Can He Watch?

The Thinker: Computer-security and encryption expert Bruce Schneier. The Setting: A counterpane surveillance room, Mountain View, California. The Question: How fast can you react when hackers attack your site?


Every second counts when you’re trying to stop a break-in. Home owners and burglar-alarm companies know that. That’s why they install motion detectors, loud alarms, and trip wires that alert police immediately. Safe manufacturers know that too. Each safe is actually rated according to approximately how long it can withstand fire, as well as how hard it would be for a veteran safecracker to break into it. This caught-in-the-act logic isn’t meant to stop attempted break-ins, but rather to bring help almost instantly — making it likely that burglars will give up before much damage has been done.


Shouldn’t Web security be guided by the same principles?

For the past year, that question has tantalized computer-security expert Bruce Schneier, 37. In the early 1990s, Schneier created the Blowfish algorithm, a popular encryption formula that has yet to be cracked. He has also authored or coauthored five books, including “Applied Cryptography: Protocols, Algorithms, and Source Code in C” (John Wiley, 1994), which still frequently appears on’s list of its top 1,000 best-selling books.

Schneier has spent most of his career on the classic priorities of computer security — that is, figuring out ways to put sensitive data behind bigger padlocks and thicker lead walls. Now he’s widening his ambitions, believing that prevention is only part of what a good Web-security system should do. If break-in attempts are inevitable — and, as the Web becomes more visible, it becomes a more inviting target — then, he contends, it’s time to focus on an infrequently asked question: How fast can you react when trouble strikes?

“I had an epiphany last year,” Schneier says. “I realized that lots of security products work wonderfully when they’re used properly,” but that haphazard implementation often makes them vulnerable. That increases the need for a system that can spot the first stirrings of an attempted break-in, while there’s still time to react. “Think about credit-card data thefts on the Internet,” he says. “Many result from a flaw in a popular piece of software for which a patch has been issued but that merchants fail to use.”

To help shore up security in an imperfect world, Schneier and his colleague Tom Rowley, 52, a computer engineer, last year founded Counterpane Internet Security Inc. Their company doesn’t make data firewalls, encryption algorithms, or other familiar types of security software. Instead, it focuses on detecting suspicious activity and responding to trouble — fast. So far, Counterpane has raised $34 million in venture capital from such companies as Goldman Sachs and Morgan Stanley Dean Witter. It has attracted more than three dozen customers that rely on Counterpane to spot signs of mischief on their networks and then to help them quickly take countermeasures.


“When an attack happens, you have very little time to react,” says Rowley, president and CEO of Counterpane. Indeed, as chief technology officer Schneier points out: “When someone hacks into your Web site and stays there for an hour or more, it’s very difficult to get that person out because hackers will compromise your security in many places. But if you can spot a hacker immediately, you can turn off the point of access before much damage is done.”

To put their ideas into action, Rowley and Schneier decided to create a secure operations center (SOC) at the farthest corner of Counterpane’s San Jose, California offices last winter. In that small, brightly lit room, technicians watched computer screens around the clock for signs of possible intrusions into clients’ Internet operations. That first SOC has since been replaced by a bigger facility in Mountain View, California, and a second, nearly identical site is located in Chantilly, Virginia. Each facility is physically hardened against attack and is under constant video surveillance.

Data analysts join Counterpane only after passing a psychological-profiling test. Even so, their every keystroke is monitored. “We’re looking for people who have a very strong sheltering and protective side,” Rowley says. “People who, if they weren’t working for us, might be police officers or firefighters.” Two types of workers are attracted to computer-security jobs, he adds. “One type is exactly what we want. The other is exactly what we’re fighting against.”

Inside an SOC, security analysts put in nine-hour shifts of tedious but exacting work. In many ways, it is the post-Cold War equivalent of sitting in a bunker somewhere on the Great Plains, watching satellite images of the Soviet Union and looking for suspicious activity near nuclear-weapons sites. On many days, nothing happens. But every now and then, blue-and-white warning messages pop onto computer screens, warning of “suspicious” — or even “critical” — behavior.

On March 20, 2000, for example, Julio Calderon, 25, a Counterpane senior security analyst, noticed a deluge of attempts to log onto one client’s Internet service, all coming from Internet addresses in the Middle East. He emailed the client at 3:03 PM, advising it to close one of its data ports through which users can log on. The client did so — and the attacks stopped.


To be sure, Counterpane’s services aren’t for everybody. For one thing, very large companies usually set up their own traffic-monitoring departments, paying in-house analysts to do nothing but look for suspicious activity. For another, Counterpane’s “high-touch” approach isn’t cheap. Clients typically pay about $12,000 a month.

Counterpane sees big client opportunities in online businesses that are early enough in their growth curve that they want to outsource specialized functions like security monitoring. And the company contends that beyond strategic focus, there’s another virtue of outsourcing: As it grows, Counterpane’s analysts will have especially up-to-date and comprehensive knowledge about hacker practices, simply by seeing so many surveillance reports every day.

Among some of the first clients trying out Counterpane’s service is Conxion Corp., a Web-hosting business based in Santa Clara, California. Conxion handles, among other things, most downloads of Microsoft’s Internet Explorer software. Reading audit logs of Web-site traffic “is a mind-numbingly boring thing to do,” says Mark Kadrich, 42, Conxion’s director of security. He says he would much rather hire Counterpane to handle that task — and to have someone from Counterpane call him at work or at home, day or night, if anything abnormal shows up — than have to recruit and manage a staff of data analysts himself.

This spring, after several months of calm, Conxion became the target of a small-scale, attempted hacker attack. And within 10 minutes of the intrusion, Counterpane sounded the alarm, Kadrich says. Conxion was then able to tell the hackers that they were under surveillance, which discouraged the intruders from proceeding further, he adds. Even before that incident, a pre-Counterpane skirmish last year made Kadrich decide that detection and response needed to be prominent parts of his company’s security package — a realization that led him to seek out Counterpane.

Last year’s hacker attempt involved Conxion’s Web-hosting work for the World Trade Organization’s Internet site. As part of widespread disruptions at the WTO’s Seattle meeting in December, protesters began bombarding the organization’s Web site with spurious requests. “We spotted this activity early on and took steps to redirect the traffic back to the protesters,” Kadrich recalls. “As a result, they were the ones who ended up getting swamped.”


That tussle worked out well enough that Kadrich is able to laugh as he recalls the incident. But he says that immediately after the WTO flap, as he thought about the prospect of more such challenges ahead, he decided that he didn’t want to face hacker attacks entirely on his own. “That was one of the factors I used to help justify bringing in Schneier and Rowley’s expertise,” he says.

Schneier is hoping that more and more dotcom executives who are charged with maintaining security will reach the same conclusion: The only safe Web site is one that’s always being watched.

George Anders ( is a Fast Company senior editor. Visit Counterpane Internet Security Inc. on the Web (