After a password-sniffing attack at his university network, Tatu Ylönen designed the first version of the Secure Shell (SSH) protocol. 25 years later, more than 95% of the servers used to power the internet have SSH installed. The internet as we know is largely managed using SSH.
But how did this all happen? How did the protocol become a cornerstone of a safe internet, and what does a European Commissioner or a lego brick have to do with it?
A hacking incident was the mother of invention
“How can I use the internet safely? What can I do not to be afraid?” Tatu Ylönen, the founder of the cybersafety company SSH.COM, witnessed a hacking incident in the Finnish university network, and that made him wonder. It was 1995, and the internet was becoming more and more crucial part of every organization’s operations, but there still was not a way to use it securely.
“I was a university researcher at the time, and I didn’t know anything about cryptography. But I read a book about it, had some conversations with friends and in three months, I came up with a program called SSH.”
Ylönen published SSH as open source in the summer of 1995 to fill a significant void in cryptography. With SSH, it was possible to operate network services securely over an unsecured network by building a channel over it. That was a long-awaited solution not only to password sniffing but some other major cybersecurity issues as well, but not everyone was happy about it. “I was quite nervous. I knew I was stepping on the toes of some important people. What if they wanted to put me aside one way or another?”
At the time, there was a large debate about cryptography overall. The US was heavily lobbying for restraining encryption in Europe for cyberwarfare reasons. “I didn’t think that one party having all the information and an ability to wipe out systems was a good idea – sooner or later the system would have been abused. In other words, I had major political motivations for publishing SSH as freeware.”
“Luckily, it took only two weeks and the protocol had gained such popularity, there was no sense in wiping me out anymore” Ylönen laughs. “I started getting around 150 emails a day. Even huge organizations, such as the University of California, were asking for my help to implement SSH.”
The protocol became surprisingly widespread for a reason: it was easy to use and did not need a centralized infrastructure to work. Funnily enough, it also didn’t need passwords. Still, there were a lot of organizations that were approaching Ylönen commercial applications in mind. Consequently, Ylönen founded SSH Communications Security Corp 31st of December in 1995.
"First came the protocol, then the company. The rest is history.”
“It took off virally, absolutely virally”, says Sam Curry, the Chief Security Officer for Cyber Reason, a cybersecurity pioneer, and a board member of SSH.COM. “SSH filled a crucial niche at a time when no one else had anything. The ability for people with hard jobs to create trusted links on demand easily and without having to go to anybody else for approval… No wonder the company has almost an unfair authority when discussing the protocol.”
SSH.COM had some large-scale customers since the very beginning, from universities to corporations. Regardless of the success, the first years of the company were challenging, to put it mildly. “I made some bad contracts at the time”, Ylönen says. “I had a lot to learn.”
In the third year the CEO resigned, presuming that the company would be filing for bankruptcy in three months. “I had all my savings in the company and hadn’t been paying myself in three years, even though I was working all the time. When the CEO resigned, I was about to give up.”
Instead, Ylönen decided to roll up his sleeves and occupy the CEO position. “I started calling for potential customers, and we got companies such as Sun Microsystems, Nokia and Ericsson. We grew 350 percent that year.”
For commercial applications of SSH, the company had developed Tectia. It enabled secure high-speed file transfer and remote access, and quickly became the established market leader for enterprise SSH that it still is today, after 25 years of its first implementations.
Tectia formed a major part of SSH’s business and attracted new customers, enabling SSH.COM to grow together with its customers. Due to Tectia’s success, the company decided to open an office in the US, since most of its customers were based in Silicon Valley. Ylönen was traveling between the two countries nonstop.
“In order to make the US office profitable, we had to use every possible means to gain new customers. One time I took a 10 people team to a giant tech fair. 100 companies had a stand there – we certainly were not big enough to be one of them. We split into teams and started chatting with the marketing and tech managers of those companies. And that is how we got a lot of important clients, even though we didn’t even have our own stand there.”
For the first five years, SSH.COM approximately doubled in size every year. It was the time of the tech bubble. Suvi Lampila, a long-term employee and current Senior Technical Services Engineer of SSH.COM, started her career with the company when the times were crazy.
“When I started in 2001, we had to arrange training for new employees every two weeks. People had to gain new skills continuously, and occupy different roles. That was my fortune – I started with an intranet project as a non-technical novice but soon became a web master. As well as many others like me, I really got to go off the deep end with SSH.COM.”
When the tech bubble burst, SSH.COM had to focus its operations. Yet, it had built a firm foundation for the future. Even so, the company and Ylönen himself had become a trusted authority in cybersecurity. “When the European Union was making decisions on encryption, European Commissioner Erkki Liikanen dropped by our office just two hours before the release of the decision. We discussed the importance of cryptography, and what it would mean to Europe not to be able to use encryption. Thankfully, the decision was fair – I guess Liikanen had done his homework.”
Towards the end of 1995, the SSH user base was 20,000 users in fifty countries. By 2000, there were approximately 2,000,000 users of the protocol, SSH.COM being the most trusted SSH partner.