Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the episode Joe Carson, and it's a pleasure to be here with you, and we're always looking to really bring interesting, fun topics with amazing guests. And throughout the years of the episode, we've had some awesome guests and this is one that I've been waiting for a long time because I always enjoy the conversation, I always enjoy the intellect, and I always enjoy some of his ideas. So welcome to the show, Mikko. Mikko, if you can give the audience a little bit, most people know who you are, but just give us a bit of a background about yourself, some fun facts, and can I hear some of your insights.
Mikko Hypponen:
Well, first of all, thank you for having me. It's a pleasure to be here. So for the listeners, my name is Mikko. I'm an old school hacker, programmer, rivers engineer. Nowadays, a public speaker and writer. I've been working in the industry forever, started programming as a teenager. I sold my first commercial programs when I was 17 years old. Rivers engineered my first malware when I was 21. And those of you watching the video, some of you know that I always carry one of the 5.25 inch floppy disks in my pocket just to remind myself of where I'm coming from like I do right now. And that actually the floppy I have in my pocket right now is actually infected with an early virus.
Joseph Carson:
Did you hope to get a custom suit for that to fit?
Mikko Hypponen:
Fun fact, I actually asked my tailor to make my pockets big enough to fit a 5.25 inch floppy disk. So yes, the answer is yes, that's true. But nowadays, I'm a cybersecurity expert and when youngsters or students ask me that, "Hey, Mikko, how do you become an expert?" My answer is always the same. "You pick a field, then you work in the field forever and eventually everybody will believe that you must be an expert because you've been doing it forever."
And that's what I've been doing. I've worked through the largest malware outbreaks in history. I remember fighting the early food sector virus episodes as these were spreading around the world like the Stoned and the Michelangelos and Forms all the way to first email worms, to first web worms. I remember when Y2K was the huge issue 23 years ago and then the internet revolution as it changed everything.
For the last couple of years I've been spending a lot of time looking at the intersection of cybersecurity and artificial intelligence. I write about this a lot. I had Wiley published my last book international. It's been translated to multiple languages. So I do a lot of educating both in conferences but also a lot of private briefings for boards and leadership teams of companies of all sizes.
Joseph Carson:
Fantastic, absolutely. And then just for the audience, your book is awesome. I really enjoyed it. We both are sitting with our copies, and it really provides a good background and I enjoy some of your references, some of the older school types of viruses and malware.
Mikko Hypponen:
You're getting old, that's why.
Joseph Carson:
I know. I know because when I start knowing, my career started back in the... Not as early as yours, mine a little bit after. For me it was '93 was where I still got in the industry. But then for me, I wasn't dedicated security. I was a system administrator, an operator who basically connected computers and did the whole Windows 3.1 to '95 migration, all of those fun times. But when you're telling, the stories always reminds me of also where I came, and I think I do have your autograph on the punch card, not even the floppy disk but the punch cards. I
Mikko Hypponen:
I actually always carry punch cards with me as well. So this is how I often how youngsters how we used to store information on paper before any of the configurations.
Joseph Carson:
Configuration. That was the configuration file. That's what it was.
Mikko Hypponen:
One thing about Windows 3, I just posted on X couple of days ago when I found a piece of early source code I wrote 30 years ago, and this was really fun project. I had no recollection of what it was until I looked at the documentation. But you remember before Windows we had MS-DOS. And in MS-DOS we had these TSR programs. Remember what TSRs are? Terminate-and-stay-resident.
Joseph Carson:
Say it again.
Mikko Hypponen:
Terminate-and-stay-resident. The programs you...
Joseph Carson:
That's not on the top of mind. So I remember DoubleSpace and I remember...
Mikko Hypponen:
That's TSR. That's a TSR. So anything you load that runs in the background in MS-DOS, that's a TSR. Then when Windows started to become a thing, you would first boot up MS-DOS and then from MSDOS you would start up Windows. And TSRs like DoubleSpace had hard time working underneath Windows.
What we did, because we had an MS-DOS and undivulged product that at the time, I created this hack where a TSR would detect that Windows is booting and it would change operation and became, it would survive Windows booting up and then continue running inside Windows as a VxD, that's a virtual device driver for Windows 3.1 or 3.11. A massive hack, but it worked. And the end result was that when you booted up your system it would scan floppies automatically when you use them to detect ... viruses. And if you boot it into Windows, it would still do the same thing. It would be able to prevent you from getting infected as you were using floppies. Really like low level programming, as said before...
Joseph Carson:
That's impressive.
Mikko Hypponen:
But I'm glad I had the experience, and I'm really glad I don't have to do it anymore.
Joseph Carson:
Yeah, anyone who, I always admire anyone who's getting into the driver side of development because that is... It's a very focused and dedicated area because I worked a lot in the virtualization side and had to deal with a lot of those filter drivers that had the different altitudes of where they load and where you were allowed to load.
Mikko Hypponen:
And I think we've already lost like 50% of the listeners.
Joseph Carson:
No, I think they love history lessons, that's for sure. So let's again, one of the big things I wanted to ask you about is for this year, in the past year, a lot's been happening. We always see the trends, the ups and downs and technology evolving, defenses evolving, the attacks and threats evolving. What's some of the most notable things that you've seen throughout this year that probably sparked your thoughts and that was interesting, that was unique potentially. What's some of those big events that you've really highlighted for you?
Mikko Hypponen:
October 2023, we didn't celebrate, but we did have the 10th anniversary of Bitcoin-enabled ransomware. The very first Bitcoin-enabled ransomware, which we found two families in October 2013, CryptoLocker and CryptoWall. And they were the very first ones which merged the world of blockchain, cryptocurrencies and ransomware. And that changed everything.
And if you look at the last 10 years, ransomware has been the big success story for the online criminals. When you look at the so-called cyber crime unicorns or the big five ransomware gangs, the amount of money they're making is massive and we saw examples of that multiple times during 2023.
I think the biggest case or the biggest headlines at least where the attack by the ALPHV gang against MGM Grand or MGM Resorts, so that includes many of the Las Vegas hotels the hackers stay at when they are in therefore BlackCat and DEFCON. I was staying in MGM Grand just last August for BlackCat, so I think they gained access to my stay data.
And that's a great example on how the world has changed. I've actually used this in my talks. I start the talk by playing the trailer of the movie Ocean's Eleven. So you have George Clooney, Brad Pitt, Matt Damon, this ragtag gang of gentlemen criminals who have this gang which breaks into the vault of Bellagio and steals tens of millions in cash. And then I point out to the audience that hey, just recently we had exactly the same casinos, MGM Grand, Bellagio being targeted by criminals trying to steal tens of millions of dollars except they were nowhere near the casinos. This is completely virtual. This is the difference between good old days and where we are today. Same targets, well of course one of them was a movie, but you get the point. The crime has changed. We've gone from local crime which happened on location into global crime, which is completely virtual. And the MGM Resorts hit is just one example.
And there's another lesson to be learned from there. As we learned later, Caesar's Palace, the biggest competitor to MGM Grand and Bellagio in Las Vegas was hit by the same gang just a couple of weeks earlier and no one even noticed because apparently they paid the ransom, which was 15 million US dollars immediately. Sounds like they were ready. They had a Bitcoin wallet waiting just in case something like this happened. And when it happened, they paid it immediately and recovered without anyone noticing. We only know because of the SEC filings in the leaks.
Joseph Carson:
The filings and the disclosure requirements that they have to have as part of being a traded company in public, that you have to have that insight for your investors.
Mikko Hypponen:
And so it is probably the biggest case of 2023 from the size of the headlines, but far from the only one. We had big cases in Europe like the Royal Mail incident, which was one of the many, many MOVEit cases, and that's a great example on how the tools you use to manage your organization are one of the major ways in, either the remote access solutions, the RDP or VPN solutions you keep running, or then enterprise level tools like MOVEit, which continued to be one of the major ways these initial access brokers find ways into the targets which they then sell to groups like Clop, Lockbot and ALPHV, which do the actual ransomware deployment once they have access to the internal networks.
Joseph Carson:
Absolutely, and one of the things that've seeing is that to your point from if you're using that reference for motions 11 is really important because you get into is that that's a group of people working together all with their own unique, very specialized skills. And when we look at the criminal gangs, they are built of the same, even though they're not in the same location, sometimes they don't even know each other. They're basically having their set of skills that they basically apply to that supply chain of criminal production line, whether it's they're stealing credentials and then selling it, whether it's creating a piece of malware or a creates a variant of ransomware and then making it available to another, and then ultimately you get basically the one who puts all those pieces together and then weaponizes it and uses it, and that really kind of makes it difficult, because you have those people that specialized and they're really good at what they do. Sometimes for organizations, it's very difficult to defend against those types of techniques.
Mikko Hypponen:
Yeah. And this is why I talk about them as cybercrime unicorns to make a reference to unicorn companies, like if LockBit would be a technology startup. Look at their financial, look at how much money they're making, look at how big their revenue is, look at how professional their operation is. If it would be a technology startup, it would be a unicorn. So these guys are serious and the thing that always blows people minds when I point it out is that these gangs do branding. They have names and logos and sites and the branding reminds me of real world organized crime gangs, especially gangs like motorcycle gangs, like Bandidos or Hells Angels. They do branding as well. They have very recognizable brands and logos and they need a recognized brand because they need a scary brand that everybody respects. You know that you don't fool around with Hells Angels. They're serious stuff. Same thing with Clop, LockBot or Ransom X, or Black Basta. Imagine coming to the office Monday morning to realize that hey, we've been hit by ransomware. Oh my God. And then, oh my God, it's Clop. Oh my God, it's ALPHV, because you know if you work...
Joseph Carson:
You have an association and then-
Mikko Hypponen:
You know it's going to be bad.
Joseph Carson:
And then they also have... They want to also have the reputation of if one you pay, you recover. They also want to make that association that if it's basically just random, you don't really know who you're dealing with. Then there's always that question is will the decryption key that you get work? Will the utility work? Will it do performances...
Mikko Hypponen:
They need everybody to know that they are criminals, but they are honest criminals.
Joseph Carson:
Yes, and that's the big thing. And I think this year, one of the things I've noticed is that this year it's been interesting as well to your point is like the Caesar's that we didn't know about it. I think this year I've started seeing exfiltration types of extortion starting to exceed the crypting type of ransomware because again, the criminals, they don't want to get the public visibility as well sometimes. They want to stay stealthy. And organizations, if their business is not being disrupted, they're more likely to work with the criminals in some of the payment side if it's just about the extortion of data. So there is some techniques that I have seen kind of starting to evolve this year, but of course the ones that we hear about, the big ones, are always the encryption-based ones where the businesses come to a complete stop.
Mikko Hypponen:
And very big part of them are very, very public. One thing I always say to companies that I talk about is that to go to these sites, go and visit LockBit website or Clop or any of these gangs and just scroll around. Just scroll at the amount of the victims, because very quickly you will realize that the list is a never-ending list of companies of all sizes from all business areas of all types, big and small. Nothing prevents you from getting hit. If these companies got hit, you can get hit as well. I've never met a company which would assume beforehand that we're probably going to be the next victim of these gangs. Everybody assumes it's not going to be them, but it really is eye-opening when they realize that the list never ends. There's hundreds and hundreds and hundreds of them.
Joseph Carson:
And organizations of all sizes. And it's not like they just grafted the ones with money. They go after any business that's connected. If you have an internet connection, you are an opportunistic target. I've seen organizations from the hundreds of millions and the billions of size right down to mid-size companies right down to the SMB, small businesses with a handful of people, all organizations of all sizes. If you are doing business online and you're using this technology that's connected, you have to realize that you are a potential victim and you just have to make sure that you are conscious of that. And when you're conscious sometimes it will make you be more motivated to take steps to try to reduce the risk.
Mikko Hypponen:
I agree. I've used the term that it's like shooting a shotgun against the internet. It's hitting random targets.
Joseph Carson:
Absolutely. It's a really good term and I think one of the things, I think it was your term that you mentioned recently where it was if it's smart, it's hackable, I think.
Mikko Hypponen:
Is if it's programmable, it's hackable. If it's smart, it's vulnerable. If it's programmable, it's hackable.
Joseph Carson:
Exactly, exactly. It's a good clarification there. So what other things have you seen this year? Have the techniques changed? Are they doing some... We have seen social engineering on the uptick, because of course that's the techniques that's trying to abuse humans to get around things like 2FA and MFA. So there has been social engineering and phishing techniques. What techniques... Are they changing significantly? Or are they just going through the same steps?
Mikko Hypponen:
Mostly the same, but of course we've seen some variation. Late last year we started seeing some of these MFA exhaustion attacks or fatigue attacks, trying to get people to approve multifactor authentication simply by overflow flooding them or having pretexting attacks where they portray themselves to be the tech support team and say that there's a problem with our two-factor authentication. "I'll turn it off, just give me the last code, I'll turn it off." And people fall for these. So when security gets better, the attackers figure ways around it. This has always been the game and it'll continue to be the game, which is trying to throw more and more hurdles against the attackers, but I don't see this game going away anytime soon.
One case we should talk about, which is unusual and abnormal is a case right here in Finland, which is where I am, which is the Vastaamo incident.
Joseph Carson:
Absolutely.
Mikko Hypponen:
Because that's such a highly unusual case.
Joseph Carson:
And it's a sad one as well because it's one of those situations where it's the type of data which has a long-lasting impact on the victims.
Mikko Hypponen:
Very true.
Joseph Carson:
And it's something that people who's been through trauma, people who's been through disasters, and when you go to have conversations with those, that's really helping you, those are all meant to be private conversations and private notes that should never get out.
Mikko Hypponen:
So for those of the people who don't know the case, this is a hack of a private psychotherapy center in Finland with 31,980 patient records getting exposed, and those patient records had full list of the sessions with therapists and their patients. And this is the kind of health data that stays explosive for a hundred years, because this is people discussing the most private things about their bosses, their spouses, and their children. And all of this needs to be kept secret as long as anyone mentioned is alive, and that means a hundred years. I don't really think we've really as a society or even us technologists have realized what a challenge it is to keep data, like medical data like this accessible, encrypted, secured and backed up for a god damn hundred years. It's a huge challenge. And here we have the prime example of what can happen when we fail.
Now one of the things which makes the Vastaamo, that's the name of the company, the Vastaamo case unusual, is that the company actually went bankrupt. They actually folded pretty much immediately after all of this became public. And that's rare. We only have a handful of cases. I've been keeping tabs on this. I think I have like 50 documented bankruptcies from all over the world over my career for 30 years, which is remarkably small number. This is what I always tell companies when I do briefings to leadership teams. I tell them that even if you get hacked real bad, your company will be fine. You will recover, even your stock valuation will recover.
Joseph Carson:
Even within two weeks, typically. Typically, on average it's usually up... It recovers within two weeks, and sometimes even better than it was before the breach.
Mikko Hypponen:
True, true. However, what I also tell the leadership team is that your company will survive, but you will not. The company will recover, but the CISO will get fired. The CIO will get fired, the CTO will get fired, the CFO might get fired, the CEO might get fired. This is how I motivate them to listen to me. That your company will be fine, but you won't be fine. However...
Joseph Carson:
Even moving into when you're talking about that is now is even the liability when we look at the SolarWinds case, and the SEC now doing the criminal case filing, this is where it's not just about you losing your job, but you could be personally liable from a financial impact, especially if you're a public traded company.
Mikko Hypponen:
Yeah, yeah. And of course, as you mentioned that we also have the first documented case during this year where a ransomware gang did an SEC filing on behalf of their victims just to show the potential new victims that if you get hit by us, you should take us seriously. If you're not reporting as you should be reporting, we will report you.
Joseph Carson:
On your behalf.
Mikko Hypponen:
On your behalf. So yeah, it's like a triple extortion. First you get extorted for encrypting your data, then for leaking your data, and then for failing to report to SEC or the local authority, whatever it might be.
Joseph Carson:
Absolutely. So we continue with the Vastaamo, the records and stuff. One of the things, the significant things this year is the person who was behind that eventually was caught. It was in Spain, I think it was.
Mikko Hypponen:
In France, actually.
Joseph Carson:
In France.
Mikko Hypponen:
Although he has been living in multiple different countries in and outside of Europe, but he's a Finnish guy. Well-known figure in this area has been tried, I believe twice before, for different hacking purposes, was a member of the Lizard Squad, which you might remember six years ago. He hasn't been found guilty yet, so still ongoing.
Joseph Carson:
Ongoing criminal case.
Mikko Hypponen:
But he seems very likely to be the right guy. I was part of the investigation early on. I had some leaks myself linking him to the case. And now that the police investigation has become public, which is by the way 2,200 pages of police reports. I've now read through 1700 pages, I still have 500 pages to read. There's tons of things linking him to the case. For example, one of the virtual servers that actually had a copy of the stolen SQL database off the psychotherapy center was sitting on a server, which was paid by the personal credit card of the acknowledged hacker and multiple other things linking him to the case. So I hope he gets sentenced and goes to jail.
Joseph Carson:
And unfortunately these situations are sometimes very rare, because a lot of the criminal activities, you mentioned that it's cross border, they're in other countries. And in a lot of cases they're in countries where there's no extradition treaties or even that those countries don't have laws that even consider these as crimes.
Mikko Hypponen:
But in this case, he wouldn't have been caught unless he wouldn't have made a programming mistake, actually getting the syntax of the tar command wrong as he was writing a cron job script for his line server. So what he was actually doing during the early stages of the blackmailing case was that he tried to blackmail the psychotherapy center to pay him around 400,000 euros in exchange of the patient database. When that didn't work out, he was then starting to publish patient records on a Tor site. So he set up a Tor website running on Tor server where he would initially manually publish a hundred patient records a day. After a couple of days, he got tired of doing it manually. So he did a cron job which would run every night at 3:00 AM, pick hundred random text files, one text file per victim and put them on the Tor site.
The mistake he made was that when you set the working directory in the tar command, the commands you do on the command line after the change directory command are done in different folder than before it. So he simply got the syntax wrong, which is really easy to do with tar. He test drove the script he wrote, which worked fine because he happened to be running it from the folder where the files were, but then when he put it as a cron job, it runs as root, which means tar was now taking files from the root's home directory for...
Joseph Carson:
To get the full path.
Mikko Hypponen:
That's right. And the end result was that he published on his Tor site listing of files in the root user's home directory, including his SSH keys, his command line history, his tools, and this is how police got lucky and actually found the guy. If he wouldn't have done that mistake, we probably would be still searching.
Joseph Carson:
Yeah, that's one of the things is that usually it is those tiny little details of mistakes that ultimately results in finding the attackers and if they're continuing to do it, there's only the few that decide to completely change their techniques and don't repeat. But yeah, it's good to hear at least some of those cases do come to conclusion at some point because that one, it is devastating, and I could think about how the victims of that will continue.
Mikko Hypponen:
Thankfully, this is rare. I only know of three other cases anywhere in the world where patient data would've been used to blackmail patients themselves because as...
Joseph Carson:
Which I think was the other one was in Australia, which was the...
Mikko Hypponen:
Medibank.
Joseph Carson:
Medibank, yeah, that was the other one where they targeted. Because Medibank wouldn't pay up, they target the victims, which then you get into those situations as well. In other areas as well, how much of the supply chain is also being impacted this year? Is that something that you're continually seeing? Are attackers looking to, let's say, accelerate the ability to target victims by targeting suppliers where allows them access to more organizations? Is that still being a trend and something of a technique?
Mikko Hypponen:
I think from cyber criminal's perspective, supply chain attacks continue to be opportunistic. If they have a way of using something like that to get in, they know they can access a huge amount of victims at the same time. That's basically, you could say MOVEit was a supply chain attack because that tool was used in enterprise clients around the world, and there was no way for them to know it was vulnerable. But when you look at more specific supply chain attacks, especially planted attacks where they first gain access to the supplier to booby trap the tools being used by others, those are then more likely to be governmental.
Joseph Carson:
Intelligence gathering.
Mikko Hypponen:
Exactly. That's very clever way of getting access to the place where you need to be getting access to, and you can figure out what kind of tools you would like to booby trap, which would then presumably be used by the kind of targets you're interested in. And that continues to be really, really problematic. How do you make sure that the things you are running inside your organization are really audited properly? Especially if you are faced with a nation state as someone who wants to attack against you. It's very, very tough.
Joseph Carson:
You're just hoping that the motives are never acted upon, because only that's the result.
Mikko Hypponen:
From my point of view, there really is no way of completely preventing this. So the best shot you have is to have enough capability to detect when you get hit, so have enough anomaly detection, have the capability of realizing that something weird is happening in your networks and be able to raise an alarm. So if you can't stop it, then the next best thing is to realize you have been hacked so you can respond immediately.
Joseph Carson:
Yeah, I think the big area is also having that balance between being able to detect and then respond effectively. Not all responses are equal, and sometimes they're not all trained and simulated. So the last thing you might be doing is in an active scenario, so sometimes make how you respond and what your recovery strategy is as well.
One thing is the big trend this year has been around artificial intelligence and AI and the big buzzword and the trends, and we've seen this hype. Throughout the industry, we always see these massive terms and trends. We've had zero trust, we've had quantum and blockchain and many other cryptocurrencies, and now the latest trend is around AI. Is it something... Are criminals using it to their advantage? Is it something that we're seeing use more in attacks? And what's your thought around AI and the industry today?
Mikko Hypponen:
You're absolutely right. There's tons of hype around AI, but I think the hype is warranted. This is not an empty bubble. There might be a bubble brewing in AI. We might see a bubble burst, but it's going to be similar to what happened with the dotcom boom in 1999 and 2000. Sure, we had a huge amount of oversized expectations and the bubble bursted, but if you look at the promises people were being given in the end of 1999 about how internet is going to change the world, all of that became true. All shopping did go online. Movies did go online. We really do buy dog food online today, which is what was promised. It just took 20 years. So AI is really changing the world. I do believe the AI revolution is a bigger revolution than the internet revolution, and that's saying something.
Joseph Carson:
Because it changed our lives a lot.
Mikko Hypponen:
It did. It did. And I think AI will change world more.
Joseph Carson:
Probably more in how we work, like the workforce. I think that's probably... You're absolutely right. We don't think about just as our society, I think it changes employment, the way employment happens in the future. So you're absolutely... I think you're spot on there.
Mikko Hypponen:
And industrial revolutions have typically changed the way we work more for the working class and less for the white collar people. This one is exactly the other way around. AI won't change the work our plumbers do at all. It's going to take away your job and my job, and that's going to be a different story altogether. But it is quite remarkable how quickly this is moving, especially since we've been waiting for this revolution for decades.
Joseph Carson:
Since the sixties, I think it was. Even because then it was mostly focused around simulations and educational training models. But this is something that's been worked on for a long time, and now I think it's one of those things that all the things have just come at the right time. It probably wouldn't have been successful without having the connectivity that we have today, the processing power that we have today, the data that's being collected, all of those things. I think it's one of those times it's just timing is right. But I think to your point, it will probably be more over the 10 to 20 year time that we'll start seeing what we're talking about today become much more reality. I think it's going to come immediately.
Mikko Hypponen:
Yeah. I think one of the key issue really was that all human knowledge now is data. Just 15, 20 years ago, big part of human knowledge was on paper. You can't teach machines with paper. But now obviously all the new information we generate is data, but we've even gone back and digitized all the old information, which means you can just use it, feed it to machines, and with the computing capability we have today, you can just have them read it all, read all the books, read every finished book and pick up the language. It's the same thing with every other language. Learn to program in any languages simply by reading all the books, and it's finally doable after all these AI winters and springs and false starts. No, it really is happening, and it's hard to keep up even if you try to.
And let me give a recommendation to people listening. We've all played around with large language models and image generators. Some of you have tried music generators, and there's one which is really blowing my mind right now. It's called Suno, that's S-U-N-O.AI, which is a music generator, you're right. Give me gangster rap with big bass and a lot of boom and large echo, and then make me some lyrics and rap it and it can rap, or do heavy metal, or do pop singing in any language. It sings in your language or it raps in your language and it's surprisingly good.
Joseph Carson:
That is impressive.
Mikko Hypponen:
It is. Try it. You will be amazed. In fact...
Joseph Carson:
Actually, I'll be making some songs later.
Mikko Hypponen:
You should make a song and you should include it in this episode in the end so people have an idea about what it sounds like.
Joseph Carson:
I'm going to take the transcript.
Mikko Hypponen:
You should.
Joseph Carson:
You know what? Both of us will be doing a duet.
Mikko Hypponen:
Oh, boy. I already regret bringing this up, but I think it's a great example on how fast this is moving, because I was looking at music generators three months ago, and in just three months they've changed so much. The thing that Suno creates songs that I wouldn't be surprised to hear from the radio. They're perfectly fine.
Joseph Carson:
So a question on this, one of the things as I always get is as I remember at the Talent Digital Summit this year, one of the things that was they get up and announce is that this images was done with AI and this choreography, the music, everything was AI. And I'm going, I always felt that at the end, some developer sitting there who wrote the algorithm that was used to create it, what does accountability come here? Can you just say, "It was the AI's fault. It wasn't mine." And then the developer's going, "Well, I wrote the algorithm. It's the AI's fault, it's not mine." Where does accountability come in this area? Are we just trying to disassociate decision making away from humans? Where does this come? What's your thoughts on that?
Mikko Hypponen:
Yeah, this is a very tough question. And European Union is trying to answer some of these tough questions with the AI Act, and that's a really hard thing to do. AI Act is trying to solve tons of different problems related to AI in general, including copyright, trademark, safety, security, and the responsibility question. From my point of view, when we make real world decision or decisions based on machine learning, who really is responsible? Clearly it can't be the algorithm. It has to be a human. So then the question becomes is it the programmer inside the organization? Is it the programming team? Is it the R&D unit? Is it the CEO? Is it the leadership team? Or is it the board of the company? Where do we put the responsibility?
Joseph Carson:
Where does it fall under?
Mikko Hypponen:
And most companies have no idea. They've never even thought about this. We write code for self-driving cars. If the car kills someone, is it the responsibility of the programmer or the chairman of the board? Great question. I don't have an answer for it, but it's a great question.
Joseph Carson:
Yeah, I think it's something that eventually, one instance to happen, there will be those discussions will publicly really choose some of the direction. Also, just finally, one of the things I want to get is that for the future moving forward, where do you see, let's say in 2024 and beyond, where do you see the direction of this going? What do you think is going to be the outcome? Are we going to see this battle of AIs happening? Is that something that's...
Mikko Hypponen:
Yes, absolutely. Yes. It sounds like science fiction. That's exactly what we're going to see. We will see good AI versus bad AI. Now, from my point of view, if you look at things, these different gen AI algorithms will be causing problems with as regards to cybersecurity, some of them are pretty obvious. Deepfakes, sure, will be used in scams. We already see that in small scale, not in huge scale, but they already exist. I have examples of deep fakes being used to scam people. Then we will see more, not deepfakes, but let's say deep scams, let's say romance scams or BEC scams done in massive parallel capabilities fooling 10,000 victims at the same time across all language barriers. This seems to be starting already.
Joseph Carson:
Yeah, I think in India was the big one recently where it was the trouble scam. That was the one I think. Was it Darknet Dairies was covering the episode there, which was really interesting about how big that was, about getting, and it was kind of accelerating in India.
Mikko Hypponen:
Yep. And for example, romance scam, which is a huge, probably one of the biggest problems for consumers is auctions scams, Airbnb scams, and investment scams, and romance scams. One romance scammer right now, fools maybe three or four victims at the same time. Typically, in languages he can understand at least to some level with automation one scammer can scam 10,000 victims at the same time in all languages and it's going to be perfect. So this is the problem.
Joseph Carson:
Scaling, this is the scaling. It scales the crime to astronomical, to unthinkable possibilities. And that's a scary thought.
Mikko Hypponen:
It is. I've actually discussed this with people at Open AI about how they could limit this. It's a hard problem. We don't have an easy solution for that either. But if we look at the other things which will be happening with Gen AI beyond deepfakes and deep scams, then we will have malware written by our large language models. We so far have three examples. AI will be able to find vulnerabilities, which is great when you're trying to find zero days in your own code. It's awful when someone else is trying to find zero days in your code.
And then we will see complete automation of malware campaigns. So right now, defenders like we with Secure, we've automated everything. We are very fast in finding and reacting to do attacks. The attackers are still working manually. They are reacting at human speed to the things our defense systems do at machine speed. And that will change. And we know it hasn't changed yet, because they are still slow, but that's going to change anytime. It could have changed already. It simply hasn't.
And then when that happens, then we really will see which one will be faster, good AI or bad AI. We will have, I don't know, a ransomware campaign run completely hands-free, which will automatically set up new CNC servers, register new domains, rewrite the emails, recompile the binaries.
Joseph Carson:
Do it in real time. That's the worry for me is that if all of a sudden the malware is basically, it's modifying itself in real time to evade detection and to get around the techniques...
Mikko Hypponen:
I hate the way you think.
Joseph Carson:
And then when you think about it gets into the collective, the Borg scenario where it's all working together, and basically it really gets to the point where we really need to make sure that we keep ahead, are always advancing. So no time to be complacent I would say.
Mikko Hypponen:
There is still job security in cybersecurity.
Joseph Carson:
Yeah. What we do, and the techniques will evolve and change, we won't keep doing the same thing. And that's always been the case. If I think about my career over the years, every five years I have to modify and change and adapt, and that's something that I think we're going to continue having to do anyway.
Mikko Hypponen:
And that's great. After 32 years in the industry, I haven't had a boring day yet.
Joseph Carson:
That's great day. That's always great to hear because for me, absolutely, it's always been exciting. And as I approach similar years in the industry, that means that I'm hopeful that I will continue enjoying what I do, so as you do yourself. Mikko, it's been amazing having you on. I always enjoy talking to you. Hopefully we'll get to catch up again in person. I'm pretty sure it won't be long because we're such close neighbors.
Mikko Hypponen:
That's right. That's right.
Joseph Carson:
But it's been awesome. Any final words of wisdom or thoughts for the audience before we finish up today?
Mikko Hypponen:
Well, one thing I always like to do is thank people for their work. Those of you who work in cybersecurity, people don't see your work because when cybersecurity works, nothing happens. So thank you for your work. Thank you for working, making the world a safer place. Thank you.
Joseph Carson:
Absolutely. So very wise words and I couldn't read it. Absolutely. When things don't happen, we know that things are... Security is working, and that's always a great thing to hear. Mikko, it's been amazing having you on. I'll definitely make sure that the audience gets, make sure we put a link to the book in the show notes and have a safe and great holidays, and enjoy your break. Make sure you have a great time. So thank you. All the best. And for everyone, this is the 401 Access Tonight podcast. Tune in every two weeks, and you'll get the latest updates and trends, and from amazing guests such as Mikko.