VeriSign's Sclavos: "enable and protect interaction"
A slogan of the multinational VeriSign is: "enable and protect interaction." To this end, the company focuses on security and authentication, but also on guaranteeing the stability of the Web domain system. According to its president, Stratton Sclavos, "It is unclear how governments are evolving on issues of identification." In an interview with Navegante, Sclavos explained his new universal identification system for the Web, called VIP. This comes at a time when Spain is betting on the Internet with its new electronic NID (National Identification Document).
He also reviewed new Internet threats, such as "pharming," reminding us that security depends on the precautions we take, just as it does in the real world.
Question: What are the new threats and new security strategies?
Answer: Society is migrating toward a digitalized world. The Internet has been operating for more than 10 years now, and we're migrating from traditional to electronic commerce. Obviously, it's not surprising that money is also moving to these new kinds of transactions. There are also an increasing number of attacks, and they're more sophisticated. We believe we must take action on two fronts: on one hand, develop new, improved tools to block and prevent these attacks, and on the other, increase user education. We have to realize that in the same way that we take certain security precautions in the real world, such as padlocks and deadbolts, we must also take precautions in the digital world.
Q: Regarding new threats, what are the trends for the immediate future?
A: "Phishing," which we consider a "direct attack," is still a problem, but now we're seeing that users are becoming more knowledgeable and are not so easily fooled. The new attacks are coming from "pharming," such as "Keyloggers," for example - computer programs that observe and record information from one computer and send it to possible attackers without the user ever being aware of it. We consider these potentially more dangerous precisely because the user usually doesn't have enough technical knowledge to know that his or her computer is sending this information.
So, we believe that "pharming" is the new big threat we must face on the Internet, and we are one of several companies developing tools that can block computers and not let them connect to the Internet unless they are "clean."
Q: Do those tools now exist?
A: They exist for companies and businesses. Where they haven't been developed yet is for home use, for private individuals, and more work needs to be done on that.
Q: When will it be available to consumers?
A: Yes, well, there are some now under development, not only by VeriSign, but by other companies like Microsoft and Cisco.
Q: How important is authentication in VeriSign's global operations?
A: VeriSign's security business is about $400 million a year, of which half comes from authentication. So that's $200 million a year.
Q: With regard to that, could you explain what the VIP (VeriSign Identity Protection) network is - the concept and how it works?
A: Well, we started our business as a website authentication firm, and later we worked on authentication of computers, and for 10 years now we've been looking for an effective way to identify people; consumers. That's VIP. We got the idea from the banks. Before, the first bank cards worked only at the ATM machines that belonged to the banks that had issued them, but later, networks were set up that would let you use the same card at different ATMs (VISA, MasterCard, etc.). The VIP idea is the same: using a single device, you can operate on any website that uses the VeriSign verification system. Plus, you need only one device instead of a dozen cards for different operations on the Web. It's very easy for consumers to use, and it's quite inexpensive.
Q: How does the device work?
A: Most of the system's complexity is on the Web, which is something new, so it's very easy for the consumer. For example, this is a device in the form of a token, which is also a 256Mb flash drive. If we press the button, a number appears that is always different from the previous one. It stays on the screen for 30 seconds, and that is our key for operating on the Web at a given time, which is linked to the user name and password. The way the device communicates with the VeriSign network, as well as the rest of the information it sends, is secret, and guarantees that the system will work.
Q: And what is the price?
A: In the U.S., this token can cost about $20, although that price may go down - especially for volume orders. We're also working with cell phone manufacturers, for example, Motorola, to have it added to some models.
Q: When will the first cell phone with this system come out?
A: We hope it will be on the market by the end of this year. In fact, Spain is actually a very strong market, with a growing number of broadband and "online" banking users, and we believe this market offers us a great opportunity to offer our services.
Q: Have there been talks with any Spanish banking entities?
A: Yes, we've been talking with one group for three months. But I can't go into that right now.
Q: We talked about authentication at a time when we are implementing the electronic NID (National Identification Document), which is the public way to verify a citizen's identity, and which will also allow "online" transactions because of its electronic signature, which is guaranteed by the national government. What is your opinion on this? Do you think it will affect your prospects in any way?
A: The VIP network is what's called neutral technology. It can be found as a device like this token, but also as a card that you can press your thumb on to generate your code. What the electronic NID will do is say who you are on a national network, but its validity will be limited to the national level. The VIP network contributes added value to international trade. Banks, for example, demand this additional authentication for critical operations on the Web. The code generated by the VIP network, in addition to the user name and password, serves as that additional guarantee.
Q: But wouldn't an electronic passport, also generated by the national government, fulfill the same function?
A: It's just that it is unclear how governments are evolving on issues of identification. I believe that both governments and the private sector are always looking for ways to perfect identification and verification systems, because the need exists. VeriSign's strategy is to create a global, worldwide system that's private but very flexible, one that will work for both public and private networks. Also, every country has different policies, so that an electronic NID is being introduced in Spain, but not in the U.S., and Japan has its own system.
Q: With this system, if you lose your national health insurance card, for example, what guarantees does the system provide? Because I understand that in the end, security is more of a personal issue than a technological one.
A: One of the big advantages of this system is that because it's managed over the Web, it's very easy to invalidate a card or device immediately.
Q: VeriSign has recently announced acquisitions such as M-Qube and Kontiki. What does this mean for the group? What is its strategy?
A: VeriSign's strategy is simple: We look at the market and see how the world has changed and how we are relating to each other, how business or recreational activities are changing. These new acquisitions focus on services that aid in this transformation, specifically, new forms of digital entertainment, such as, for example, cell phone ring tones and songs, games played on cell phones, as well as broadband video games, movies....
Q: And what does that have to do with VeriSign's business?
A: Well, VeriSign was created in 1995 as a supplier of security tools. From the beginning, it looked for new lines of business. It was the first company to provide security services over the IP network. During the 10 years since the company's founding, we've tried to develop other services and include them in our offerings. For example, Google's purpose is to organize all the information available on the Internet, and VeriSign's slogan would be to "enable and protect interaction." These new acquisitions are aimed at interactive services, possible new interactions, and that's the rhyme and reason of these purchases.
Q: Your company manages the ".com," ".net," ".cc" and ".tv" domains. You recently reached a controversial agreement with ICANN, by which VeriSign is assured exclusive management of ".com" domains until 2012, with annual price increases of 7%, which will begin to be applied in two years. VeriSign will also be given preference for renewal rights to this agreement. What do you have to say in answer to criticism from other companies aspiring to manage these domains?
A: I think it's very hard for the general public to understand the enormous complexity involved in managing domains as extensive as ".com". There are 50 million ".com" domains in the database, and as many as 15 billion requests. This complex and immense system must always be 100% functional - it cannot fail, regardless of growing threats. We have been managing all of this for eight years now and have never had a failure. Recent reports indicate that we receive more DNS attacks than anyone else; we're the number one target. That's why we have to increase our investments. We feel that the price increase is very small (from about $6.00 to between $7.00 and $7.50). It's a small price to pay for the cost of providing this quality service. In my view, Internet security and stability are more important than a small price increase.
[This interview has been translated and supplied by VeriSign, sponsors of Compliance and Privacy, from the original Spanish article by Pablo Romero which appeared in El Mundo Navegante on 29 March 2006]