• silicon.com
• Technology
• Security

By Will Sturgeon, 1 June 2007 13:00

NEWS

Kimmo Alkio, CEO of F-Secure, recently rejoined the antivirus vendor from fellow Finnish company Nokia. silicon.com recently caught up with Alkio to discuss the security landscape, how governments should handle hackers, the need for a dot-bank domain name and his company's much-criticised stance on the potential threat of mobile phone viruses.

silicon.com: You've recently rejoined F-Secure and it seems your arrival has coincided with a very quiet time for the security industry. Is this fair to say?
Alkio: The public perception is that this industry may have become less active because three, four years ago there were these very high visibility public virus outbreaks.

What we are now seeing is that the number of attacks and the quantity of malware is actually increasing. We are getting 7,000 new samples per day but it is being driven by new forces. What we see now is there is a criminal element acting purely for financial purposes and trying to stay hidden.

Phishing is still a major issue. There are markets such as India where the amount of phishing attacks has grown by 96 per cent year-on-year.

Are a lot of threats targeting emerging markets as businesses and consumers in the West start to wise up and protect themselves? Are the criminals just dusting off the same attacks and targeting new regions?
In emerging markets the level of security is not where it is in the Western world. If you look at India the number of broadband users is going from eight million to 20 million in three years. Look at these markets where you have this number of people coming onboard. It does change the threat landscape.

There are a lot of unprotected PCs and online banking and ecommerce are growing. And we need to be very active in educating people.

These infected PCs in emerging markets are also being used in distributed denial of service (DDoS) attacks targeting Western businesses and governments.

How big a problem are DDoS attacks today? There was a lot of talk about extortion a couple of years ago, with criminals threatening to take down businesses' websites if a ransom wasn't paid. Is this still a problem?
DDoS continues to harass people across the world. But is it more, is it less? What we are seeing is it is taking up a lot of bandwidth and we need to protect people.

I think there could actually be a big shift from commercial to political DDoS attacks, such as we saw recently with Estonia [and Russia]. Any place where you have political instability you could see an increase in DDoS attacks in that region.

What about mobile phone viruses. It's a drum that you have banged very loudly - leading to suggestions you're over-hyping the issue. What do you say to accusations you've been irresponsible?
If one recognises that there is a healthy probability that internet threats could be similar on the mobile side to the PC side then it could mean we're at the stage now that PCs were at in the late 1980s.

The devices, particularly smart phones, are becoming used more like PCs. So with a little bit of predicting and visioning into the future, based on past experiences, I think there is a tremendous need to ensure there is mobile security in place.

Do you think you've been as clear as you could be with the industry, with the media and with consumers that what you are doing is "visioning" and "predicting" a scenario that "could" happen?
Independent of how we have communicated this in the past, we are making it very clear today that the threat level on mobile malware is not severe today. There are only 323 known malware on mobiles and over 300,000 on PCs. No hype. Period.

And a lot of that mobile malware is just proof of concept.
Absolutely. Made by hobbyists. That's absolutely where we are today. But what's happening now is mobile phones are being used to download content from the web and are increasingly being used for mobile email.

They are increasingly becoming professional devices and it is obvious that you have to put the protection in place if there are mobile viruses and malware. We are protecting today and pre-empting a future virus.

You're very close to your domestic market. Is it unfortunate that the few reported outbreaks we have seen have been in Finland and it therefore looks like more of a problem to you?
In some instances threats are concentrated on some markets, in this case Scandinavia, because that is one of the most mature markets for smart phone deployments so there is a logical connection there.

So if we look back in a couple of years' time and it turns out you were right, and all your rivals are offering mobile malware protection, will you feel any criticism you've received was entirely unjust?
We are pioneers. You could argue that we started investing too early but I would say it's a great thing - we have gained the competency and have the products up and running.

(Continued on page two. Read on for Alkio's views on hackers, virus writers and what governments should be doing to crack down on criminals.)