Computer Crime Research Center

SYMANTEC CORP. On the record: John Thompson

Date: February 16, 2004
By: John Thompson

John Thompson, 54, is chairman and chief executive officer of Symantec Corp. in Cupertino, which is involved in Internet security technology. Symantec, which employs more than 5,000 people in 36 countries, develops and sells a broad range of content and network security software to individuals and businesses. A 27-year veteran of IBM Corp., Thompson joined Symantec in 1999. He sat down last month with a group of Chronicle reporters and editors to discuss his company and industry. The following interview has been edited for space and clarity.

Q: Consumers know Symantec because they've seen that yellow Norton box in the store. Perhaps you could provide a picture of where the company's been and where it's heading.

A: Symantec probably has been best known for its Norton brand of (anti-virus software) products. The company was founded in 1982, taken public in 1989 and acquired the Peter Norton Group in 1990. Symantec concentrated during the first 15 years or so of its existence primarily on PC tools targeted at the consumer and the small business buyer.
It was my impression when I arrived that that had become less relevant as a strategy, because it was more oriented around distribution than technology itself.
We needed to center our portfolio around a collection of technologies, and that collection of technologies became security. Today, we are a security-focused company targeting individual consumers and large corporate or governmental users.

Q: How vulnerable is the United States to a terrorist attack via the Internet, particularly since Sept. 11, 2001? What precautionary steps have been taken since Sept. 11, and what more needs to be done?

A: I don't think 9/11 created new vulnerabilities for America's cyber infrastructure. What 9/11 did was raise awareness around the world that our infrastructure is interlaced, that you can't separate the cyber-infrastructure from the electricity grid.
Furthermore, in the cyber arena right after 9/11, specifically on Sept. 18, we had a watershed event around the world -- the attack of the Nimda worm. That created a broader level of awareness that many individuals and small businesses were awakened to.
Then came the (computer virus) attacks of August 2003. Never before had we seen four broad-based attacks in a span of 10 days or less.
Those events raised awareness of the need for people to secure their environments. It's also been a catalyst for growth for many of the companies that play in this sector.

Q: Tell us about the joint venture you've got with Cisco and several other companies to come up with a coordinated defense against these problems.

A: You cannot solve the security problem that has emerged in the connected world in isolation. Companies that deliver technologies that create connectivity must work together.

After 18 months to two years of discussions, we've come to terms on an approach that would allow an individual or corporate user who has a certain set of technologies deployed on their PC device to be checked for the status of that device when they access a network.
It would be like airport security. You get checked when you're trying to gain access to the airport, to make sure you don't have -- or do have -- certain things. You do have a driver's license or a valid ID card. You don't have explosives, guns or knives.
What you'd love to be able to do in the cyber world is make sure that a device that's trying to gain access to the network doesn't possess a virus or isn't carrying a malicious payload of some sort that could create harm to other parts of the network.

Q: How do you respond to those who say Symantec hypes the threat of viruses and worms as a way to increase sales?

A: There's an old expression that opinions are like noses. Some people choose to blow theirs more often than not. I think that opinion stinks, because there's nothing further from the truth.
Now I can't speak for others in the industry. But we have a very rigorous process by which we evaluate an attack and put a rating on it.

Q: I've talked to a lot of security experts who say companies like Symantec are just taking a Band-Aid approach. They say what really needs to be done is that Microsoft and other companies need to start making secure products. Do you look at it that way?

A: This is not about Microsoft. Every company in the industry can do more to create a more-secure product. The interesting conflict we have is that software development is a combination of both science and art.
When you practice the science to its fullest extent, it's likely you'll create more-secure code. But the art is the exciting part and the part that gives companies user excitement. When you blend the two, sometimes you create a problem.
The issue for Microsoft is it has more code in the environment than anyone else, hence it's a more target-rich environment. So Microsoft happens to be the beneficiary of those kinds of activities.

Q: Have we just been lucky so far? For all the problems created by hackers or by those spreading viruses on the Internet, we haven't been hit by terrorists or by those seeking some greater evil.

A: The Internet has facilitated an opportunity for people with more than just simple maliciousness to take advantage of unsuspecting companies or individuals.
It's created an opportunity for people who have a financial motive, a geopolitical motive or a criminal motive to exploit the vulnerabilities that exist in software products, and more importantly, the vulnerabilities or lack of awareness that exist in individual users and small businesses. That is the most significant issue we face.
These people might have an intent to steal your identity, which has become a huge problem on the Web. They might have an intent to steal your credit cards.
Consumers don't understand the simple precautions they can take to protect themselves when they're online. If we could raise the awareness level around the world to this problem, we could drive down the impact of a virus attack or worm attack exponentially.

Q: Do you have a couple of suggestions for our readers?

A: It took us a while to get from the awareness of the benefit of seat belts to the point where it's now instinctive to buckle up.
It's going to take that level of repetitive messaging to get to the point in the cyber world where you wouldn't think of going online without having an anti-virus product. You wouldn't think of going online with a broadband connection without having a personal firewall.

Q: You were appointed by President Bush to the National Infrastructure Advisory Council in 2002. Does Washington understand these issues?

A: The council is made up of about 25 executives from all critical infrastructure components of the U.S. economy. Craig Barrett of Intel and John Chambers of Cisco are members. There are representatives from the airline, electric utility and banking industries.
The project I've been most involved with is how we manage the release of information about vulnerabilities and systems. That's an important issue for us to have some general agreement on, given how cyber-connected we all are.

Q: And it's controversial how to release these things, too, right?

A: Well, in my mind, it shouldn't be. There's a code of conduct.

Q: Microsoft doesn't want it to be public.

A: That's not true. What Microsoft wants is for people to follow a standard code of conduct. If we can agree on a code of conduct and adhere to it, I don't think anybody would have an issue with it -- including Microsoft.

Q: You talked about codifying conduct. What about the open-source community? What's your take on this incredibly robust community of computing that might not be as easy to rein in?

A: I'm not sure I understand what you mean by "might not be as easy to rein in." Do you think Microsoft is easy to rein in? (Laughter) Did I miss something?

Q: I guess my question is: Can you secure an open-source environment?

A: There isn't anything inherently less or more secure about open source. The issue will be: To what extent are people willing to avail themselves of free software that has not gone through the same quality standards, the same security process? It's an issue of buyer beware, I would argue.

Q: What do you think of the Patriot Act and its implications for Internet privacy?

A: Legislation that is well-intended, that is to make sure you and I are confident and comfortable with the way in which our private information is being dealt with, I think that's reasonable.
The question becomes the implementation cost of such an act compared with the advantages of it. That's probably a better question for people in financial services than me.
It's going to cost them a fair amount of money to get that implemented. You go ask the guys at Wells Fargo and see what they think.

Q: We've talked about Microsoft, but one way we haven't talked about it is as a competitor to you. It has shown some interest in your industry. Does that scare you?

A: I'm not scared of anything. You don't live to be 54 being scared. Our company is 21 years old. We have partnered and competed with Microsoft for 21 years. It's inevitable.

Q: You used to work for IBM. Is it inconceivable that some entity like IBM or Microsoft would want to buy Symantec?

A: Nothing is inconceivable in that context. We're a publicly traded company. My first responsibility as CEO is to...