By Dr. Paul Vixie
The company is now 16 months old, and we've finally got enough people to manage our growth rather than just coping with our growth. As of today, we have a company blogging platform, and all indications are that we'll have a lot to say. Here, in this inaugural article, I will try to set the stage.
On July 1 2013, I changed my day job from Internet Systems Consortium (ISC), a non-profit company I'd founded 18 years earlier, to Farsight Security (FSI), a company I'd founded six months earlier. This was a friendly separation – ISC was ready to go its own way, away from me; and I was ready to go my own way, away from it. FSI was a “management buyout” of some ISC assets related to Internet security, those being the Security Information Exchange (SIE), and the Passive DNS Database (DNSDB). I've always loved the digital security field, and that’s why, as ISC's founder and CEO, I got us into the Internet security business back in 2007. However, Internet security is a capital-intensive business, and when I hit some growth limits, I knew it was time to find some external investors and move the SIE and DNSDB businesses outside the non-profit company they were born in.
Was this management buy-out a ripoff? Many people have told me that they've heard others say so. It looks bad whenever something the community had a large hand in helping to get started, becomes the property of shareholders. In fact, the Internal Revenue Service (IRS) takes a dim view of non-profit assets being rented, sold, or otherwise transferred to one of that non-profit's controlling parties (such as a founder, board member, or chief executive, of which I was all three.) Normally in the United States you're innocent until proven guilty, but in the case where non-profit assets are sold to the non-profit's founder, that’s reversed. The IRS presumes wrongdoing unless you can pass some number of hard tests. We passed those tests – there was no wrongdoing here. Principally, we overpaid for the asset. My own outside auditors, both before the MBO and at the end of FSI's first tax year, say that FSI paid ISC more than twice the present value of the SIE and DNSDB assets, including the intellectual property, right to negotiate with ISC staff dedicated to the Security business unit, existing contracts, and capital plant.
FSI's investors weren't happy about my willingness to pay more than the book value of the asset, but they went along, and the results have been happy so far. Had I left ISC to pursue Internet security work, I believe that SIE and DNSDB would have imploded behind me. At FSI, we began with five people on July 1 2013 and we have more than 20 now – all funded by revenue growth, we're not spending investment capital on payroll at the moment. We've added products like the Newly Observed Domain (NOD) service, we've more than tripled the volume of data we carry in SIE, we've normalized our data center operations and added redundancy and monitoring – none of which would have been possible had these technologies and I remained in a non-profit company.
The obvious question is, why does it matter to the community whether SIE continues to grow, or whether the commercial company who owns and operates SIE continues to build shareholder value? And why does the community care whether ISC was well paid for these assets – if these assets can now be used competitively against other commercial members of the Internet security community? To those questions, I have a 500,000 word answer, which I’m going to try to distill down to a couple of paragraphs.
First, ISC has a mission (open source software, operations, and protocol development in support of Internet infrastructure), and the Internet security assets they sold to FSI were pretty far out from that – a form of mission creep, made possible only because ISC’s founder had a personal interest in working in this area. ISC's actual mission is extremely important to the community, and the money they got from selling their Internet security assets to FSI is being used to further that actual mission. ISC was dependent on its founder's name, reputation, and rolodex to keep their Internet security assets viable, and their founder was on his way out of ISC no matter whether he bought these assets or not.
Second, the Internet security community has benefited from the existence of SIE, since it contains the largest telemetry network in the industry. We have more sensors sending more data to more channels than any of the in-house networks I know of – today we see peaks of 650Mbit/sec on our DNS channel alone, and we're going to have to shift our infrastructure from GigE to 10GigE before we can launch the next major campaign for adding new sensor operators. All of our raw data, as well as all of our filtered and value-added and reprocessed data, is available to any trusted and vetted Internet security company or researcher. Usually there's a commercial contract governing this availability, but we also have a large and growing collection of unfunded academic or personal researchers, who often pay nothing for their access to our services.
And here's the capstone: ISC also charged commercial entities and gave away service to unfunded researchers. We've refined and extended that model, but we know that our sensor operators are counting on us to make their data available to (a) anyone who can do good with it, (b) as long as we're sure the researcher isn't a criminal or spammer, (c) at non-discriminatory rates for commercial use even use by our direct competitors, and (d) at give-away prices to do-gooders who aren't paid for whatever work they do that requires our services. At FSI, we are doing the same kind of good for the world and for the Internet security industry as ISC did, but we're doing more of it, and better, because we have access to capital and are entirely focused on this business and because our success requires radical growth.
Let me sing this in a different key. What FSI does (that ISC also did) is hard work. There's a lot of open source software to gather and share and carry and process telemetry; there are three data centers with many GBits/sec of connectivity and many kilowatts of power; there's a lot of equipment with the associated pain of high availability, depreciation, and upgrades; there's a business and legal team to make sure we have contracts and payments that limit everybody's liability and keep the bills paid; the list goes on. If some non-profit company could build a network like SIE and all the value-added services that ride on top of SIE, that company would have been ISC, and it was. I think that the ISC Security team did this as well as any non-profit company could do it, and I’m here to tell you, it wasn't sustainable – not just that it couldn't grow in that form, it couldn’t even go on living in that form.
It's my view that society enables teams of investors and employees to band together under a single umbrella called a "corporation" in exchange for the value that corporation will bring to society, either by focusing investment on relevant products and services, or by employing people, or by giving investors something to invest in, or by ensuring continuity of products and services valued by customers. I am a capitalist and I have made money starting companies and I expect to make money from starting FSI. But I am not a rapacious or crony capitalist – I made money by creating wealth through new ideas and new ways of doing things and better ways of doing things. It's not enough to simply capture revenue, we have to be exothermic, generating more energy than we consume. Every one of my companies, whether commercial or non-profit, has done exactly that. FSI is doing exactly that.
So, in March of 2014 I was inducted into the Internet Hall of Fame, largely due to my work on DNS, Internet infrastructure, and Internet security. My acceptance speech was short and jet-lagged but it's online and easily found. One of the things I would have said if my body clock had been on Hong Kong time rather than California time is, I live by the backpacker's credo: "leave it cleaner than you found it." That's difficult in the case of the world, since the Internet has created almost as much new risk as it has created new value – we are all less safe from criminals and from surveillance now that all of our personal information is Connected, than we were before the Internet when a criminal and a victim had to be physically co-located in order for most personal crimes to take place. As one of the people who did my small bit to make the Internet exist and grow, that risk-to-benefit result is on my account, it's a burden that I feel personally every day. I knew in 2012 that I had to leave ISC to pursue Internet security as a singular passion, and that my next company would be focused on making the world safer, even while creating wealth for its customers and its shareholders. I chose to try to buy the ISC Security assets as a way to both make them sustainable, keep the team and customers together, and get a hot start on my next venture.
I've now seen several new security companies incorporated, funded, and then made viable based only on the data they bought from SIE. Those companies are making the world safer just by investing in the Internet security field and offering new products and services. That was the intended result of FSI, and I am prideful whenever I see it happening. It's far easier to get the data that a security analytics company needs to reach first revenue by buying that data from us, than by setting up a competing network. And what's more, a large number of proprietary competing telemetry networks ultimately end up helping the bad guys way more than they help our customers or our shareholders. A bad guy would much rather have his actions observed by one company than by an entire industry. So, there are several methods to the apparent madness of making FSI's telemetry data available, on commercial terms, to FSI's competitors. We'll be happy to compete on the basis of what we can do with all that data, and we won't be trying to compete on the basis of us having better access to more data. Because we're here to solve a problem and create wealth, not just to capture revenue.
One final topic for today's inaugural blog post: where did the name Farsight Security come from? I read it in a book by Dave Duncan, whose "Man of His Word" and "Handful of Men" series rank very high on my all-time list, somewhere below Zelazny's original Amber series but in the same order of magnitude. The word "Farsight" is not in the dictionary, but the word "Farsighted" is. As near as I can tell, when Duncan was inventing the magic for the "Man of His Word" series, he needed a name for the power of knowing what was going on without being able to directly observe it, and he happened on this word. FSI's powers are not quite magical (yet), but we and our customers know more about what's going on, in real time (via SIE) and through database lookups (in DNSDB), all over the Internet, than anybody else whose methods I've been able to study. (So, the NSA might have better data than we do, but they're not talking.) Farsight is turning out to be an even better name for this company than I expected.
Dr. Paul Vixie, CEO Farsight Security, Inc.