28 Jan 2010
V3.co.uk: You recently commented that the Operation Aurora
attacks on firms such as Google and Adobe marked a watershed moment. In what way
was it a turning point?
George Kurtz: I said it was a watershed in a recent blog post not because of
the type of malware that was used, because we see
that sort every day, even though it was quite sophisticated. When you delve into
the details it's the fact that a high-profile company says it has been attacked
and is willing to pull out of a $1.2bn [£738m] market as a result, and that it
was highly co-ordinated involving at least 20 firms. That number is just the tip
of the iceberg. It's also allegedly government sponsored. We know
government-on-government attacks are happening all the time, but government on
the commercial world is a different story, outside of defence contractors.
Is it true that the hackers tried to target Google employees by
posing as their friends on social networks?
Well, speaking generically here, we're seeing a lot more targeted attacks on
firms where people focus on [employees with] the highest set of privileges and
then work backwards, gaining access to secondary parties to get to the primary
source. In this case we saw that much more reconnaissance had been done
upfront, which is a shift maybe people
aren't aware of. These attacks have shed additional light to upper management to
say 'are we doing enough from a security perspective?'. For most chief
information officers, anti-virus and firewall are enough.
So it could force companies to improve their own security?
The problem with the security industry is that security people like to convolute
the issues and vendors are always talking about bad things happening, so
something like this puts it all in context. If it can happen to Google, people
may think 'what does it mean for my company?'. So there is a positive thing that
has come out of it. I've had a string of chief security officers and Fortune 100
companies on the phone wanting to know what it's about, even if they weren't
directly affected.
McAfee recently released a new report providing insight into the
threats facing companies and governments providing critical infrastructure. What
does it conclude?
In the US, at least 70 to 80 per cent of the critical infrastructure is
privately outsourced. We've found that security around these systems is
generally inadequate and presents a high degree of risk. Some systems are being
left unpatched and unprotected and are very easy targets, so we're trying to
shed light on how important they are and how the public and private sector can
come together to protect them.
What problems lie at the heart of securing critical
infrastructures?
Well, the private sector is financially motivated, and governments are motivated
by security and the national interest, and these two sides can't always be
reconciled. One way of going forward is if the government could provide tax
incentives to critical infrastructure companies to secure and upgrade their
systems. It would go a long way to helping because the technology exists but
there's no money there for it. Governments also need to hold these firms
accountable and be prescriptive in the security measures they need to adopt.
They need to find a way of clearly measuring security and risk equally across
departments.
Strategically what else is McAfee focused on at present?
Cloud-based protection. Trying to interlock all of our technologies in the cloud
and provide better protection by using the information gleaned from another
vector. So we're turning 100 million endpoints into security sensors, which is
when anti-virus becomes more interesting. If we see an email attachment which
looks suspicious on an email gateway, for example, we can check with the cloud
and see if any other endpoints have seen it and if it's bad or not. It's about
learning about that file from another vector, then pushing out protection to
everyone even if we don't have a signature for it yet. The other element we're
focused on is investments in virtualisation technology, server and virtual
desktop infrastructure. This is stuff that works in the labs and is being
commercialised now.