Interview with Kurt Sauer, CSO of Skype

As Chief Security Officer at Skype Technologies, Kurt Sauer is focused on delivering trusted communications services via Skype’s platforms. Both the software delivered to customers and the internal infrastructure needed to provide Skype’s services are developed with an eye toward design, implementation auditing, and software life-cycle management.

Before joining Skype in 2004, Mr. Sauer was a Principal Network Security Architect for Sun Microsystems at its European research laboratory. Sauer is a member of the ACM, IEEE, Mensa and the Forum of Incident Response and Security Teams (FIRST). He holds a bachelor’s degree in Computer Engineering from Texas A&M University and is fluent in English and French.

What has been your biggest challenge as the CSO of Skype?
The most difficult challenge has been keeping up with the diversity and speed of the development initiatives going on in the company. Skype is growing by leaps and bounds, but it still takes a finite amount of time to investigate the nuances of the interaction among new innovations. I remember the story told by Frederick Brooks about the development of early operating systems, which basically distills the idea that “adding people to a problem does not necessarily solve it faster.” And this is equally true at Skype – it’s not having a lot of people that counts, it’s having bright and adaptable people that’s important.

With the constant evolution of threats, what kind of technology challenges does Skype face?
One of the biggest potential threats to Skype is from attempts to conduct identity theft. Criminals and hackers are using increasingly sophisticated and targeted attacks against computer users worldwide to gain access to end-users’ service and banking accounts. Internet users worldwide continue to fall prey to fake e-mail or so-called “phishing” attacks, supplying thieves with opportunities to install keystroke loggers and other malware on their computers. Skype works closely with eBay and PayPal, as well as with other industry partners, to identify and counter these and any other kinds of attacks.

How does Skype’s security compare with that of other VoIP systems?
Skype uses a sophisticated system of standards-compliant cipher and digital signature systems to preserve the security and to ensure the integrity and authenticity of the call from end-to-end. Most other VoIP systems provide no encryption or authenticity controls over the call, which puts Skype in a security leadership class of its own.

Many argue that the adoption of VoIP brings together a whole new set of security risks and problems. What can be done to mitigate those risks?
Most of the problems identified in the area of VoIP have to do with the complexities of interconnecting VoIP switches and other hardware components in an enterprise configuration. In addition to this, there have been persistent arguments that VoIP is insecure because the vast majority of VoIP systems do not provide any level of encryption by default for their users.

Efforts in the VoIP industry to use encryption more pervasively, to reduce the risk of equipment configuration errors, and to reduce the amount of infrastructure components needed to deploy the service will help. Skype has a distinct advantage in this area because its peer-to-peer design eschews hardware switches, thereby eliminating the risk of misconfiguration, and uses only encrypted communications links.

What is your general strategy for making Skype more secure?
Keeping Skype simple to use and retaining a public key infrastructure-based (PKI) authentication system are the keys to ensuring continued security for Skype.

In the old days it was all about phreaking; nowadays the term VoIPhreaking is making its way into the news. Have you had any experience with it, or is it just media hype?
The term “phone phreaking” predates “malicious hacking” and the myriad of Internet-age terms that have come to represent the analogue of phone phreaking in the modern age. By their very nature, all security systems pose a challenge to those who perceive themselves as being on the outside of the barrier.

What I think is the biggest sea change in telecommunications security is in the area of motivation. Phone phreakers were, by and large, interested in the security of telecommunications systems per se; it was viewed by the phreakers as a mostly intellectual pursuit.

Today, however, we see a bifurcation of objectives: while some continue their pursuit – rightly or wrongly – for purely intellectual challenge, the commercial benefits in the areas of unsolicited commercial calling (spam messaging) and in industrial espionage are perceived to be so great that very well-financed and sophisticated attacks are appearing at an alarming rate on the Internet. This is not just a risk for VoIP, but for the general computing milieu of which VoIP is merely one part.

What challenges do you face in the marketplace? What do you see as your advantages?
While Skype is a leader in the area of peer-to-peer communications and in converged messaging, there is always the possibility of becoming obsolete due to competition. The challenge we face is partly organisational – making sure we use our resources effectively and remain lean – and partly technological, ensuring that our developments are relevant, innovative and easy to use.

I suppose that the challenges we face in the marketplace are the same as any other new company: gaining customer acceptance and focusing on delighting our users every single day.