Ken Silva, CTO, Verisign

February 10, 2009, 9:35am PST | Length: 00:13:00
Ken Silva, CTO of Verisign, speaks to ZDNet Editor in Chief Larry Dignan about the biggest security threats facing companies in 2009, and what Verisign is doing to out-innovate the hackers. Silva also discusses the company's strategy to expand domain name capacity and secure mobile devices, and his philosophy on the intersection of security and innovation.

Transcript

Larry Dignan: Hi Ken, thanks for joining me.

Ken Silva: Thanks for having me, glad to be here.

Larry Dignan: Now, you're the CTO of Verisign and it's a company that protects more than 1 million servers with digital certificates. Can you give me a feel for the size and scope of the operation?

Ken Silva: In addition to the over 1 million digital certificates that we provide to online merchants who process the secure transactions that consumers do every day, we also are the custodian for the .com and .net domain name infrastructure, which is sort of the address book for the .com and .net, if you will. You as a consumer, if you were to go to any .com or .net website you would probably traverse our infrastructure for that. We do about 50 billion queries per day on that infrastructure as well and that's deployed in over 50 locations around the world.

Larry Dignan: As CTO what are your responsibilities?

Ken Silva: Well I'm responsible for all the operations and all of the platform development for that infrastructure, as well as overseeing security and the compliance aspects of that.

Larry Dignan: Now we've seen numerous security threats. We've got malware, phishing, pharming, pick your list, it goes on almost forever. What are the next threats on the horizon we have to worry about?

Ken Silva: Well those aren't going away, the ones that you mentioned. But you're starting to see a trend, in fact many consumers probably know someone either on their block or in their family or in their workplace that has had their identity stolen, either through phishing or through screen scrapers or spyware that's on their machines. The criminals are starting to figure out that as more money moves to the internet, where the money goes the criminals certainly go. So we'll see some trends there, but we're also starting to see an increase in extortion attacks, where there are these bot networks out there and they're attacking services and extorting companies and threatening to take them down for extended periods of time if they don't pay money.

Larry Dignan: Can we out-innovate the bad guys?

Ken Silva: I don't know that you can out-innovate the bad guys; there seem to be more of them than there are of us. But what we can do is, not just prepare or try to prevent attacks from happening, but to prepare ourselves for when they do happen what is our response and then how would we respond?

Larry Dignan: What are the top 3 security problems currently?

Ken Silva: Well identity thefts are probably number one, denial of service attacks are probably number two. And that's, imagine if you will, that there are tens of millions of little weapons out there that can be deployed from anywhere in the world almost instantaneously. And lastly I think really, just actual hacking and the theft of personal information, or financial information or even medical information nowadays. Those are the kinds of things I think we need to worry about throughout 2009 and well into 2010 and 11.

Larry Dignan: Security and innovation have been perceived as not going hand in hand. Often, security is seen as an excuse to not do something. How do you manage that intersection?

Ken Silva: It's interesting when I worked for the federal government it was pretty easy, security was easy to manage, you just said no to everything. But when you go to a company that wants to be innovative, you pretty much have to say yes to everything. The two have always been at odds with one another. I think a good security professional would anticipate the kinds of things that are going to occur from an innovation perspective in a company and try to secure that as best as possible. Let me give you an example, just a use case on this, would be the iPhone, a very popular mobile device. It's extremely popular amongst consumers and because people who work in companies are also consumers, they want to be able to use that same kind of fun or cool technology in their company. So rather than try to block that kind of stuff you'll almost always fail by doing that because eventually you'll reach the level of the executive you can't say no to and they'll get to have one and then they'll show everyone that they have it. So ideally what you want to do is you want to anticipate these cool technologies or these innovative technologies making their way into the enterprise and try to put security measures in place that allow people to use innovative technologies but in a secure fashion, so rather than try to block them try to secure them.

Larry Dignan: But once you have the iPhone on the network, there's thumb drives, there's Blackberries, PDAs, I mean, pick your device that's connected to the network. Where do you say no and what's the security conundrum you face?

Ken Silva: I think if there's a legitimate business need for it, you can never say no. I mean, legitimate business needs have to be satisfied. If security is viewed as an impediment, then what will happen is that your budget starts to shrink, your scope of responsibilities starts to shrink. I think when you have to say no to things that truly endanger the enterprise and mobile technology has been a security risk for a long time. We only talk about it a lot now because the iPhone has made its way in, but Blackberries and other mobile devices have essentially moved the edge of your network into someone's pocket walking around. If you were to go to an airport and just ask them how many mobile devices that they pull off of an airplane in a day, it would probably be in the thousands per day per airport that they actually find. Probably on every plane there might be 10 or so devices that get left on a plane. So what you do is, there are technologies that allow you to secure those innovative products, by putting passwords on them and putting PINs on them. So those are the kinds of things you have to do. If you continually block the technology, then you will either be replaced or your policies will be replaced.

Larry Dignan: Last year Verisign talked about Project Titan. It was a hundred million dollar project to diversify infrastructure. Can you describe that for us, and what you were hoping to achieve?

Ken Silva: Sure. It's a project I'm very excited about. We actually launched the project in early 2007. It was designed to be a 3 year project that would basically increase the capacity of the domain name system that we operate for .com and .net by 10x over what it was in 2007. And the idea here was that we've always measured the internet as the numbers of websites or the number of emails that get sent or the number of instant messages that get sent, and those were all sort of protocols and platforms that were developed for the internet by the internet, and the internet is changing. The amount of scale that we have to be prepared for are 100 year old monolithic infrastructures, like telephony, which will migrate to the internet in a big way and bring with it hundreds of millions of users--suddenly. So we have to be prepared for that growth in transactions. Today we do about 50 billion transactions a day on that system and we anticipate that going into 2011, 2012 we could be looking at as much as a trillion queries per day on that infrastructure, between things like RFID and instant messages that get sent from mobile platforms. So we're pretty excited about this project. It's well under way, we're certainly on schedule. We're very excited about it. We're meeting our objectives on that, and we'll certainly be prepared by 2010 for the scalability growth that we'll expect to see.

Larry Dignan: So imagine you're king of the internet for a day. I give you a whiteboard. You've mentioned previously that the architecture is just not quite there for what we need to do in the future. How would you re-architect things?

Ken Silva: Well, I think I would embed some security into the protocols themselves. Today the network itself provides zero security. There is no security in the network, virtually every packet is passed and pushed. So by embedding some security into the protocols and some of that was thought of when IP version 6 was developed, but trying to retrofit that on top of the existing infrastructure is going to be a challenge so I think that many of the protocols themselves would have to have some security embedded in them. And the second thing is that passwords as we know them today would not exist. They've actually been obsolete for more than a decade. The fact that we continue to use static passwords is mind-boggling to me.

Larry Dignan: I have about 60 of them.

Ken Silva: Well, so that's a challenge. And the problem is that what you wind up doing, what most users wind up doing, is that if you have 60 of them you really have two. Okay, which means that you have one for the stuff you really care about, and then you have one for the stuff you don't care all that much about, like your MySpace page or something like that. So you wind up becoming less secure, even though you're in 60 different locations. And that's where I think you'll see things like Identity 2.0 sort of come into play. That's where instead of identities being managed in a bunch of islands all over the internet you'll start to see centralization of those and that's where we're doing some innovation as well is, do you really want to have a separate password for everything or wouldn't it be nice to have a network where you could have a shared infrastructure? Like the ATM machines for example. If you look back when you maybe you're not old enough, but I'm old enough to remember when a bank issued you a card, you could only transact with that bank and their teller machines. So if you had a Bank of America card, for example, it only worked at Bank of America. And ultimately all the banks said, look, everyone's got a bank card, why don't we share a common network and then we can charge a small transaction fee across that. That's really where things will ultimately head, and I think if I could change anything I think I would have embedded that into the infrastructure from the start.

Larry Dignan: Finally, let's talk Homeland Security. You've spent a lot of time on Capitol Hill. One of the points you made was that the internet, 90 percent of it, 95 percent of it, is in private hands. So you have this security problem that's really about herding cats. How do you get those cats herded to the point where the internet is more secure from a Department of Homeland Security perspective?

Ken Silva: Well, it is a challenge. Look, the industry itself has primarily worked off of incentives. Whether those incentives are that consumers want to buy the product because it's more attractive or because the procurement system insists that they do it, so it's kind of a negative incentive. In other words, the public sector won't buy your products. It is very challenging to try to get everyone to first agree what the technology is, and second get them to actually deploy it. You have to realize that there's a lot of infrastructure out there that people have invested billions of dollars in, and in order to retrofit that infrastructure to newer technology is a challenge. It's a big investment. Without incentives of any sort, be it through insurance, tax or what have you, it's going to be a challenge. I think that the new administration is committed to that. I know that their transition team has been working through a number of issues. I know that Congress last year worked on a series of recommendations in working with industry and the public sector to make a series of recommendations that they would give to this president shortly after taking office and informing him of what the industry and the public sector at the time thought the challenges would be.

Larry Dignan: Ken, thanks for your insights today.

Ken Silva: Thank you for having me. It's been my pleasure.

Larry Dignan: I've been speaking to Ken Silva, CTO of Verisign. For CIO sessions, I'm Larry Dignan. Thanks for watching.
