Safetydetective interview with pEp co-founder Leon Schumacher

Leon Schumacher, co-founder and CEO of Pretty Easy Privacy, was kind enough to sit for an interview with Safety Detective’s Aviva Zacks so she could ask him how he sees hackers both as a threat and as a solution.

Safety Detective: How did you get into cybersecurity?

Leon Schumacher: I was a Group CIO for a couple of Fortune 100 companies in the 2000s, and, as Chief Information Officer, I was responsible for cybersecurity as well. When I left the corporate world, I found cybersecurity to be an area that had a lot of opportunities, which is why I focused my entrepreneurial efforts there.

SD: Tell me about Pretty Easy Privacy.

LS: Pretty Easy Privacy (pEp) was founded in 2014. Initially, we started with IT security consulting. We did penetration tests and security around SAP, as well as security concepts for smart-metering and e-health cards in European countries. Out of all of these activities around security and privacy, pEp was born.

SD: What does pEp do?

LS: We want to take the complexity out of encryption. pEp tries to do for privacy and encryption what Skype did for VOIP. Skype took an existing, but complicated, technology and automated it so that a user could simply install it and then make a Skype call. pEp installs with 3 clicks in 10 seconds and encrypts opportunistically with all the correspondence that you have.

SD: What industries do you provide services for?

LS: Firstly, we protect consumers’ email with free tools. We have about 400,000 free users on Thunderbird, where they download the free pEp client, which comes with Enigmail, and then install it into Thunderbird.

Secondly, we sell e-mail protection to large corporates: banks, pharma companies and automotive companies who all need better email protection so that hackers can’t read or modify their emails. Hackers today modify account numbers on electronic invoices that come by email, causing the wrong accounts to get paid. They also can read the e-mails that get sent between different companies. pEp also protects company e-mail from phishing attacks with their own domain accounts (CEO fraud for example).

Lastly, you can take pEp software and use it to secure communication in the Internet of Things, or for securing SWIFT payments both within and between banks. SWIFT requires banks to protect payment messages end-to-end, from where they are generated until they reach the secure SWIFT network, and that’s another area where the pEp solution can be deployed and make encryption easy and opportunistic. No key or certificate management needed, but total automation.

SD: What does your company do to ensure that communication is protected from hackers?

LS: An individual or a company that wants to protect their email communication can download the free version or buy a license to the pEp software. pEp automatically recognizes who can encrypt and then starts encrypting automatically to the highest protection possible. Nobody else is able to read or modify these emails, so the attacker cannot change account numbers on invoices as mentioned already. Phishing is also eliminated because if somebody tried to fake an email from the company’s domain, even if the counterfeit email was perfect, it would not have the right keys and trust attached and would therefore automatically be flagged.

pEp has developed a way to provide “perfect forward secrecy” for email, which so far had only existed for chat. Perfect forward secrecy means that even if somebody gets a hold of the secret key, they cannot read previous communication. So perfect forward secrecy protects all your past communications and short-lived keys protect the future ones. That is only possible because the whole key management is fully automated, with keys changing every hour or every day. These two approaches combined reduce the attack window to the maximum and make it infinitely harder for hackers to mount an attack.

SD: What are the cyber threats people should be concerned about today?

LS: I think we still have a big challenge ahead because the threat landscape is getting worse by the day. Large, international companies are faced with lots of complexity, which makes it relatively easy for the attacker to penetrate, to steal data, and to listen to communications. CEO fraud, phishing, and spying on communications will continue to grow until e-mail can be secured decently. In addition to the mentioned cyber-crime, people also need to become concerned about the mass surveillance in place today. We will continue to live in a world where defense is quite challenging, and now corporations are faced with legislation like GDPR that will punish them if the protection of the users’ data is not top notch.

SD: How do you see cybersecurity developing in the next five years?

LS: In my opinion, in the next five years, the risks will increase. I think that hackers will be able to attack more as they can leverage new technology more easily than the defenders due to the legacy that they carry along, and so it will get worse before it gets better, unfortunately.

SD: How can pEp stay ahead of the game?

LS: We have hired ‘hackers’, the good guys who help us stay ahead of the curve. Most of the former GnuPG team has joined pEp, and we have very close associations with the famous hacker clubs here in Switzerland and the Free Software Foundation globally, both of which help us with the validation and development of pEp technology.

I think it is important that all the software that provides security and privacy today be open source because you can only prove that a software tool works if you publish the code. I think this requirement should be applied to anything that provides trust and security, from e-mail or file encryption down to e-voting tools.

pEp does that for all its software and even pays for external audits.

The ISOC is also sponsoring a project to make pEp a new internet standard via the IETF. Through collaborations like that and by being open-source, we make all possible efforts to ensure pEp keeps raising the bar for privacy.