Cyber Crime Unicorns, Hypponen's Law and More with Mikko Hypponen
Joining the podcast this week is Mikko Hypponen, Chief Research Officer at WithSecure. He breaks down the rise and fall of cybercrime unicorns, the effectiveness of unicorn hunting season and bounties, the impact of nations fighting back in today’s cyber war, Ukraine’s preparedness for Russian cyber war, cryptocurrency's future, and how he came up with Hypponen’s Law.
And be sure to keep an eye out for his upcoming book from Wiley later this summer, “If It’s Smart, It’s Vulnerable”!
[00:55] Introducing Our Guest, Mikko Hypponen
Rachael: We're having a great time in RSA. It's great to be back in person with everyone and we get to have this week's podcast in person with our guest, Mikko Hypponen.
You're at RSA this week, Mikko. What are you going to be talking about? Because in doing research on you, you've been talking about a lot of really, really interesting topics. There's Russia. There's cyber criminal unicorn gangs and all of the above. What are the topics for you this week?
Mikko Hypponen: Yes. Well, considering that I do live in Helsinki, which is three hours away from Russia. It's hard to ignore Russia. It's hard to ignore the war in Europe. I'll tell you, I really could have used a holiday between a global pandemic and war in Europe, but we didn't get one. But for the last three months, pretty much the only research I've been doing has been about Ukraine and attacks from Russia against Ukraine, Russia against the rest of the world, Russia from Belarus against Ukraine. And then of course the retaliation from Ukraine itself and from the rest of the world, who's standing with Ukraine and launching their attacks against Russia.
Eric: Most of the rest of the world.
Mikko: Yes, that's right. But I always try to also emphasize the fact that cyber is important in Ukraine war, but it's not the most important thing. The real tragedies and the real deaths are happening in the real world.
Rachael: So I have a question since you're so close to it, why aren't we seeing more from the cyber war perspective from Russia? I think all of us expected electrical grids to go down, just massive outages and we're not really seeing that. Why is that?
Why We’re Not Seeing More From the Russia-Ukraine Cyber War According to Mikko Hypponen
Mikko: We have seen some things and the rest of the things we haven't seen, not because Russia wouldn't have tried, they have tried. The real explanation from my perspective is that Ukraine has been defending itself and this by the way, applies both to real-world attacks, as well as online attacks. Ukraine has been defending it surprisingly well on both sides.
Especially in the online world, I would claim that Ukraine is the best country in Europe to defend its networks against governmental attacks from Russia. The reason why is really simple, they've been doing it for eight years. So they've been doing it over and over again.
And especially during this conflict, they've been highly efficient in pinpointing and deflecting the attacks and they're not doing it alone. This is the first time ever where we really see Western companies participating in active war and participating in defending against governmental attacks from foreign nations.
Eric: Mikko, are they better than the Baltic states?
Mikko: Oh yes. Better than the Baltic states. I work closely with Estonia, Latvia, and Lithuania in multiple companies, enterprises, and governments. They're good. Especially Estonia is really impressive. They are the highest-tech nation that I really know of because they started from scratch. They have no legacy systems and their leaders, including their presidents have been very tech-savvy all throughout their history. But when you compare it to Ukraine ever since 2015, they've been bombarded over and over again with Russian attacks. And they've been slowly but surely learning how to handle them better than anyone else.
Ukraine Being a Test Kitchen
Rachael: I was just going to make a comment about Nicole Perlroth's book, Eric, where she basically talked about Ukraine being a test kitchen for Russian cyber activities. So it seems like they're very well-positioned to know how to thwart this enemy. I'd be interested if they had other perspectives for other nations as well.
Mikko Hypponen: Yes. And it's interesting to note that the most high-profile attacks that we've seen in Ukraine, including the NotPetya, including the Prykarpattyaoblenergo attacks, which were the attacks which cut electricity twice in Ukraine. We've seen similar attacks now over the last three months, which have not succeeded.
So for example, they've deployed a number of wipers, some of which did do damage, but most of them did not. They were detected and neutralized in time and they have tried cutting power. Russians have tried cutting power again in Ukraine and failed. So it's great examples on how the cyber part of this war has been waged so far.
When we look at the other attacks, it's especially interesting to see how many attacks Russia itself has suffered not from Ukraine. But from civilians from outside of Ukraine who just want to participate and support Ukraine with their attacks. And the fog of the cyber war makes it a little bit hard to see which of the attacks are real and which of them are fake.
But clearly there's been tons of activity in data leaks, which will mostly make it easier to sanction Russia better. When we have access to their biggest regulators' email history and the Bank of Russia's email history and documents, we can easily see where they were moving their money in the first days of the war. And which means we can sanction them better.
The Logical Explanation of Mikko Hypponen Regarding Nakasone’s Claim
Eric: Yes. So Mikko, over the last week or so, we've seen some indications from General Nakasone from NSA and Cyber Command, talking about U.S. operations, offensive operations in the AOR. Are you seeing anything from that perspective?
Mikko: There's this great fog of cyber war, which makes it also more complicated to see who's doing what. In fact, the fact that there are so many civilians and movements like Anonymous and dozens of similar organizations doing operations against Russia. That actually opens up opportunities for nation-states to participate. What I mean by that, they can deny or claim attacks that they did or did not do to be their own. The complications in the visibility in the cyber battlefield open up those kinds of opportunities.
So in that light, why would Nakasone claim credit for offensive attacks against Russia? The only logical explanation would be that they want to define the borders or to define the thresholds that it's okay during conflict for governments to use power in cyber without the risk of escalating it into retaliation in the real world.
USA tries to fight escalation in this war at any cost. They clearly don't want to go either by themselves or NATO as all altogether to go against Russia, which would be a bad outcome for everybody. But they clearly want to participate and get as close as they can without escalating it further. And I think this talk about cyber attacks against Russia from NSA are part of defining the borders for that.
Eric: Yes. And I want to be very clear that the commentary I'm mentioning is coming from a Sky News report out of the UK where he said that they are conducting offensive operations in support of Ukraine.
[08:44] Why Cyber Is Valuable to Government According to Mikko Hypponen
Eric: I'm not saying he's attacking Russia. I don't think he's saying they're attacking Russia. But they're conducting a series of operations in response to Russia's invasion of Ukraine. So I don't know how we interpret that, but I just wanted to be clear on that distinction there.
Mikko Hypponen: I did see the word offensive used in the reporting repeatedly. So it does sound like NSA would be using offensive power against Russian targets. But of course it's left unambiguous on purpose, but this is the dance between the lines.
Eric: Or it could be Russian targets in Ukraine or something.
Mikko: Yes. It's unlikely we'll learn the details of this ever or maybe in 10 or 15 years. We'll see.
Eric: Attribution's so tough. It's hard.
Mikko: Well, the reason why cyber weapons are so valuable to governments and to militaries is indeed the fact that they are effective. They're affordable and they are deniable. You can do false flag operations, you can frame your attacks to look like it's someone else, or you can simply keep denying. We all know who wrote Stuxnet 15 years ago, 14 years ago yet I still can't prove it. And that's the perfect example of the deniability of cyber weapons.
Eric: Well, and that takes me into a comment from I think it was one of your TED Talks a while back. But you said something to the effect of a person is more likely to be impacted by crime online than in the real world at this point in our development of society. Could you articulate or amplify that a little bit?
TED Talks with Mikko Hypponen
Mikko: Yes. It's quite remarkable that the internet revolution has changed the world in so many ways. It's the best thing which has happened during our lifetime and the worst thing which has happened during our lifetime. While I was writing my book, I checked the stats for bank robberies in Finland, my home country of Finland with 5 million people. In 1992, we had 144 bank robberies in a year.
So twice a week, a bank was robbed with guns somewhere in Finland. Someone goes into a bank and steals cash. Well, the last time we had a bank robbery was 12 years ago. They don't happen anymore because we don't have banks or the banks we have don't have cash. But what we do have is online bank robberies with credit card skimming or online banking Trojans, or hacking into cryptocurrency wallets.
So everything has gone digital. And the fact is that if you become a victim of a crime nowadays, it is more likely that it's something happening online than here in the real world. Although the crime reporting doesn't actually support this. We do call the cops when our bicycle is stolen, but we don't call the cops when our password is stolen.
Rachael: That's a good point. Why is that?
Eric: Or our crypto wallet or whatever.
Mikko Hypponen: If your bicycle is stolen or someone burgles your summer cottage, you actually have to call the cops because you need a cop report to file for the insurance. Then when you get hit by an online crime, you know that they're not going to find anyone. Or even if they find someone, he's in a far away country, different legislation, small crime, nothing's going to happen.
An Interesting Point of View of Mikko Hypponen on Why We Need to Call the Cops for Cyber Crimes
Mikko: Now, this actually is a problem because law enforcement agencies around the world are defining their next year's resourcing and budgets based on crime stats. And cyber crime doesn't seem to be a very big crime or a very big problem because people are not reporting it.
I always tell people to call the cops. I always tell enterprises, companies, public sector, as well as home users, when they become victims, you should file a police report if for nothing else, for the statistics.
Rachael: Wow. I didn't even think about that, Eric. That causes me pause.
Eric: And why?
Rachael: Well, because it's so true. When you think about everything in government, you're very close to government. Police departments, everything is budget based on this is where we're seeing the highest trends in crime upticks. So let's put all the resources here to address that. So if we are just assuming that all of these cyber crimes were dealt with at the federal level-ish. My mom's credit card gets hacked about every other month. And so she's constantly having to chase that. But she's not calling the cops.
Eric: But the risk.
Eric: Right. The risk to the crime is covered by the bank in the States at least. I think it's $50 maximum penalty on a credit card, as long as you report it to the bank. So they build that risk in. I would argue that society is still paying the cost. It's just in a different way. I would also argue that we recognize cyber crime is growing and it is being resourced. I don't think we're doing it effectively.
Cyber Crime Unicorns
Eric: We're spending trillions of dollars on cybersecurity at this point. It's just not effective. So Mikko, I'm in full agreement with you. People don't report it, but the average individual and I'll speak to the States for a minute.
Mikko: I believe the biggest failure we have right here is the fact that we are not catching online criminals better. We're not prosecuting them better. We're not putting them behind the bars better. It's not just that we would be able to defend ourselves better or recover from losses or fix hacked systems.
What we really should be doing is emphasizing the part of law enforcement to find the criminals, do the international cooperation, get them prosecuted, get them into jail. Not only to prove that crime pays, but also to show potential newcomers into the field that you will be caught for online crimes as well.
That's where we are failing the hardest.
Rachael: They don't. There's zero prosecution. How many of the largest? We've named a few names, but nobody's gone to jail. Have they?
Mikko: Right. Well, there's been some. Actually, there was a little period of time from last October to February this year where I was really hopeful of this changing. I came up with this term cyber crime unicorn five years ago to define the wealthiest online cyber crime gangs today. Examples of cyber crime unicorns would be gangs like REvil or Conti or Koening or LockBit. Some of the largest online crime gangs, which are wealthy partially because they make so much money. Partially because they've held their wealth in Bitcoin, which has increased a hundredfold in five years.
Cyber Crime Unicorn Hunting Season
Mikko Hypponen: Now, last summer with the JBS and Colonial Pipeline attacks and all these other big ransomware cases, the attitudes really started to change. And that was highlighted by the $10 million bounty offered by the U.S. State Department for catching ransomware gangs. That really started what I started calling the cyber crime unicorn hunting season.
So for a couple of months, for half a year or so, we started seeing more arrests than ever before in countries that typically did not arrest cyber criminals as well as we wished they would. This includes Russia, Belarus, Czech Republic, Romania, Georgia, and Ukraine. It looked really good until February 24th, when the war started. Then suddenly Russian law enforcement lost all interest in catching Russian online criminals. Most of which are now cooperating with Russian government to support their homeland. So we had a good start, but it's not going to return anytime soon.
Rachael: I'm always looking for a silver lining, Mikko. And so I would hope in the future, if we start to see some of these positive movements forward. If money is what talks in catching these criminals. I think to your point, that's the only way we're going to turn the tide. This is truly big business. They have HR departments in these companies. They're like mega-corporations.
Mikko: They have lawyers, they have business analysts, they have their own data centers. They have their own offices, they pay monthly salaries. So these biggest gangs have really become organized crime gangs. Just in the same way as we think about traditional real-world organized crime gangs and they are powerful and they are wealthy and this is a real problem.
Why Money Reward Programs Work According to Mikko Hypponen
Rachael: Yes. It's very much the evolution, that’s where we're going.
Eric: So what do we do?
Mikko: Well, the thing about these money rewards, I think the U.S. State Department's rewards for justice program, which was created to hunt terrorists, which is the same program they now use to hunt Russian cyber criminals. The power of these programs is not just offering money for information leading to arrest of criminals. It's the fact that these kinds of rewards start eating these crime gangs from within. Think about it.
Think about the scenario that you're a member of a crime gang like this, you have your friend and you are in a crime gang and you read the news. The U.S. State Department is offering $10 million for arrest or for information leading to our arrest. Meaning that if I would rat my friends, all my friends would go to jail, but I wouldn't. I would get immunity. And I would get $10 million. Then you realize that holy hell, all my friends have read the news as well, that I should move before they move. This is exactly what makes these programs work. And this is why we got so much luck and so much success in the cyber crime unicorn hunting season, which sadly now seems to be over at least for a while.
Rachael: That's disappointing. You mentioned LockBit. LockBit's been in the news a lot lately, especially this week with RSA going on and the discussion with Mandiant.
Mikko: Oh yes. I saw that on LockBit's store site. And I don't believe it's real. I think it's quite obvious they're trolling Mandiant.
An Online Zero Hit Story From Mikko Hypponen
Mikko: For the record, I don't believe that Google or Mandiant has been hacked by anyone, but they have powerful enemies, of course. I've been targeted by similar trolling by online crime gangs in the past as well. It just comes with the territory and it is painful and nasty, but it happens. We had an episode long time ago where a news website was hacked and posted fake news about me and Brian Krebs running an online credit card crime syndicate. And that news hit the wires and was distributed in completely unrelated news sites, some of which probably still carry the news today. So when you work in this industry, it comes with some baggage.
Rachael: That's what I've heard. We've had a CISO come here to the company before, and he has no online presence. Because he had that happen to him and he absolutely refused to put his photo online. He would never talk to media. He was just like, "Go away."
Mikko: My favorite example is that I've been working many times with an investigator who works for Microsoft who's an ex-law enforcement officer. When you Google for his name, you get zero hits. That is impossible to do, but he has.
Eric: How do you hide yourself?
Mikko: I don't know, but he has that. And it's spooky because nobody gets zero hits, but he does.
Eric: So Mikko, you have a new book coming out.
[20:25] If It's Smart, It's Vulnerable, Written by Mikko Hypponen
Mikko: Well, ever since 2011, I've been working on a book project and it's been going nowhere. Because I've been clocking 140 flights a year for the last 10 years, which is not healthy or good for the environment, but I've been doing it anyways. I've been compensating my CO2 load for the planet though for the record. But nevertheless, now that the pandemic started, then I had no excuses not to finish the book. So I did. I'm really glad I was able to finally get it done. And it's coming out from Wiley in August.
I'll actually be releasing it in Black Hat this year. And that should be good. The book is titled, If It's Smart, It's Vulnerable. It's a collection of my thoughts on how did we end up where we are today and where are we going to go next? I go through the digital revolution around us and why it is the best thing and the worst thing which has happened during our time.
Rachael: So where are we going next? Can you give us any spoilers?
Mikko: Yes, sure. That's actually really easy. The easiest question is where we're going to go in the future because that's obvious. The near future is hard to tell. Far future is obvious. Look at how computers have evolved over the last decades. They've been getting faster and faster, more memory, more processing power, more bandwidth, and cheaper and cheaper. We're all carrying super computers in our pockets right now. So let's continue that development. Where does it take us? It takes us into a world where computing is limitless. Everybody has access to computers with unlimited power, unlimited storage, unlimited bandwidth, and they're free. That's the direction.
What Mikko Hypponen Sees Happening in the Future
Mikko: Now don't take me literally. It's not going to be literally unlimited. It's not literally free, but very powerful and very cheap, which is a really empowering thought. Because for those of us who are developers and who build things, imagine that you are given the most powerful AWS instance with no restrictions and you're paying one cent a month. What would you build? There would be no restrictions. And that's a really exciting thought and that's the world where we're headed to. So it's going to be good.
Rachael: Wow. I know you have thoughts on quantum, everyone's talking about quantum coming up. Are we worried about quantum at all in this future?
Mikko: I'm not worried about quantum at all.
Eric: Is it June 3rd or not?
Mikko: It's one of those things, which is always around the corner. And I do know that we are living right now in the age where there's faster developments in quantum systems than ever before. But you could say exactly the same things about AI. The first time I read about quantum computing and AI systems was in the 1980s. So 40 years ago, and we're still waiting for the big revolution. It's not going to happen anytime soon.
Current encryption systems can be broken by quantum computers, but it's not going to happen today or next year, or the year after that. And we are building quantum-safe algorithms already. I'm confident that they will be deployed widely before we actually need any concrete quantum-proof algorithms. And by the way, we already have. People are already using quantum-proof algorithms. Maybe the best-known example is Bitcoin.
Mikko: Bitcoin is quantum-proof. If you use a new address for every transaction, it can't be broken with any quantum mechanism that we know of. So once again, Satoshi Nakamoto, the great genius of our time.
Rachael: Ah, it's fascinating about the cryptocurrency.
Eric: But do you have to go back and re-encrypt everything with a quantum-safe algorithm? I can't see the U.S. government doing that. And I can't see the average citizen doing that. I can't even see a lot of commercial organizations going back and saying, "Okay, we're going to re-encrypt everything we had that was created or stored or accessed by this application that you paid us to use, or that you're using through us."
Mikko: Well, in theory, you do. In practice, you don't. I'm assuming quantum computers aren't going to break any of the algorithms we use today any time soon. So if it happens in 20 years or 30 years or 40 years, we've been using quantum-proof algorithms already for decades by that time. And yes, data is readable and accessible forever, but most data isn't important or confidential anymore. I recently found an old backup of our email server from 1993 and I restored it and I was looking at the data and I realized that none of this information is secret anymore.
Discussions about products and how do we price them and selling them to the customers in 1993. Those were really big secrets at the time. But now it's just historical fact. We could basically publish those emails online and there would be no secret left in them.
[25:39] Digital Currency
Mikko: So most data isn't that important after 20 years or so. There's some exceptions like medical data. But most data isn't. So I don't think we have to go back and re-encrypt information just because of quantum computing except in most extreme situations.
Rachael: So I have a question too. Getting to Eric is on cryptocurrency though. This whole idea of banks are vulnerable. As banks go all digital, is cryptocurrency truly our future? Look at mainstream monetary value. Is this something that we should be looking at the next 20 years of, "Hey, start diversifying now." Because when we look at if computing is going to accelerate at such a speed, which we know it is. Then quantum computing is coming at whatever point in time. It seems like there's a natural movement forward that we need to have more secure currency than what we have today.
Mikko: Right. Well, we have two types of currency on the planet. We have currency based on nothing or currencies based on math. Then Dollars and Euros are based on nothing. Or if they're based on something, they're based on politics. That's the only thing they're based on.
With that said, I'm confident that in 30, 40 years we'll still be using Dollars and Euros to buy our coffee. However, when computers transact with other computers, why would they be using Dollars or Euros? And that's going to grow exponentially. Just simple example of computer system needs storage, and it buys it from another computer, which is providing cloud storage services through APIs. Why would those transact in human currency? Obviously, they will be using digital currency.
Mikko Hypponen’s Guide in Distinguishing Major Innovations
Mikko: So there is a revolution going on, but I don't think it's going to change the way we pay, the way humans pay for everyday things. It might happen one day, but that's going to be a much longer discussion. But programmable money is a good idea and it will change the world and blockchain is one of those innovations. It's such an obvious innovation once it was invented.
If you explained blockchain to someone, it's just a list of transactions, which is forever unchangeable and forever public, that's it. Sounds like a pretty obvious thing and yes, it's pretty obvious now, but it wasn't obvious until it was invented. And that's how you can tell that it's a major innovation. Once you invent it, it's obvious.
Rachael: I do have this theory though, that everybody has that idea, that million-dollar idea. It's just making the time to have the head space. To think about it, write it down and then flesh it out. But it's so many great ideas. I imagine you've got a lot of great ideas.
Mikko: Well, yes. And a lot of bad ideas as well. Funny thing is that I've been in the industry so long there's tons of things which are so obvious in hindsight, but which weren't so easy choices to make back then. So for example, around 1995, when Netscape the brand new browser introduced SSL, we had encryption on the web and to do encryption, you needed certificates. And we were considering that might be a good business. We're a Finnish company, we're pretty trustworthy.
Seeing the Opportunity and Passing on It
Mikko: The least corrupted country in the world. Maybe we could make a business selling certificates and we reviewed the idea and considered it and then we decided against it. "No, no. We're not going to do that." And we didn't. Two years later, a company from South Africa called Thawte started selling certificates from Africa, which is not the most obvious place to do this. The guy, Mark Shuttleworth sold his company to Verisign for $2 billion five years later and used the money to start Ubuntu, which you might know.
I was wondering, maybe that's what we should have done. But then again, no regrets. We didn't miss that opportunity. We saw the opportunity and actively decided not to pursue that opportunity. So no bad feelings.
Eric: Rachael, which is worse? Not seeing the opportunity or seeing it and passing on it.
Rachael: I think seeing it and passing on it is the way to go because then you trust your instincts too. Your instincts are right. But it wasn't the thing for you at that time.
Mikko: Yes. I agree.
Rachael: Okay. So what are you most excited about? After being in this industry 30 years, a lot of cynicism creeps in over time in everything you've seen. But in your lifetime while you're still on this planet, what is the one thing that you are most excited about before you pass on to whatever the other realm is?
Mikko: When I was a small boy, whenever adults would ask me, "Mikko, what are you going to do when you grow up?" I would always tell them that I'm going to be a doctor.
Cybersecurity Industry Is a Business
Mikko: Mikko, why do you want to be a doctor? Because I want to help people. Then a little bit later, I realized that if I see blood, I don't feel well and you can't become a doctor if you can't look at blood. So I didn't. But I did become a virus doctor or something like that. There's something in my everyday work, which still has part of what I had in mind as a kid. I want to use my expertise, my experience, my skills to help people. And not just me personally, but that's what we do in cybersecurity industry. People come to us asking for help, help us, help me. We are under attack. Can you help me? And it feels good when we can help them. And of course this is a business.
Cybersecurity industry is a business and it's making a profit out of it but it's a little bit more than that. It's also the fact that people who could be working in any field in IT choose to work in security because they know they can make a difference and they know they can help other people. And that's what I'm excited about.
Rachael: That's what I love about the security community. It's really tight and it's hard and it's not for everyone. No matter how hard it is and you're fighting this endless adversary, that's seemingly unconquerable. But when you do have those wins, it's immensely satisfying and you see that translate to your community, to society as a whole.
Rachael: Mikko, thank you so much for joining us today. Well everyone, until next time, be sure to smash that subscription button as always. Get a fresh email with a fresh new episode right to your inbox.