An Interview with Ken Silva, CTO of VeriSign, Inc.

March, 2008

Ken Silva, the CTO of VeriSign, Inc., is a long-time contributor to internet innovation. We talked in March 2008 about the continuing rise in internet activity: its causes and consequences, particularly in net security.

Emily Nagle Green: I like to say the internet is going 3D—from the two-dimensional screen-based mode to one in which devices of all kinds use the net to enhance their value. Agree?

Ken Silva: Absolutely. We are at the knee in the curve at the consumer level. People don't leave the internet. I like to say that even if what people do on the net is always changing, the net itself has no retention problem. The number of users will only always get bigger. Look at India, for example: today they have something like 36 million internet users. With a population of 1.3 billion, they haven't even scratched the surface.

Beyond that, though, the game-changer for the "internet of things" was when the iPod became a Wi-Fi device. Technology adoption used to be driven by the enterprise world, not by consumers. So when the iPhone with Wi-Fi and a better user interface became a must-have device, that for me was the tipping point on connected devices. It's just a coincidence that it's a phone. It was the Wi-Fi access that raised the bar for everyone. Who will buy a handheld entertainment device in '09 or '10 that isn't connected? Who'll buy a car in the next 2 years that doesn't have on-board GPS navigation? What about a GPS system giving you real-time traffic—soon, who will buy one that doesn't?

ENG: People have accepted that connectivity should be available anytime and anywhere they want… it's becoming a right. Given your perspective at VeriSign, what's the impact of more things on the network?

KS: The first impact will be on raw capacity: We'll need more of it than people can imagine. And if we think that we'll just be able to throw more fiber into the ground, or that Ciena can find enough new ways to multiplex existing capacity, we're wrong. Petabyte-sized databases can't live all in one place; no one can possibly serve it all up. Content delivery will have to take a different shape, using P2P techniques and segmented storage platforms. We will need lots of innovation in bandwidth and content management besides just increasing or exploiting capacity.

The second impact is lots more transactions. Users don't care if it takes an extra 20 milliseconds for a site to appear on their screens. But what happens when devices are using the net? Truckloads of razor blades will be reporting their locations, fridges will be ordering food, every channel change on your TV will create net activity… We'll see huge new surges in transaction rates. Domain queries could surge from today's half-million per second to 50 million.

ENG: And 20 milliseconds is a lot longer for a device to wait for something than it is for a human being. There will be a raising of expectations across the board, for network performance, reliability, all that.

KS: Right. That's why we have fortified the infrastructure. This is still the Wild West, and we're trying to pave the road and avoid the gullies. We know that the phone system is moving to IP. So is TV, and radio has already migrated. 3G or 6G, it's all going to happen—whether we forecast it successfully or not.

ENG: What do you think are the three biggest security problems in the Anywhere Network today?

KS: First, compromised usernames and passwords. Second, stolen data. And third, targeted hacking attempts. Before Kevin Mitnick, people did hacking for its own sake, to learn something about the operating system. We're now seeing a move away from high-profile massed attacks, blasting domains with traffic. Now they're targeting particular executives with phishing schemes designed to capture specific information.

ENG: I've experienced it already myself, with that phony Better Business Bureau complaint with the Trojan horse attached.

KS: Right. Bad people are going to get into the network and stay there. They'll live for a while and get all they want. That's the scariest one in some ways.

ENG: So what are the additional security risks ahead in the expansion we're talking about?

KS: The big new question is simply this: Who or what will be authenticating all these additional devices on the network? Imagine when you have all these devices with all this bandwidth and the ability to go anywhere. What's needed is true end-to-end security. This means asking questions like: Are you authorized to use that machine? Is that machine authorized to use the network and to talk to this application?

With these additional risks, we have to start now to lay the foundation for expanded security mechanisms. You wouldn't want us to try to retrofit authentication onto your connected fridge to protect your home network. So we have to do it today.

ENG: Will it add hassle to internet activities that seem fairly easy to do today?

KS: That's why we have already had to rethink the way two-factor authentication is going to work. We have to provide options that consumers will accept. Usernames and passwords have been obsolete as a security solution for 10 years, but no consumers demanded tougher authentication—it was tough to figure out, and they weren't sure why they needed it.

We've changed the game; we've put an authentication token on a credit card. It changes people's willingness to do things on the net (medical, financial, etc.) if they can have a simple, low-friction way to verify identity.

ENG: But this is going to require incredible cooperation across the industry.

KS: True. But technologies never evolve broadly until there's a reasonably cooperative infrastructure. Air travel, for instance, was not that good until there was good takeoff and landing support in most places. Train travel wouldn't have evolved as it did without telegraphy. And it wasn't until the wireless industry got together over roaming that mobile adoption took off. The same thing will happen in authentication: People will figure out that they have to share authentication solutions if they want broad adoption.

We should expect more issues, bigger ones, around privacy and data protection. People will be doing so much on the network. The ease of moving data around is a force for bad as well as good. Every time I open the paper, I read about a laptop lost with personal information. Sadly, we should expect more compliance and regulation activity in this space. Behind every FAA regulation was a plane crash. When enough people have had bad things happen in this space, the government will take action. When that happens, it's usually overaction.

We have a 21st century innovation schedule riding on a 20th century network. VeriSign operates a part of that infrastructure, which is the DNS, but everyone has to do their part. If you're responsible for a portion of that, you have to be sure you're ready for that to happen. If we don't, there will be a meltdown, a failure. All of a sudden, this marvelous flywheel will turn in a different direction. The openness of the network has been what's fueled that innovation. That's the beauty of it so far. We just have to find a way to do it securely.

Emily Green