures, on and on.

And then there's a third phase: How do I control my environment? How do I set up a real-time backup? Now that I've got my entire family photo album online, I should have some idea as to how frequently I ought to back it up. Attackers don't want to necessarily take your photo album but they wouldn't mind rendering the drive on which you have it stored inoperable.

It's not unlike living in the physical world. If you live in a gated community you don't say, "Well, I don't need locks and alarms."

WSJ: Some of the most effective spyware-protection software is free. Is that a threat to your business?

Mr. Thompson: An organization that derives no revenue from a product and therefore has no visible means of support, how are they going to support you as the threat environment changes? It may very well be that the technology they have today is very effective today. How effective will it be tomorrow? We spend 4% to 15% of revenues on R&D. We'll generate $2.4 billion in revenue this year. We've got a visible means of support for customers as opposed to things that are free that you don't know where the support's going to come from.

WSJ: Do you recruit employees from the hacker community?

Mr. Thompson: No, we don't. We have people who are every bit as capable but they live by a moral compass or an ethical standard that is consistent with our brand.

We trade on trust. And so if customers ever thought that Symantec was at the root of some of this because we've had people who didn't live by the same ethical code or moral code that we believe in, that wouldn't be a good thing.



 

Copyright © 2008 Dow Jones & Company, Inc. All rights reserved.