Endpoint/Device Security, Security Program Controls/Technologies, Black Hat

Mikko Hyppönen: Expect cybercriminals to leverage AI, machine learning in next couple of years

WithSecure chief research officer Mikko Hyppönen seen here speaking to reporters from the company’s Helsinki headquarters. (Joe Uchill/Staff)

Tuesday evening, on the eve of Black Hat, Mikko reserach launched the English language version of a book first started more than a decade ago. Hyppönen, a mainstay in the infosec community and chief technology officer at Finnish cybersecurity firm WithSecure, has a reputation as a futurist of sorts. 

With that in mind, "If it's smart, it's vulnerable" is meant to be an approachable guide to security today and tomorrow that “your grandma could read and like,” said Hyppönen. He spoke to SC Media about the book and his latest future predictions.

If the title of the book is correct, and everything smart is vulnerable – is the priority to find ways of mitigating the risk of the devices? Or is it to use dumber devices? 

It's a revolution that will happen whether we like it or not, whether we agree or not. In the very near future, there are going to be no other kinds of devices for us to purchase. And I'm actually even more worried about dumb devices than smart devices. 

The difference is that you understand your Smart TV is on the internet because you're watching Netflix from the TV. You understand that your smartwatch is on the internet because you get the weather report on the smartwatch. You understand that your security cameras are on the internet because that's how you watch the camera. To me, dumb devices are the kinds of devices where there will never be an app, or there will never be any services that we will use over the internet. But everyday devices you don't need an app for will be going online anyway. Your kitchen mixer will collect consumer data, and know where and how people are using it. 

If you have a Smart TV, you can put it on a separate network away from your computer. And people say they don’t care about the mixer, they’ll just put it on a separate network too. But no you can’t. The mixer is not going to be using your Wi Fi. It's going to be online using 5G or LTE or any of the new technologies we're developing at the moment.

Click here for more coverage from the Black Hat Conference in Las Vegas.

I also speak about the need to regulate security and IoT devices. And I'm not a fan of regulation. I think regulation more often fails than succeeds, especially security regulation. Our no cookie law, for example, has made no practical difference ; people just click OK to access every single website because they always want you to accept the cookies. Nevertheless, if you look at security or for home appliances, we already regulate; we regulate electrical safety, so your washing machine is not going to catch fire or give you an electric shock and if your house is burned down by a faulty washing machine then the manufacturer is responsible for the damage. However, if your smart washing machine leaves your WiFi password open, which then results in every laptop in your home getting locked by ransomware, they are not responsible for that. And maybe that's what we should regulate about IoT devices.

So, what are you imagining the future of the space will look like? 

The processing power of a typical iPhone nowadays is equal to a Cray 2. So a room size computer, which required a separate power generator or power plant to run it – everybody has that in their pocket and it runs on a battery. The price of computers has plummeted, while the processing power has escalated to sky high ranges. The same thing with storage, the same thing with bandwidth. We all will have access to unlimited computing unlimited processing power, unlimited bandwidth, unlimited storage, and it's going to be practically free. 

A good illustration of what it will look like would be something like everybody would have access to the largest possible AWS instance you could imagine with unlimited processing, unlimited storage, unlimited bandwidth, and the price would be cents a month. That's the direction where we're headed. And I think this is a really liberating thought. For companies, for enterprises, for creators, for builders, for coders – it changes the mindset. What would you build if there would be no restrictions? That's the future where we're headed. I see great things in the future of the Internet.

What does unlimited processing power and storage mean for security?

Well, we will have more and more things to secure. There will be more data to secure, and the bad people will of course find a way to use unlimited processing power for for badness as well.  One of the things I’ve seen in my decades in cybersecurity is that attackers aren't always such early adopters. So for example, machine learning and AI: every single botnet is being run by humans. Which is weird, because it would be fairly easy to automate the maintenance of a typical botnet or a typical malware campaign to an average TensorFlow framework or simple Python script.

So machine learning has been around for years. AI systems have been accessible for years, yet criminal gangs haven't started using them yet. Why? Because there's been no need; they've been doing fine with the current level of systems they have, and even if they really wanted to move into using more automation and more machine learning using frameworks, there's a huge lack of skills in machine learning, which means that people who have these skills don't have to go to the dark side. Why would you break the law if you don't have to? If you're making a great living legally with the skills you have, why would you break the law?

But as we know, the barriers are coming down. There's more and more AI experts, and system for using machine learning frameworks are becoming easier. We're not very far away from this becoming a reality [for cybercriminals]. It's going to happen in a year or two.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.