In this exclusive online interview, International Security Journal sits down with John Merrill, CEO of DigiCert to discuss the company’s commitment to preserving trust on the internet.
2018 was a busy year for DigiCert. Can you tell us about the distrust timeline that you completed in October, please?
When DigiCert completed the acquisition of the Symantec Website Security & PKI business in November 2017, we only had one month to take over all Symantec certificate validation and issuance of TLS/SSL certificates. After we completed the transition of the operational processes of Symantec, we were facing another deadline which involved replacing a portion of existing Symantec-issued certificates by March 2018. We then had another deadline where we had to replace the remaining Symantec certificates by October 2018. As Symantec was by far the largest issuer of certificates, including for financial transactions and banking, internet continuity was at stake. The process required us to re-validate all organisations, contacting all affected customers, issuing and sending them new certificates and then getting them to replace the more than 5 million certificates that were going to be distrusted.
DigiCert successfully completed the project on time and without interruption to the internet.
What impact will it have on internet security?
The impact will be long-lasting. Firstly, the internet remains strong and did not break last year. Secondly, we have invested heavily in our technology and systems and have a big focus on improving industry standards to advance security. We are also using our best in class technology to deliver products through our TLS/SSL platforms. Mostly, it has created in us a commitment to never allow this issue to occur again, threatening trust on the internet.
You have recently announced the acquisition of QuoVadis. Why has DigiCert made that move?
DigiCert believes that while technology is global, business is local. Europe, in particular, has localised needs and a strong focus on privacy and data protection. This acquisition strengthens DigiCert’s already healthy position as the leading provider of certificates for the European market (including for nearly all European banks), and adds to our Dublin and London offices with new ones in the Netherlands, Germany, Switzerland and other locations.
The QuoVadis acquisition helps us offer customers EU Qualified Trusted services and products, which include heightened identity requirements. With the September 2019 deadline for organisations to comply with the EU Payment Services Directive (PSD2), banks and other financial institutions will need these certificates and we will be able to provide them. DigiCert is the only global CA that operates as an EU TSP.
What is DigiCert aiming to achieve through its collaboration with Microsoft and Utimaco?
As the development of quantum computers continues to advance, DigiCert is working together with other industry leaders to develop solutions that implement quantum-resistant cryptography. Quantum computers are expected to be available within 10-15 years with the compute power to break today’s modern cryptographic algorithms (RSA and ECC) used to protect data online. DigiCert is working together with Microsoft and ISARA, which have submitted quantum-resistant algorithms to the U.S. National Institute of Standards and Technology (NIST) for approval, to be able to implement these in hybrid digital certificates alongside traditional algorithms like RSA and ECC.
We are working with Utimaco and Gemalto to protect the post-quantum cryptographic digital keys used for authentication in Hardware Security Modules (HSMs). By doing so, companies will be prepared now with sufficient algorithm strength, and will avoid the headache and cost of having to do so last-minute or in an emergency situation when a quantum computer does successfully break current encryption algorithms. This is especially important for companies with long-lasting applications and devices, such as financial services and banking, as well as manufacturers and users of IoT devices. We encourage companies to contact us for certificates to start testing in their environments now.
What are the main challenges currently facing the cybersecurity industry?
Many challenges exist; primary among them is the scale required to protect communications, systems and devices in the IoT age, as well as the need to protect and assert vetted identities online to prevent fraudulent activity. DigiCert focuses on these areas across multiple industries, with a core strength of being able to validate identities and provide TLS/SSL and other digital certificates and related solutions at a massive global scale. Threats are becoming more sophisticated and we need to stay ahead of those, especially in a world where every aspect of our lives is online.
DigiCert CEO, John Merrill
What makes DigiCert unique from its competitors?
DigiCert is the global leader for TLS/SSL and PKI solutions for websites and the IoT as we are the first choice for companies who are serious about security and looking for authentication, encryption and data/system integrity. Over the past year we’ve invested heavily in our technology, people and processes to modernise and scale our offerings in a way unmatched by competitors and not seen in our industry to date. With that and our global teams and operations, we are able to offer world-leading, modern technology combined with localised customer support and focus from our regional teams. This ensures that we lead in areas of industry standards and solutions for our customers to simplify their important work, from deploying and managing TLS/SSL and other digital certificates and PKI infrastructure, to developing many of tomorrow’s solutions through our R&D initiative, DigiCert Labs. Some of the areas we are researching include strengthening the security of blockchain and sovereign identities, machine learning and strengthening IoT security.
What does the future roadmap for DigiCert look like?
We will continue to develop new solutions that address the key challenges of companies across identity vetting, authentication, encryption and data integrity. This includes driving automation in digital certificate management and deployment of solutions, and partnering with leading companies to strengthen our offerings. We are also addressing emerging markets to improve how we protect critical data on the internet and how we ensure people know who they are interacting with (high-assurance such as EV certificates on the web, or in the case of the IoT, device authentication).