Xie Envisions Cyber Shield

SANTA CLARA, Calif. -- Ken Xie, founder and CEO of Fortinet, issued the following statement in response to the National Strategy to Secure Cyberspace Report: The technology necessary to detect and eliminate viruses and other cyber attacks from all of the Internet's main US access points can be deployed for an estimated $2 billion. This technology, which exists today, can enable the entire Internet infrastructure to be scanned for viruses continuously in real time without negatively impacting network performance. In comparison with funds spent on other elements of our homeland defenses, I believe this represents an especially effective and sound investment. The result of such an investment in an omnibus "Cyber Shield" will be a stronger, healthier economy -- not only for the telecom sector that includes the carriers of Internet traffic and the service providers who enable Internet access, but for all businesses and organizations that rely on the Internet. The Internet is the primary mechanism by which cyber attacks are launched and spread. If the Internet itself had a mechanism to automatically scan and reject malicious viruses and worms, their ability to spread and cause damage would be severely curtailed or eliminated entirely. The main objections raised against implementing blanket cyber attack counter-measures within the Internet itself are fears of cost increases for today's already strapped IP service providers, combined with the expected reductions in network performance that are often associated with complex security functions such as virus scanning. However, with these new Cyber Shield technologies and a more proactive approach by government, both of these hurdles can be overcome. Cybersecurity czar Richard Clarke's recommendations for improving computer security rely almost entirely on the actions of individuals and corporations to improve their security practices and thereby reduce the risk of cyber terrorism. While individual actions are clearly necessary and to be encouraged, I believe that the Clarke approach addresses only half of the problem. Numerous individuals and companies have been victimized by cyber attacks, suffering unforeseen expenses and losses totaling billions. Many of those companies successfully attacked were not unprotected, however. In fact, most of these organizations were compromised despite installing conventional antivirus products on their computer systems, which unfortunately don't even shield users against Webmail-borne infections, a major transmission vehicle for cyber attacks. Our vulnerability to widespread damage from computer viruses and worms is not due primarily to inaction or under-investment in conventional antivirus technologies by individuals and companies. Rather, the problem stems from the fact that today's threats -- which are transmitted over widely connected, high-speed networks -- are able to spread and do damage at unprecedented rates of speed and replication. In addition, because of the intolerable degradation in network performance caused by conventional antivirus technology, which is strictly software based, many individuals in corporations and at home disable their antivirus software altogether. The Internet and the computer networks connected to it are super highways inherently vulnerable to rapid propagation of cyber attacks. These attacks are able to easily out-maneuver conventional antivirus infrastructure, which was developed in an era when floppy disks and the "sneakernet" represented the predominant modes of infection. However new technology -- such as high-speed, network-based virus scanning using specialized microchip information processors -- has improved the performance of antivirus scanning by over 100 times. This makes it possible to stop threats in the network itself before they reach individual and corporate computers connected to the Internet. The Clarke recommendations avoid using legislation or regulation to force the private sector to act. In a free market economy, this is a reasonable approach. However, there are many examples in which the government, while stopping short of a mandate, is able provide the necessary resources and incentives that enable the private sector to respond more rapidly and vigorously. And, after all, since the US Government owns the Internet, it ought to provide a Cyber Shield to protect its users. To completely abrogate responsibility for helping individuals and industry to respond to today's threats is equivalent to asking the private sector to stockpile their own rations of smallpox vaccine. We urge Mr. Clarke to re-evaluate the available options and to consider a more proactive, industry-friendly approach to improving cybersecurity in a manner consistent with the national response to bioterrorism, airline security, and other key elements of our critical national infrastructure. Fortinet Inc.