Check Point upbeat about security


Q&A

Call Gil Shwed an optimistic pessimist.

The CEO of Check Point Software Technologies expects the sophistication of virus writers to improve -- but he's not particularly worried about the Internet's ability to withstand major attacks.

"As much as I'm a security vendor and I like people to buy more security products, you have to realise that the Internet is not in bad shape," he says.

To be sure, customers have hardly stopped buying Check Point's security products. Earlier this week, the company posted better-than-expected third-quarter earnings and raised its outlook for end-of-year sales. The company continues to register strong demand for its virtual private network, firewall and management products.

But Shwed is managing his company at a critical juncture. Check Point now contends with competition on all sides.

On one flank, it faces formidable networking challenges from the likes of Cisco Systems and Juniper Networks; on the other, it must fend off smaller security firms such as Symantec. Shwed recently dropped by ZDNet UK sister site CNET News.com's San Francisco office to talk with reporters and editors about the security scene.

Q: Is the fight to provide security getting any easier?
A: No, I don't think it's getting any easier. I think it's getting more complicated.

Q: Why? Is it because end users are still not doing what's needed? Or is it because of increasing sophistication among the bad guys?
A: It's both, and it's also the fact that our dependency on networking is increasing. Think about it: Ten years ago, if somebody attacked your network, you probably wouldn't even notice, because most of your network would have been connected through Novell. The fact that there were a few computers connected to the IP (Internet Protocol) network or to the Internet wasn't a bad thing. Today, if you have a small disruption to the network or to the connection, it affects the entire organisation. Attacks spread very quickly.

Q: What's your big challenge for the rest of this year, into 2005? Where is the front line of the battle?
A: I think there are multiple fronts. The biggest one is the fact that many of the attacks today are not attacks that you can easily identify.

Q: Is the weak link the network administrator? Is it because administrators are less than scrupulous about putting updates in the system, thus leaving themselves open?
A: No. I used to be a network administrator, and when I am downloading software to my system, I still can't tell for sure if it's safe. For instance, I have to trust CNET when I am using Download.com.

Q: What fraction of the attacks you intercept are from the outside, and what fraction are from internal computers?
A: It comes from all directions. One user getting is enough for an entire network to get infected. The other thing to remember is that a lot of it is about the policies companies use. A company that says, "If I buy enough technology, it will protect us" -- that's definitely not enough.

Q: Since 2001, there have been several major attacks on the Internet. Some have argued that it's only a matter of time before we see a real meltdown or real catastrophe. What's your view?
A: Like everything, it's a matter of probability. I think the Internet has a very resilient architecture.

The fact that it is not controlled by one entity is the bad part, because things can spread quickly. But it is also a good thing, because nobody can shut it down, whether it is by one worm or by one administrative decision that says, "There's something bad going on; let's shut down everything, and then we will fix it."

As much as I'm a security vendor and I like people to buy more security products, you have to realise that the Internet is not in bad shape. We have millions of people on the Internet. Companies today depend on the Internet, and their uptime is pretty high.

Q: What do you think the arrival of Microsoft's Service Pack 2 is going to mean? Do you think it's going to increase the security of the individual PCs?
A: It's good that SP2 is here, but I don't think it changes anything significantly.

Q: Why do you think it's been so challenging for Microsoft to get its arms around security?
A: My view, as a technologist, is very simple. Go back 20 years or so, in terms of the operating system. There were Unix and VMS. Unix was extremely simple, extremely powerful and easy to master. You could have gone to the Unix kernel and made changes and introduced new applications. Every Unix programmer knew all the APIs (application user interfaces), because they were very simple.

The VMS approach was the opposite. Everything you wanted to do was available there. It was very, very powerful but extremely complicated. Everything was a big bureaucracy. For everything you wanted to do, you needed to read 50 pages or 100 pages of manuals to learn how to do it. Microsoft historically picked the VMS approach. It actually hired the same guy who was in charge of VMS development.

Q: Dave Cutler?
A: Yeah, and they got a pretty complicated system.

If you have a pretty complicated system, every small step you make can touch hundreds of places. It's not just one programmer, where you can get into the code and isolate a problem. When you've got hundreds of megabytes of code, there are likely to be lots of bugs, and that's what happened.

Microsoft has done wonders to bring computing to every user, but its system is not there, internally. Externally, to the user, it's a completely different story, but internally, that's why it's susceptible to so many bugs.

Q: Do you see Linux as inherently more secure because it's based on Unix?
A: Generally, yes.

Q: Unix has had a certain period in which to accumulate a very large amount of complexity.
A: And it is more complicated.

Q: Linux picked up some of that, too.
A: That's true. I don't think that either Linux or Unix is error-free. But if you look at the level of sophistication, I still think that the complexity of Unix and Linux is still simpler than Windows.

Q: When you look at security problems, one of the ways that viruses typically work is that they find some new channel that hasn't been monitored. What are some of the channels out there that are relatively vulnerable right now?
A: I think hackers will try to find anything, just like we found the recent bug in JPEG files.

Some protocols are well-designed and are relatively easy to deal with. Some protocols are pretty bad -- like all of the VoIP stuff is bad -- it's just a complicated design and very hard to monitor what's going on.

Q: Do you think criminal penalties for virus authors should be substantially increased?
A: I think that for any technology person, going to jail or being confined to home -- whether it's for one month or for two years -- that's a bad record, at least in Western countries.

I think the main issue is not the level of the penalty but rather the fact that penalties are enforced. Law enforcement is catching as many people as it can. The biggest problem is that most of these crimes are not considered crimes by too many people.

Q: Is the problem, then, that we just have not created a strong enough deterrent?
A: That's one of them. The other is the fact that this is a global market. If somebody breaks into an office, the police here have all the forces they need to deal with it. With this, you are talking about something with which law enforcement simply doesn't know how to deal. The laws weren't written to handle the Internet.

To catch somebody committing an electronic crime, you need to do it within a very, very short amount of time. If you look at how the police work, investigating a murder crime can take two years. But if you take two years to investigate a computer crime, there's nothing left around. Even if you record the most amount of data, in two years, nobody will tell you which IP address belonged to which person over one night.

Q: Does IPv6 make it easier to track people?
A: No, I think it makes it only worse. We support IPv6, but it is a much more complicated system. The reason the Internet was successful was because it was designed to be simple. The more complicated you make things, the less likely they are to be widely deployed. The more performance, the more problems you are going to have -- and IPv6 is complicated. People have been trying to deploy it for eight to nine years now, and there's still a very low acceptance rate.

Q: Do you think it will be more brittle, more prone to attack or just prone to random breakage?
A: If you look at an IP packet, it's extremely simple, and yet people still find hundreds of ways to exploit that. If you look at an IPv6 packet, it's at least 100 times more complicated. So there are more places to introduce bugs and vulnerabilities. If it took the Internet 20 years to build the good network that we have today, with IPv6, it is going to take longer.
