Doomsday scenarios to keep you up at night: Mikko Hypponen talks cyberthreats

They call him Mr. Malware.

Finnish cyber security legend Mikko Hypponen was a major presence at the Black Hat conference in Las Vegas last week. The ponytailed Hypponen regaled 3,000 people in a massive conference hall at the Mandalay Bay on the evolution of malware, emerging cyber threats, and details on who the hackers are spreading maliciously devastating viruses around the globe.

Hyponnen is a researcher at security play F-Secure and lives in Helsinki. Friendly, approachable, and possessing one of the biggest mental repositories of malware on the planet, Hypponen sat down with VentureBeat and laid out his vision of possible nightmare scenarios, what Internet users really need to fear, and why the cyber threat from terrorists is, right now, nearly non-existent.

VentureBeat: You’re one of the best known Internet security experts on the planet. The Mick Jagger of cyber. How does this make you feel? 

Mikko Hypponen: Well, frankly, I’m visible and well known just because I’ve been in this business longer than most. That’s the main reason. I’ve been doing it forever. I’ve been working for the same company (F-Secure) since 1991. But, of course, if you spend so much time in one field, you get to learn a lot. I’ve seen this industry change from a very small cottage industry of startups to the multibillion industry that it is today. But that’s not the biggest change. The biggest change is the enemy. Back then, in the early 1990s, it was so simple. Kids and teenagers writing viruses for fun. They weren’t gaining anything from it. They were doing it because they could. Imagine how large the shift has been from that! First to criminal hackers, who have become this billion-dollar criminal industry. And now, over the last 10 years, it’s shifted into governmental activity, which we were sort of forecasting half-jokingly, like 15 years ago. You know, hey, governments would get involved and hack places and write viruses — ha ha. And that’s exactly what’s happening right now. It’s been a wild ride.

VentureBeat: When will we see cyberthreats actually progress into a global catastrophe where people die and entire nations go dark because grids have been destroyed and water supplies corrupted? 

Hypponen: The biggest hits will not be coming from criminal attackers. The criminal hackers aren’t interested in causing massive chaos because they make no money out of chaos. They like to lay low, keep their attacks profitable but invisible. Or as invisible as possible. So we don’t expect any major catastrophes from those. So who else do we have? We have hacktivists, and they do some pretty high-profile and destructive attacks against their targets. But they’re not targeting everybody. They pick their targets fairly carefully. Some organization makes them mad, and they’ll target them. But that’s unlikely to cause major chaos like you describe. So we’re left with the last group, which is governmental activity. But that won’t happen on its own. It would have to be part of some larger, real-world crisis. The Internet is a reflection of the real world. Like, today, any large phenomenon or crisis has a reflection on the Internet. We’re seeing that now in Ukraine. We saw it in Estonia in 2007. And in Georgia in 2009. This is the way it’s going to be from now on. When people speak about cyber warfare and cyber attacks, it’s part of war. I don’t expect to see cyber war on its own. It’s going to be part of a real-world crisis. Just like any other military domain. You rarely see air war, or space war, or sea war. Cyber is the new domain. If the U.S. ends up in a crisis or fight with an enemy that is capable enough in cyber, then we might see the real shit. And the closest thing I can imagine right now is Russia. They definitely have the capability. China, too. But they’re not very interested in using that capability against the United States for anything but espionage. They’re your No. 1 trading partner. You are not the No. 1 trading partner with Russia.

VentureBeat: How big of a cyberthreat is Russia?

Hypponen: Russia is probably No. 2 in the world, right behind you guys in terms of capability. It’s always been very well equipped with technology skills, lots of great minds, lots of great mathematicians, lots of great programmers. So that really shouldn’t be a surprise. In fact, it’s surprising how few globally successful software companies come out of Russia, considering how good they are in computers. Name a Russian program that you know by name? It’s a game. (I answer with Tetris). So you know one. And Kaspersky, a security company. And smaller vendors. It’s almost surprising how invisible Russia is in the software space.

VentureBeat: Eugene Kaspersky is reportedly a KGB trained cryptographer. American intelligence believe Kaspersky and the Russian security services are working together. 

Hypponen: I know Eugene Kaspersky personally. I’ve known him more than 15 years. My advice is don’t go drinking with Eugene, ’cause you’ll lose. He used to work for the Russian government. I have no information of them having concrete links to the Russian government today outside of any large Russian company having links to the Russian government. You can say exactly the same thing about any of the American companies here. Do they have links to the U.S. government? Of course they do.

VentureBeat: What gets you out of bed in the morning, and what keeps you up at night in terms of cyber’s potential to wreak devastation?

Hypponen: What gets me out of bed? I couldn’t imagine a more rewarding job to work in. I mean, I get to do what I love and geek out as much as I want. It’s always different. I haven’t had a boring day in 23 years. And, in this line of business, you actually get to help people. Which is remarkable. People come to us with problems they have no hope in hell to solve by themselves. Like, “My machine is infected with a low-level boot kit. Help me.” They would never be able to figure it out by themselves, because it’s become such a narrow field of expertise, and we’re able to help them get their files back, their operations rolling. It feels good. The best illustration of this is that during Christmas time we get Christmas cards from people and companies we’ve helped over the years. Which feels great. And the guys who wrote the malware? I don’t think they’re getting Christmas cards.

VentureBeat: Mikko, give me a hardcore cyber nightmare scenario. 

Hypponen: I’m not falling for that one. We actually do what we call nightmare scenarios. Typically, at conferences like this, or maybe specific antivirus conferences where we sit around drinking beer and come up with the worst scenarios. But the worst-case scenarios are typically so bad that we don’t really want to talk about them in public because that would just be giving ideas to the other side. There’s tons of things that could go horribly wrong. The obvious examples are in ICS vectoring controls. They’ve been a major cause of worry since Stuxnet. But Stuxnet really brought it home. The goddamn elevators in this building are being controlled by a box of this size (holds out his hands to mimic a shoe box) and runs 32-bit Linux, which is programmable. The basic idea of how they’ve always been protected is they don’t need protection, because they are not connected to anyone. And now, over the last decade, a surprisingly large amount of these networks that control these boxes have actually been connected to public networks. And they have no protections whatsoever. That worries me.

The thing that keeps us awake, not just figuratively, but concretely, is we are seeing elevators dropping and factories exploding all the time. The thing that prevents that is there are very few attackers who would be interested in doing that. Like, who actually is interested in causing destruction? It’s mostly in the realm of terrorists. And terrorists, despite all the hype, aren’t very good in cyber. And I base this on my research three years ago on a talk I did at the RSA conference, where I spent a few months investigating real-world terror groups and their online capabilities, skills, and how many hackers they have and went through their tools. And what I learned three years ago was the way these terror groups would use the Internet is like any other organization. They use it for communication, for recruitment; they use it for advertising and propaganda, if you will. And they have their own encryption tools and very slick propaganda. But it has nothing to do with their offensive capability, like blowing up factories or doing terror attacks on the Internet. I was able to find only a handful of terrorists who were hackers and were part of these groups, but just a handful. It was a such a small problem that my conclusion was we don’t have to be worried about this. Yet. But clearly, it’s not getting better. It’s getting worse. It’s really going to have to take a while before we have to worry about cyberterrorism.