AVG: Hacktivism is slowing down business

Czech security company AVG has about 98 million customers and users worldwide, thanks in large measure to its highly popular free antivirus software.

AVG's footprint as one of the planet's largest antivirus vendors gives it a good view of the threat landscape, according to the company. Its free product drives its paid-for business software, which is aimed at small businesses.

In recent years, a salient trend in cyberattacks has been online activism, which some commentators have labelled 'hacktivism'. Attacks by hacking groups such as Anonymous and LulzSec, which are designed to draw attention to political or other causes, have garnered numerous headlines over the past year. Anonymous and LulzSec have attacked organisations ranging from Visa to the UK Serious Organised Crime Agency (Soca).

AVG chief executive JR Smith, who used to own the Telecoms Solutions Group, talked to ZDNet UK about hacktivism, government responses to cyberattacks, and mobile security issues.

Q: Hacktivism isn't a new phenomenon — so why do you think groups such as Anonymous and LulzSec have caught people's attention now?
A: There have always been various forms of activism online, but [Anonymous and LulzSec are] a bit more malicious. It's not just making your point, it's hurting commerce, slowing down business, and hurting people. They have a cause, but when you think about it, this is stopping business, and the Bart protest was stopping people from travelling — I'm not a big fan.

The Comodo hacker recently claimed to have compromised DigiNotar certificates as a protest against Netherlands soldiers' actions in surrendering to Serbian forces before the Srebrenica massacre.

He claimed to be protesting against the Netherlands government, but how is punishing the government going to help? Governments don't tend to respond to that kind of pressure very well. They are not going to be blackmailed.

The reason for doing many kinds of hacking has evolved, unless it's purely for profit. This guy has a new tool to make a point, which may be malicious. His motives are definitely questionable.

What should worry small business more — hacktivism, or attacks designed to steal data such as financial details?
These [hacktivist] guys aren't attacking consumers, but attacks have helped people wake up to the need to secure small businesses, as well as how to secure big enterprise networks. I don't think hacktivists are doing anything financially malicious with user information. These are kids, who may or may not be devious, but who may want to hack into systems and take customer information for other purposes.

Hacktivism is about raising awareness and swaying public opinion. For small businesses especially, different types of criminal activity are much more of a problem. Guys are looking to steal personal information from small businesses or personal details — that's the interesting information for criminals.

After successful attacks, small businesses in the US are learning that...

...banks don't necessarily reimburse. There was a lawsuit recently where a small business in US lost $300,000 (£190,000). The court found they were not properly protected, so the banks did not have to reimburse.

Cyberattacks seem to be moving up the political agenda. Do you think governments are ahead of the curve, or are they playing catch-up?
Governments are starting to pay more attention to security. We are working with both the European Commission and the US government. We went to Capitol Hill with their top guys to talk about how to protect government websites and incentivise people to use security software.

Seventy percent of people [in the US] file their tax returns online. If they get hacked, it takes 30 seconds to ship that data out. Our position is, you don't want to tell people you need this, this, and this — governments should never govern what good security means. I don't think the government should control or dictate a level of security. I don't see the government as a regulatory body for what users should do about security, and how they do it.

What do you think of the state of international efforts in information security?
There are a lot of cyber-initiatives going on, but it's tough to get it together. There's competition between some countries to get hold of confidential data. It is truly a new form of warfare.

There are lots of Western complaints about cyber-espionage by China, but the US and the UK also have cyber-capabilities. Do you think this is two-way traffic?
I hate to think of the government of the US or the UK engaging in that kind of action. I hate to think they would try to thwart innovation to protect their own interest.

AVG has its own mobile security products, and works with both Apple and Google to create them. Which operating system is more challenging to write security products for?
Proprietary phone platforms are by nature a closed system, Google is open. To interface with Mac OS and iOS is really hard. You have to work with Apple to do that. They are so locked down, they are a lot tougher to protect.

In terms of the nature of Android, it's easier to integrate the technologies because it's open source, but the nature of open source is that it is a little tougher to stay on top of, because a lot of code can be introduced.

There's more malware on open source [mobile platforms], so there's more need to keep it updated, but it's harder to protect closed source. We struggle to make a good security Mac product. Apple locks it down for security reasons, and because it wants to control the ecosystem.