5 Questions with Dr. Paul Vixie, Chairman & CEO Farsight Security

dr.vixie.1.jpgDr. Paul Vixie
Chief Executive Officer at Farsight Security

5 Questions with Dr. Paul Vixie, Chairman & CEO Farsight Security

1) Forgery and impersonation remain a common attack method. Why is it such a difficult security problem to solve?

The Internet was born and raised in a trustworthy environment -- academic, military, government, and commercial actors whose broader interests were aligned and who jealously guarded their Internet connections which could be taken away if abused. As such, every part of the Internet's firmament is hopelessly and irrevocably trusting, especially IP source addresses, e-mail "From:" addresses, and online comment signatures. It's barely possible for social networks to detect non-human actors such as "bots" and prevent these actors from creating faked accounts, but even in that somewhat more modern technology ecosystem, all advantages are held by the attackers. Authenticity, where it exists, is an enterprise or government affair, involving expensive tools and complicated work flows that simply cannot work at full Internet scale. What this means is, we should not look for greater authenticity from the technology any time soon, and when we do get it, it'll likely be quite authoritarian in form and thus, a cure that some will say is worse than the disease.

We could consider a human rather than technological solution to this, if humans were not by nature so confident and so trusting. We are all at risk from hucksters and tricksters in every phone call we receive, every man-in-the-street who asks us for directions, every "new tech" company who claims to have our best interests at heart as they go about disintermediating our supply chain and thus intermediating themselves into our lives. A catch phrase from an economic boom of a few centuries ago was, "let the buyer beware". I don't believe that we are "suckers" or that a sucker is "born every minute" but I freely admit that the level of suspicion and distrust that's actually necessary for safety in our modern world is so corrosive and uncomfortable that most of us just can't stand to live that way. Thus, most of us are attractive victims for the exact forms of forgery and impersonation that the Internet now offers us in an unprecedented and constant barrage. We are evolved to face threats we can see and motives we can imagine. The Internet, by being so large and so fast, and by containing so many corporate and other non-human actors, is a world we aren't ready for.

2) Many organizations have a large enough inventory of domain names, network addresses, systems, software, and databases, that there can be no real understanding of the scope of it all, or how it interoperates or interdepends. How can responsible parties track and protect these assets against attacks?

Beyond our human tendencies to expect the best outcomes and to expect goodwill from other actors, we have real problems when we face complexity. Our only hope of mastering complex technical topics is to decompose those topics into bite-sized chunks to be digested independently, in the hope that they will add up to a set of instincts and reflexes that can approximately apprehend the totality. Sadly, this can work with calculus and quantum physics, but it will not work with hardware or software en masse. Epistemologically, we are better at decomposition than composition -- and we don't easily construct instincts or reflexes for apprehending totalities that lack commonalities, hierarchies, taxonomies, or structure. We are almost literally blind to devices and mechanisms above some threshold of complexity. We can build systems that make management and measurement of large scale activities possible -- consider logistics or economics as fields where this has been done successfully at various times for various lengths of time.This is a half-regressive step, however, since the systems we build to manage complexity will each contribute their own new complexity to our total burden -- so, wisdom relies on caution when choosing this path.

What will be necessary to achieve any kind of safety or even an understanding of our risks, is a systemic and disciplined approach to inventory, monitoring, life cycle management, diagnosis, repair, patching, and root cause analysis of each and every and all of our Internet connected or related assets. Those who research or attempt to practice discipline of this kind find it expensive -- indeed, it has only reached break-even at large scales. The trend therefore is toward outsourcing our complexity to others who we hope can reach the necessary economy of scale to keep track of how it all works and what it's all doing. This may be a rational choice, although examples abound of our outsourced supply chain being itself outsourced to lower bidders, often with the result that no one, anywhere, understands what's happening or how. Rational or not, outsourcing of complexity leaves us more ignorant but no less dependent.There may not be a rational choice here, unless it's to accept that the Internet and all its wonders will add capacity and reduce cost compared to the pre-digital era, while simultaneously reducing our awareness and autonomy and opportunities for creativity, due to added risks and costs that come along in a kind of a "devil's bargain."

3) Are we near any kind of inflexion point, where the costs and benefits of our digital tools that we've become attuned to will radically shift? Or is it Groundhog Day?

It's Groundhog Day. The contributions to our digital troubles far outpace and will continue to outpace our investments in understanding or risk management.

4) Farsight recently celebrated its fifth anniversary. What have you enjoyed the most as company CEO?

I am pleased that we still traffic in observations not threats. We inform the threat intelligence market, but technically speaking, we provide neither threat information nor human intelligence. Delightfully, this means our customers understand what we do, but many would-be competitors do not. I love knowing that this is a company only this team could have created, and also, is the only company that this team could have created. Willie Keeler's advice to "hit it where they ain't" remains uppermost in my mind.

5) What have you learned from your staff that has made you a better CEO?

These are my middle years, and I am no longer a wizard. This was probably obvious to everybody else in 2013 when we first brought Farsight out of my previous company in a management buyout, but as in all things, I had to learn it the hard way. This has meant learning to depend on the team, and serve the company in other ways than by invention or construction. As predicted by thousands of years of recorded history, this has ultimately made me stronger, and the company stronger, because there's more capacity, more amplification, more cross-pollination, and ultimately greater reach. I do not reject or fear further aging or further ebb of the powers I commanded as a younger man, because I now know that I can be even more useful learning and doing the new things I encounter every day.

Stay in touch, subscribe to the Farsight Security Newsletter