“It’s like that joke,” Gil Shwed tells me, “you don’t need to run faster than the lion, you just need to run faster than your friend.” He is referring to the malicious cyber threats now facing governments and private organizations alike—if you’re easy to attack, you will be attacked, it’s as simple as that. “So just make your network and systems harder to penetrate than those around you.”
Shwed should know. He’s the CEO of Check Point, one of the largest and most influential cybersecurity firms in the world. His fortune has been generated from enterprise security software and, more recently, researching threat actors and their methods, as well as weaknesses in the consumer software platforms used by us all.
Forbes lists the 52-year-old’s net worth at $3 billion—he still owns 19% of the firm he founded 27 years ago. “I had the idea for network security in the late 1980s,” Shwed explains, “but there was no market for it. Then in 1993 the internet opened up, the web started, and that was a huge opportunity for a change in the world. It’s hard to imagine the world without connectivity now. But that was the world back then.”
I am speaking to Shwed from CPX 360, his firm’s convention in New Orleans. Several thousand delegates are signed up for cyber keynotes and breakouts. “The internet became a thousand times bigger than we imagined,” he says, “so did Check Point.”
I ask about the conference—it’s an interesting time for the industry on almost every level. “It’s busier and more hectic than ever,” he says, “but that’s not surprising—it’s a cyber audience.” The backdrop is near continual news stories as Russia and China continue their subversive hybrid campaigns against the U.S. and its allies. It’s just a few weeks after Suleimani, with the escalated threat from Iran. Earlier in the day the U.K. had announced its decision on Huawei, prompting U.S. fury.
When Shwed talks network security it’s worth listening to what he has to say. After all, this is the man credited with inventing the computer firewall. “I was in a small country, I was in Israel,” he says. “We felt isolated from the rest of the world. The internet looked like a huge revolution. But the question was what about security—how do we keep everyone outside our network? And so we matched a good idea in tech with the most revolutionary of markets and demand. We started Check Point.”
In the last few weeks, Check Point has generated its own headlines, stressing its mantra of “prevention over detection,” exposing critical vulnerabilities in Microsoft Azure, WhatsApp, Zoom, even Philips smart lightbulbs. The research team is on something of a mission to prove that everything is hackable: the issues are demonstrated, responsibly disclosed, patched and then published.
The more interesting aspects of the firm’s research delve into the darker world of state-sponsored threats and criminal networks. As we chat, Shwed talks of blurred lines between state-sponsored hackers—threats to the west from groups in China and Russia, Iran and North Korea—and organized crime. The tools and methods are the same; it’s the objectives that change—albeit many groups double-hat.
“We try to protect against everything,” he tells me. “When you analyze some of the most sophisticated nation-state malware it is super sophisticated, but if you defend yourself at the right level, it’s still difficult for the attackers. If you make it easy to get into your network, then expect them to go deeper.”
But Shwed also tells me that the world is not a simple division of good and bad, that his company works in those markets as well—“but not Iran, of course,” he caveats.
In the aftermath of the killing of Suleimani, as the media warned of cataclysmic cyberattacks from Tehran and its proxies, Check Point cautioned that such a response was unlikely. There would be no major campaign, nothing significant off-plan, just a surge in noisy nuisance attacks. The firm’s research team also told me that, in their view, Iran would not unveil any of its more potent cyber weapons, the timing was not right, the risk of exposure too serious. Thus far, their viewpoint has played out.
The cyber standoff between the U.S. and Iran is characterized by the asymmetry of the weaponry at their disposal. In the past I’ve described Iran cyber-attacking the U.S. as being akin to throwing rocks at a tank, arguing that this is what has pushed the country towards softer targets—the commercial sector, mass-market malware, steering clear of the more hardened military and government sectors.
Shwed, though, takes a different view. “The scary thing,” he says, “is that in traditional security we think that a superpower has weapons but that’s okay, we don’t need to deal with them, it’s not against us. But in cyber that’s not the case. If the U.S. or any other government has weapons, sooner or later they will be exposed and sooner or later they will be in the hands of every kid around the world, every government and criminal organization. So we need to deal with all the threats.”
Last September, Check Point reported on Chinese state hackers setting traps, planting machines on their networks to trap NSA exploits, advanced U.S. cyber weapons. “The Chinese want the same capabilities as the U.S.,” one of their researchers told me at the time. “But they want to be equal not by investing, but by cheating.”
Shwed didn’t set out with research in mind; he’s a software guy. “Initially we said we’re building this firewall, we don’t need to know who’s behind the wall, we just need to know the wall is strong enough that no-one can penetrate it.”
And so, seven years ago, the research side started to take shape. “In the last decade things have changed, the world has become much more sophisticated, everything is open. We made a strong wall but there are lots of windows and doors. When you think how you’re connected, it’s not just the network, it’s everywhere. It’s your mobile and the cloud and IoT. We’re all outside the perimeter. The need to provide better security has grown as has the need to understand the vulnerabilities.”
Cyber is now integrated with conventional warfare as never before; we’ve seen attacks in one domain and responses in another. And beyond cyber, we have the facets of hybrid warfare—social media manipulation, playing the mainstream media cycles. And, for Shwed, that has evened the playing field as never before.
“The risk is that those tools will fall into the wrong hands and be used against us. Not many people can afford to maintain a fighter jet,” he says, “but maintaining software or attacking a system doesn’t require that level of resources. And in the next five years it isn’t going to get any better, it will only get worse—unfortunately.”
Shwed references recent attacks in the U.S., attacks on Baltimore and New Orleans, “some of that ransomware,” he says, “is using exploits and vulnerabilities developed by the NSA. The wrong people got their methodology and are using it against us.”
It’s hard to think hybrid warfare without thinking Russia—with all eyes on the U.S. election this year and the role Russia will likely play. Last September, just weeks after exposing China’s NSA traps, Check Point published what it said was Russia’s network of cyber threats. A vast array of capabilities duplicated at great expense—designed to attack from all angles with minimized risk of compromise.
“My view of the world is simple,” Shwed says now. “Our job is to prevent attacks. If we discover after it’s happened then it’s too late—and if you look at our industry, 80% of the innovation is detection not prevention. In conventional warfare, when you discover something you have time to react to minimize damage. Cyber is the opposite. When cyber hits, the damage is done. The malware is much faster than you.”
Shwed’s point is that the research is part of a generational progression of cyber defense. While, he says, the world is fixated on detection and interception, the real answer lies in behavioral analysis, multi-vector fencing, recognising that the threat is likely to come through a naive user and a socially engineered message on a mobile device, not a brute force network attack within the corporate fencing. “When you ask people, they say they haven’t seen attacks on phones. The reason is that most attacks on phones steal credentials to use someplace else. So you have seen an attack on your account or the cloud, but you protect the phone and it doesn’t happen.”
As we close, Shwed returns to his theme. “The challenge is not Country X attacking Country Y. It’s not us attacking China or China attacking us. The new big risk is that somebody takes the tools developed somewhere and uses that against us. That’s the real risk we need to protect against.”
His advice is simple and not unexpected. Stay patched, stay updated, use the tools available to protect your extended networks and devices. “Just like you don’t need to be a medical expert to follow best practice, to get immune, for example.”
And that means that the malware developed in the west should worry us as much as anything developed further afield. “All the malware in the world can attack anyone and usually does. That’s a challenge you don’t have in other fields.”