Casey's Technology Guru on Cyber Security
Interviewed by Louis James, Editor, International Speculator
Recently: Doug Casey on the Tea Party Movement
L: When we last saw our hero, Alex Daley was preparing to leap from medical devices to security in the Information Age, the other largest Casey technology division focus area. Entertainment technology is also important, but right now, security is hotter. So tell us Alex, what are the main trends, and how can people invest in them?
Alex: Anyone who's ever used a computer is familiar with security threats. We all get security patches from Apple or Microsoft, or other vendors — just about every computer out there is vulnerable to attacks if not properly defended.
L: And sometimes even then. Why can't the computer and software companies produce a secure product?
Alex: It's in the nature of the systems we use; they are all built on platforms written decades ago, before anyone envisioned anything like the Internet and how it would give almost any arbitrary person in the world a way to reach (and consequently to attack) the computer of almost any other arbitrary person in the world.
L: Wait a minute, are you saying that Apple's newest computers still rely on the same Unix code written back in the 1970s, and that the latest Windows systems rely on … whatever it is that Windows systems were built upon — or even DOS before Windows?
Alex: Yes. Apple is still based on Unix, and Windows is based on the same "NT" technology that was around in the early 1990s.
L: Wow — I didn't know that.
Alex: Well, the systems have been massively upgraded. There have been significant changes to the way the core — what they call the kernel — of the operating systems works, in order to try to make it more secure. And we've added extra layers of protection: firewalls that stop incoming or outgoing network connections that might not be authorized, security software pre-loaded onto new computers, including anti-virus and anti-spy-ware programs, and more.
The result of adding all this on is that security has become a very messy business. They call it "defense in depth." That's code in the technology industry for "as complicated as possible."
Alex: It just continues to grow. The number of vulnerabilities discovered each year is actually increasing, not decreasing. They do write software more securely with each passing year, but our understanding of how to commit attacks is growing even faster. It's an arms race — almost a cold war between hackers and the software vendors, with virtual missiles being lobbed around the world day in and day out.
L: Sounds messy indeed. And we like this field because… why?
Alex: Because there are companies that are providing security solutions that make things simpler. They make things easier for businesses to better secure their networks, and they are gaining a lot of traction. At the same time, there are companies that are going beyond the horizon of today's problems and offering new approaches to computer security, looking into deeper issues.
You have to understand that this messy security problem has become very, very costly for companies to manage. They have to have a firewall. They have to install the latest security patches. They have to have anti-virus software on their desktops and on their email servers. Web filters, spam filters, and more. It's come to the point where your average Fortune 500 company or large government agency will have dozens of vendors providing many different security solutions. That requires lots of people to manage those solutions and keep them updated and running smoothly. Any single product that can replace several others has great advantages.
L: Simplification sounds good, I can see the opportunities there. But what do you mean by deeper issues?
Alex: Go beyond worrying about the latest worms out there, and consider such things as detecting when employees steal from their own companies or access information they are not supposed to have access to, like personnel files. You can even treat noncompliance with regulations as a security threat, and develop solutions to detect that. They use heuristic scanning to detect unusual activity — you could call it artificially intelligent forensics.
L: Is there any thought of going to the root, and scrapping these decades-old programming languages the kernels are written in? Creating something new with security in mind from the get-go?
Alex: All the basic building blocks of software are the problem. It's not just the kernel code, but the compilers and the programming languages the operating systems are written in. And there are efforts at every level to improve security — even down to the hardware. Intel, for example, has long talked about a need to start with the hardware, and I think they are right.
Eventually, the architecture of computers themselves will have to change in such a way that the hardware doesn't just automatically execute any code. The root of harmful software — malware — is a piece of code inserted into a computer system in such a way that the processor will run it next. They call them stack overflows, heap overruns, and lots of fancy technical terms, but the gist of them all is that the computer looks at a chunk of memory, finds a piece of code and executes it, without any verification of where it came from or how it got there. Computers basically assume that all computer code is safe.
So, if you, as a hacker, can find a way to place your malware where it will be fed to the processor, you've found a security vulnerability.
L: How do they propose to fix that?
Alex: Well, Intel just acquired McAfee for $7.5 billion. They haven't said what they plan to do with all that security talent, but Intel is most certainly in the hardware business, not the software business. Many people assume — and I suspect that we'll see it validated by Intel soon — that Intel will try to integrate security more deeply into the hardware. If they do, that will necessitate more changes in the operating systems and other software, so it will be a co-evolutionary process.
There have been a few baby steps in this direction. There's a thing called the "no-execute bit" within modern computer architecture behind both Intel Apple and Intel Microsoft systems that allows a programmer to set portions of the memory to block execution of any code found there. That makes the memory data storage only and mitigates a lot of code-injection vulnerabilities, but it doesn't stop them all, not by a long shot.
L: Sounds promising. Does that make Intel a good investment now?
Alex: Not in the sense that it will see spectacular stock price growth, which is generally what we look for in an investment. Intel is a blue chip stock. This is a move the company needs to take in order for the computer to remain a viable platform, and it could give them a competitive advantage over other chip manufacturers that are starting to catch up to Intel in speed. Intel has lost a lot of ground in mobile and ultra-mobile applications — cell phones, tablets, etc. — most of which are not running on Intel platforms. So Intel is looking hard for ways to stay relevant and keep its margins up, while the PC itself becomes less predominant as a computing device. Making their hardware more secure is a necessary evolution, but I would not yet say that it makes Intel a growth stock.
One place where it could be a growth business for Intel is in the virtual computing area. Companies like VMware have sprung up over the last few years to become multi-billion-dollar companies by making computers virtual. That revolves around the ability to run dozens of different operating systems, serving different users, in a single piece of hardware — all at the same time. The trouble with that is that they've discovered major vulnerabilities in that type of architecture. This has yet to be tackled in any serious way, partly because it's been such a rapid growth industry. I think Intel sees this as an opportunity to get in to this new area by offering software/hardware combinations that offer greater security. That's all speculation on my part, but it would be one way to put Intel on the kind of growth track that would get your interest.
L: Okay, so not Intel. What else are you looking at?
Alex: As growth investors, we're looking at companies that have the potential to create new markets or new revenue streams. An example of a success story from our Casey's Extraordinary Technology portfolio is a company called Fortinet. This is a company working the simplification track in the computer security business that makes hardware devices that sit at the edge of your network and filter traffic in lots of ways. This is what they call "unified threat management" or UTM. Fortinet basically invented this business. They were the first UTM provider out there, and they continue to be number one in market share. Their FortiGate appliances are all-in-one hardware/software solutions that you can deploy cheaply and easily to keep viruses, worms, spam, etc., out of your network, and also do web filtering to keep people in your system from going to sites with illicit software, and so on.
Lots of governments and large businesses have adopted these things, and it's even moving down to mid-sized businesses, enabling the company to grow tremendously, adding double-digit percentages to the top line and the bottom line. We invested early enough, and it's been a big win for our portfolio.
L: I can see the simplification story there — makes perfect sense. How about an example in the new/deeper approaches area?
Alex: Another recent win we had in that field was a small company called ArcSight. ArcSight specialized in the sort of forensic and regulatory compliance software I was mentioning earlier. Let's say you're a large business, and you have a large pool of salesmen, and one of them gets a job at a competing company. There's often very little in place to stop that salesman from, for example, going into Outlook and downloading the entire corporate address book and taking it with him to his new job. Next thing you know, he's calling not only his old customers, but his colleagues' customers — raiding your whole list.
Companies have ways to react to that after it's happened, usually involving lawyers and occurring only after months have passed, but what they'd been searching for was ways to identify it when it's happening and get in front of it before it becomes a problem. ArcSight wrote software especially geared towards solving this problem, auditing internal systems, checking for back doors when the software is installed, and monitoring the system going forward to find anomalies in who is accessing what. The ArcSight software would, for example, notify the system administrator if an employee who'd been with the company for three years and never accessed financial data suddenly spent hours digging around in such data. It's up to a human to interpret such an alert, but he or she doesn't have to sort through billions of lines of log data to find the anomalies.
ArcSight was an up-and-coming company we'd been watching and bought into this August. Only a few weeks later, Hewlett-Packard bought ArcSight for $1.5 billion. We were lucky on timing, of course, landing a great premium for our subscribers in a very short period of time. But even without the acquisition, ArcSight was on a growth path that would have yielded great returns for our subscribers — that's what made them a buyout candidate to begin with.
L: Great story — congrats. You know, I'm starting to get spam via text messages, which can be pretty expensive if I'm roaming in Inner Mongolia or somesuch place. Is the battle moving in that direction?
Alex: The battle is definitely moving into the mobile front, but there have not yet been any major threats to storm the mobile space in a big way. That's for several reasons. The mobile space is different from the PC space. Smart phones are connected to the Internet, but there is a much smaller number of providers making those connections than there are ISPs connecting PCs to the Internet. Those providers have a strong vested interest in trying to protect those devices. There are also fewer hardware manufacturers, with similar incentives. If there's a problem with your iPhone, you call Apple right away. If it's your Droid, it's Verizon — they have a very strong motivation to keep those devices secure.
There's also a large number of different operating systems in the mobile space — no one dominates like Microsoft does the PC operating system market. With so many systems, you can't reach so many devices exploiting the weakness of a single system and it'd be hard to learn how to breach them all. It's what tech people call security through obscurity.
But, with the exploding popularity of smartphones, don't be surprised to see more threats aimed that way in the years to come. In technical parlance, the more features a device has the more "surface area" it has for an attack.
L: Hm. Is it possible that the bad guys could become so effective that they actually render computers useless? If people see their computers as traps that open their bank accounts to thieves, they might just pull the plug on them. A parasite commits suicide by killing its host.
Alex: I suppose that it's theoretically possible, but people get so much value from their computers; computers have enabled such enormous productivity gains, it seems pretty unlikely. Just imagine trying to do all of General Electric's accounting books on paper. People are not going to abandon computers or smart phones, they'll just demand better ones, and as long as that demand exists, carriers, device manufacturers, and third parties will bring solutions to market.
L: As you say, it's an arms race.
Alex: Yes, and there are some areas in which the criminals have certainly proved their mettle. One very successful threat that has called into question the way we build computers and program them, on the most fundamental level, is the commercialization of the virus. When most people think of the creator of a computer virus, they tend to imagine a lone hacker who's angry with his former employer, or with a chip on his shoulder for the whole world. But now there's a new Trojan horse virus called Zeus — but it's not just a virus, it's a product.
You can buy Zeus online, customize it to target whatever it is you want, and then release it to the Internet. It creates networks of "zombie" computers (other people's machines you've taken control of) that you can log into and use to send spam, or steal bank account numbers from. There are estimates of millions of computers around the world that have become Zeus zombies, unbeknownst to their owners. These zombie networks serve dozens of owners who bought the Zeus software from the original writer.
More than 60 individuals in an organized crime ring, including eleven people in New York City, were arrested recently for using a Zeus Trojan to steal more than $3 million. These people harvested credit card numbers from people's computers as they made purchases on e-commerce sites, and bank account numbers from people as they banked online. The criminals then proceeded to transfer funds via electronic "ACH" transactions — the way you get your direct-deposit paycheck or use the check-by-phone feature to pay some bills — to their own accounts and withdraw them.
L: Wow — does current anti-virus software protect against Zeus?
Alex: Yes, but a surprising number of people still have no decent security software, or don't keep theirs up to date. Worse, a few months ago, the authors of Zeus made a major upgrade to their software. They introduced what we call polymorphic encryption. What that means is that every time the virus copies itself, it changes itself slightly, which makes it impossible for the security software to search for exact matches. It's like a human retrovirus that mutates rapidly, rendering old antibodies less effective, or even ineffective. Now it takes a lot of heuristic scanning to figure out if something is, in fact, a virus.
L: A tough enemy.
Alex: Yes, and since it's a commercial success, the authors have the incentive to keep making it more and more effective. So far, frankly, the Zeus authors have been winning this particular branch of the software arms race.
L: How can you sell something like that online? The cops should be able to follow the money to your bank account and clap irons on you when you show up to collect it.
Alex: There are countries where you can set up a bank account as easily and anonymously as you can set up a Gmail account. There are countries that are happy to let criminals set up shop and sell malware, where it would be very difficult for the U.S. or European governments to reach out and shut them down. Nigeria, for example, is famous for its bands of scammers and computer hackers.
L: That's pretty scary…
Alex: It gets worse. There are signs now that governments or other large organizations are starting to develop software weapons. More and more of the systems that support modern life, whether that be the systems that operate the electrical grid, transportation systems, defense systems, or other vital systems, can be accessed through the Internet. Even some that are offline are vulnerable to attack via transferable memory devices, like USB memory sticks, directly or over a large private network. Few machines are not networked in any way these days.
For example, in recent weeks there has been increasing coverage in the media about a piece of malware called Stuxnet. Over 50,000 systems worldwide, 60% of which were in Iran, were found to have been infected with this virus. At first its purpose was a mystery, but we're learning more and more about it, and we're finding that it targets the industrial control systems at nuclear power plants and other electric power systems, mostly ones made by Siemens.
Iran has been having a terrible time trying to purge this thing out of its power control systems, particularly those of its new nuclear plant. No one has claimed to have written this virus, and the security industry is still unsure where it came from, or even exactly what its payload is, since it's largely encrypted.
It also appears that this worm has been specifically designed to be delivered into a network via a USB memory stick, and once there, it spreads itself around like other Internet viruses. That's pretty scary, when anyone can plug a USB stick into a computer inside a secure network and upload a virus that's very, very difficult to remove.
L: I agree — though I can imagine some people thinking this is a good thing, if they oppose Iran becoming a nuclear power. The attack seems to have thrown that program way behind schedule without having to bomb the place, and risk the spread of radioactive material.
Alex: Could be they might, but the nuclear power plants in France and the U.S. are, mostly, running the same systems. They are not attacking the country, but the nuclear power plant systems.
L: That is scary. Maybe it's some anti-nuclear group — but I wouldn't think they'd want to risk an accident. And I read that Iran's power plant seems to be the primary target, plus, that it seemed to be the work of a very large organization, probably a government.
Alex: There's a lot of speculation about this. There's still a lot of mystery about the attack, and the situation is still evolving day by day — right now. We don't know what the end of it will be, but it does appear that the initial target was Iran. Iran has even come out with press statements to the effect that this is a plot by Western powers to stop its nuclear program.
L: It'd be almost funny, if there weren't so much potential for truly catastrophic consequences, if a Western power did sic this thing on Iran, but then it kept going and boomeranged back on them.
Alex: Indeed. We can speculate about such things all day, but there's a deeper issue here. The industrial control systems this thing is designed to attack are ubiquitous around the world — they're very old in many cases, and very rarely updated, in many cases. Air traffic control systems, for example, or train switching systems. These things tend to be written by companies like Siemens and they are very expensive. So, once they are put in, they tend to stay in effectively forever. The possible need to update or replace such software has never even been considered in the cost structure of the entities that use them. There's no plan in place to deal with this new threat in most places, and even fewer would have the budget needed. This will have a decades-long impact on how large companies, utilities and governments operate essential systems.
L: Is there a company addressing this? One to invest in?
Alex: No. One reason this is drawing so much attention is that this whole area of critical industrial systems has been completely off the radar screen. Until now. Most of the effort has been aimed at securing Windows systems, Internet servers, etc. That's where the money has been — in very common systems. But these big industrial systems could be targeted by competing companies, or by governments that want to harm their enemies, so more and more of these smaller, strategic systems will get some attention. Today, however, there aren't many companies focused on this area — or even bad guys, for that matter. But Stuxnet is changing that, a real wake-up call.
So, we don't have a stock pick in this area, but we will be looking very, very closely at the companies that do enter this arena. I should also note that the companies that make the systems, like Siemens, stand to benefit hugely, as their customers decide to replace old systems with newer, more secure ones. There could be a renaissance in this whole sector.
L: Heh. Maybe it was them to begin with. But we don't need to go there. So, to wrap this up, our main focus for investing in new cybersecurity companies is on the simplifiers, and the new solutions companies?
Alex: Right. There's a lot of consolidation going on in this highly fragmented industry, as we see in the Intel-McAfee takeover, and the HP-ArcSight deal. A lot of big tech companies are flush with cash, but are not growing; that's adding to the drive to take over growing businesses, like security companies, which are in one of the fastest-growing tech subsectors. Such buyouts can be to our advantage, but we can't count on them, so we look for strong companies with excellent potential to grow both their top and bottom lines.
L: Great. Well, thanks. I think. I didn't know you could be as apocalyptic as Doug — I wasn't expecting such a sobering interview.
Alex: You know investors have to look at things as they are, not as they wish them to be. So you're welcome; I'm happy to help you see the situation more clearly.
Alex and his team are always hot on the heels of the next generation of high-growth tech companies; that's how they have made several 40%+ gains within a few months or even weeks for their subscribers. Their latest find — prominently covered in the current edition of Casey's Extraordinary Technology — is a company building surgical robots. Take a risk-free 3-month trial and get in now to win big…details here.
October 9, 2010
Copyright © 2010 Casey and Associates