Kimmo Alkio, CEO of F-Secure, recently rejoined the antivirus vendor from fellow Finnish company Nokia. silicon.com recently caught up with Alkio to discuss the security landscape, how governments should handle hackers, the need for a dot-bank domain name, and his company's much-criticized stance on the potential threat of mobile phone viruses.
silicon.com: You've recently rejoined F-Secure and it seems your arrival has coincided with a very quiet time for the security industry. Is this fair to say?
Alkio: The public perception is that this industry may have become less active because three, four years ago there were these very high visibility public virus outbreaks.
What we are now seeing is that the number of attacks and the quantity of malware is actually increasing. We are getting 7,000 new samples per day but it is being driven by new forces. What we see now is there is a criminal element acting purely for financial purposes and trying to stay hidden.
Phishing is still a major issue. There are markets such as India where the amount of phishing attacks has grown by 96 per cent year-on-year.
Are a lot of threats targeting emerging markets as businesses and consumers in the West start to wise up and protect themselves? Are the criminals just dusting off the same attacks and targeting new regions?
In emerging markets the level of security is not where it is in the Western world. If you look at India the number of broadband users is going from eight million to 20 million in three years. Look at these markets where you have this number of people coming onboard. It does change the threat landscape.
There are a lot of unprotected PCs and online banking and ecommerce are growing. And we need to be very active in educating people.
These infected PCs in emerging markets are also being used in distributed denial of service (DDoS) attacks targeting Western businesses and governments.
How big of a problem is DDoS attacks today? There was a lot of talk about extortion a couple of years ago, with criminals threatening to take down businesses' websites if a ransom wasn't paid. Is this still a problem?
DDoS continues to harass people across the world. But is it more, is it less? What we are seeing is it is taking up a lot of bandwidth and we need to protect people.
I think there could actually be a big shift from commercial to political DDoS attacks, such as we saw recently with Estonia [and Russia]. Any place where you have political instability you could see an increase in DDoS attacks in that region.
What about mobile phone viruses. It's a drum that you have banged very loudly--leading to suggestions you're over-hyping the issue. What do you say to accusations you've been irresponsible?
If one recognizes that there is a healthy probability that internet threats could be similar on the mobile side to the PC side then it could mean we're at the stage now that PCs were at in the late 1980s.
The devices, particularly smart phones, are becoming used more like PCs. So with a little bit of predicting and visioning into the future, based on past experiences, I think there is a tremendous need to ensure there is mobile security in place.
Do you think you've been as clear as you could be with the industry, with the media and with consumers that what you are doing is visioning and predicting a scenario that could happen?
Independent of how we have communicated this in the past, we are making it very clear today that the threat level on mobile malware is not severe today. There are only 323 known malware on mobiles and over 300,000 on PCs. No hype. Period.
And a lot of that mobile malware is just proof of concept.
Absolutely. Made by hobbyists. That's absolutely where we are today. But what's happening now is mobile phones are being used to download content from the web and are increasingly being used for mobile e-mail.
They are increasingly becoming professional devices and it is obvious that you have to put the protection in place if there are mobile viruses and malware. We are protecting today and pre-empting a future virus.
You're very close to your domestic market. Is it unfortunate that the few reported outbreaks we have seen have been in Finland and it therefore looks like more of a problem to you?
In some instances threats are concentrated on some markets, in this case Scandinavia, because that is one of the most mature markets for smart phone deployments so there is a logical connection there.
So if we look back in a couple of years' time and it turns out you were right, and all your rivals are offering mobile malware protection, will you feel any criticism you've received was entirely unjust?
We are pioneers. You could argue that we started investing too early but I would say it's a great thing--we have gained the competency and have the products up and running.
When it comes to fighting cybercrime, it helps to understand why attacks happen and what motivates the criminals. How much insight do you have into the criminal world?
We have some visibility into these communities, particularly when we are working with governments to help them, which we do. If we have information, for example, on a DDoS attack happening and we can see it we will share that.
And what trends are you seeing?
A lot of threats do come from very definite sources and as I have said we are seeing a lot of activity in emerging markets in particular.
But if you are a talented individual born on the West Coast of the U.S., what kind of career opportunities do you have? How about if you are an equally talented individual but you're born in the slums of Sao Paulo or in Siberia? What's the difference in professional and educational opportunities?
And yet what's the common factor? Access to the Internet.
So the picture you're painting is of cybercrime growing for the same reasons many other crimes do--as a result of socio-economic factors. Do you think governments and law enforcement have failed to realize this and failed to make the connection that cyber crime is like all other crime and something which needs to be targeted with some urgency?
Governments need to very proactively ensure ISPs are offering protection to users, that is the first thing governments must do. One of the best ways to solve these issues is through the ISPs.
Governments should also take a very active and strong role. When things actually take place the proper actions need to be taken to take people to court.
So what measures need to be brought in and what should the penalties be?
I'm the wrong person to answer that question but I think all governments need to talk to one another about how they address this problem. And all governments need to look at this with the same weighting.
Given this is a global problem, do you think we could ever see success going to the Chinese government and telling them Western businesses are annoyed at the amount of malicious code coming out of China, or going to the Nigerian government and complaining about scam emails? These aren't issues which will resonate as much as their own local issues.
It is right to say that different governments are definitely at different stages. A global initiative should be looked into but who will take the lead... that is a difficult issue. At the EU level there are some very good developments.
You've recommended that ICANN, the internet domain name body, introduce a new dot-bank top level domain and make it prohibitively expensive so only legitimate businesses would register it, as a means of tackling phishing. This sparked some criticism because of workarounds criminals would use such as domain spoofing and DNS hacks. Do you still think dot-bank domains are a good idea?
We've done the right thing. We've started the discussion and we've raised the level of the discussion and by speaking to financial institutions we've learned this initiative is one measure which could help.
But you accept it's far from perfect?
It's not the silver bullet. It's not the one thing. But there are practical things which would help immediately. If it cost, for example, $50,000 to register a dot-bank domain name, that would already make it more challenging. While this doesn't stop the problem on its own, and while people could still replicate that URL, a further level of education is still required.
Is it worrying that to date the industry has had more discussions about having a dot-sex domain name and a dot-xxx domain name than it has about introducing something such as dot-bank?
Yes, it's very worrying. This is why we've brought up this issue. We've now had good discussions with leading financial institutions and this has raised the discussion. Discussions continue with ICANN also.