Security Q&A: Trend Micro boss Eva Chen

(Credit: Darren Pauli/ZDNet Australia)

Name: Eva Chen

Position: chief executive officer and co-founder of Trend Micro

Born: Taipei

Education: Masters of Business Administration and a Masters degree in Information Science from the University of Texas. Chen also holds a degree in philosophy from Chen Chi University in Taipei.

Career: worked in the research department at Acer, leaving to co-found Trend Micro in 1988. Chen held the title of chief technology officer between 1996 to 2004, and has remained chief executive since.

ZDNet Australia: why did you enter the information security industry? What do you find most interesting about it?

Eva Chen: the most interesting part about information security is that you are playing chess with the hacker. You need to anticipate their next move, and try to move before them. The hacker, the dark side, is my competitor. That is what interests me, because never a day in 21 years is boring.

What do you find is the most pressing issue in the information security industry and what can be done to fix it?

Security vendors need to be focused because the threats change so much. But vendors nowadays are worrying about mergers and acquisitions, who is acquiring who, and not focusing on how to deal with the threats better. They need to refocus on the service we provide.

Secondly, we need to look at how we interact with infrastructure players. Telecom companies, IT, we need to integrate with them to defend against modern threats.

There seems to be a sentiment in the security space to not hire former hackers or virus writers. Would you?

No.

Is it a matter of ethics?

The skill set is very different. People think hackers are very smart. They are, but in another way. If you create software, you have to make sure you don't conflict with other processes and applications, and that requires a whole different set of skills. Hackers don't care if they crash your computer, or conflict with other processes.

Some say blacklisting, while valuable, cannot work on its own. So how important do you think whitelists are?

In embedded systems, whitelists are important, but the freedom of computing is [also] important. Freedom is why we use computers and I'm a big advocate of this. How many new applications are there now? It is enormous. So if you keep whitelists, you need to keep a much bigger list than the blacklists. But it is different between environments.

You should use whitelists for systems hardening of SCADA [Supervisory Control and Data Acquisition] systems, but for user environments, blacklisting is a better way.

A NICTA (National ICT Australia) researcher was quite critical that operating systems are big bloated things that are now fundamentally insecure. What do you think?

The more code you bring together, the more likely you will have problems, and I'm all for a simplified operating system. But all operating systems must have [an] open API (Application Programming Interface) to enable developers to create applications — this idea of freedom of computing.

Unfortunately security will be a problem. You can build a house that is really secure, without doors and windows, but how will you live? Security people need to weigh the balance between usability and security.

It has been said that failures in security are failures in software reliability. Do you agree?

[Laughs] It is inevitable that you will have defect in code, no matter how hard you try. Not to mention the size of devices. Major software will have bugs, and there will also be a need for security measures.

Is it acceptable?

I will start to show my age but I would say software developer training is not that good. It used to be that we developers would write assembly code, meaning we knew the architecture even down to the CPU level, memory flow, memory rejection; but now these developers all use API, and they don't know this, or not even how the TCP stack works.

No wonder there is so many problems. It is a matter of education.

A reader asked if you would consider describing your internal testing procedures before releasing updates.

We do all the regular code-checking first, two engineers looking at each segment of code for the pattern update, and have thousands of computers doing the pattern database testing through terabytes and terabytes of data. We have about 1200 researchers including pattern and product development and testing. We are automating the product testing more and more, but at the last part, you cannot automate. There is no way you can replace engineers.

Some people firmly believe in the concept of cyberwar: that flood gates will open, and electricity will be shut off. Others say the concept is just a fancy word for hacking. What is your take?

If human beings must have war, then killing computers is better than killing people. Information technology is everywhere, and attacking the critical infrastructure will be severe. I think the outcomes could be severe and every government needs to think about this.

It is said that nation states have the best offensive capabilities, but would be reticent to attack for fear of the conventional response — bombs. Do you see a time when nations will all-out attack each other online?

Yes. I think it has already happened before. North and South Korea government websites — it has already happened.

Would this escalate to attacks on critical infrastructure, not just websites?

Sure. However, I think terrorists will not. Their intention is to make people frightened, and killing people is much more dramatic.

Our government is looking at more and more online public services but there has been a lot of criticism of its information security systems.

Why do you rob a bank? Because there is lot of money there. So if you are putting more and more transactions online, you need to have a lot better security.

Videos from the recent Trend Micro Enterprise Security Conference can be found here.