The Cryptography Guru

Founder of Internet Security Firm Inspires Reaction: 'We Trust Bruce'

By Dan Lee
Mercury News
March 23, 2005

Bruce Schneier, founder and chief technical officer of Counterpane Internet Security, might be as close as the computer security industry gets to its own celebrity.

Although not as well known as Larry Ellison at Oracle or Bill Gates at Microsoft, Schneier is still the public face of his company, recognized by industry insiders as one of their gurus. Businesses hire Counterpane to guard their networks from hackers and viruses in the same way a nervous homeowner would pay a home-security provider like ADT to watch for fires or burglars.

But unlike most entrepreneurs, Schneier admits that he spends much of his time not focused on his creation.

Schneier helped build the Mountain View start-up through his technical expertise and the exposure he brings as a high-profile security guru, but he has turned its operations over to others to run. While they introduce new services to make the company profitable after five years and $78 million in venture funding, he focuses on what he sees as loftier issues.

"I tell people how to think about security: what works, what doesn't and why," Schneier, 42, a New York native, said of his role. "I'm not involved day to day with Counterpane, but I never intended to be."

Schneier, who lives in Minneapolis, divides his time between Counterpane and writing and speaking on security. He tackles issues from the debate over national ID cards to how scam artists trick computer users into divulging personal information.

He began his career in search of a perfect mathematical solution to computer security through cryptography, the technology of putting data into a secret code so it's unreadable except by those allowed to see it. His book "Applied Cryptography" remains a widely read introduction to the complex field.

Paul "Tony" Watson, a network security architect for Google, credited Schneier with "bringing an understanding of encryption to the masses."

Rare exposure

Counterpane Chief Executive Paul Stich said Schneier's witty and opinionated ways bring the company a level of exposure rare for a start-up with just 100 employees.

"A lot of people say, `the reason we trust Counterpane is we trust Bruce,' " Stich said. "He does it naturally. It would be foolish to discourage him."

And when Schneier talks, it can be wild.

Some cheer. Others fume.

At last month's RSA Conference in San Francisco, the nation's largest gathering of computer security professionals, Schneier said he couldn't even grab a meal at a hotel bar without being mobbed by strangers.

Tom Rowley, who founded Counterpane with Schneier in 1999 after a lunch conversation and served as its first chief executive until Stich took over in 2003, told a similar story about Schneier at a security gathering. "As we walked down the hall, there were people who were bowing to him," he said. "They were kind of joking but kind of not."

His Crypto-Gram newsletter goes to 120,000 e-mail inboxes each month, and he said his blog at www.schneier.com has an audience of 20,000.

But Schneier's exposure has also caused Rowley some headaches. Schneier's newsletter showcases a "Doghouse" for what he calls "stupid security companies or products." He dismisses some technology as "snake-oil cryptography."

"I used to get sued or threatened to be sued about once a quarter by someone who Bruce had offended," said Rowley.

Counterpane began by monitoring corporate customers' networks for security breaches but has since added more offerings. That includes services added last month for scanning e-mail or protecting against attacks known as a Distributed Denial of Service, in which a Web site is flooded with junk data in an effort to cripple it.

The company feeds information from a customer's existing security hardware -- such as firewalls and intrusion-detection devices -- through its own security device and analysis system to thwart attacks. Counterpane said its 65 security analysts in Mountain View and Chantilly, Va., provide constant watch over 500 networks in 38 countries.

Counterpane's approach to watching so many networks gives it expertise in spotting new attacks and security trends, said Peter Christy, principal analyst with NetsEdge Research.

"Security is exactly one of those things where you want some of the best people in the world sleeping in the firehouse, eating chili waiting for the fire alarm to go off," he said.

At odds with Cisco?

However, Christy added that Counterpane could find itself at odds with networking giant Cisco Systems, a leading seller of firewalls and other devices to protect corporate networks. He said the start-up has tended to recommend that customers go with a mix of mostly non-Cisco products, an approach that holds risks if Cisco comes to dominate the security field as it has networking.

Counterpane also faces competition from security-software maker Symantec and Internet services company VeriSign.

The company is "close to breaking even," Stich said. It has about 150 business customers, including Pacific Gas and Electric, General Mills and Royal Bank of Canada. Stich said an average customer spends roughly $15,000 to $20,000 a month for Counterpane's services.

Watson, the Google security expert, remembered when Counterpane came up during a chat he had with Schneier several years ago while the two sat in heavy Chicago traffic.

"He made an offhand comment about how all the traffic seemed so unnecessarily, wasteful and inefficient," Watson recalled. "We debated the issue, and at some point I commented that without commerce and traffic, his new Counterpane business wouldn't make any money.

"The response I received was that he would be more than happy to trade his business if it would help make the world a little better. At the time, it struck me as somewhat eccentric, odd and idealistic, but I believe those are terms that describe Bruce quite well."

earlier story: An Interview with Bruce Schneier
later story: 2005 CTO 25 Award
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..