“The Internet is the best and worst thing that ever happened to us in history”. With that phrase begins his 2022 book Mikko Hypönnen hacker, security expert and one of the eminent figures in the world of hacking who has his own thesis: “If it’s smart, it’s vulnerable.” Telephones, computers, TVs and even washing machines are now vectors of attack. And his whole life has been dedicated to proving this, but above all to thinking about how to build digital antibodies.
Born in Finland in 1969 (“I am the age of the Internet,” he often says, because ARPANET was created in that year), he became known in the world of cybersecurity for having made significant contributions to improving systems. Since the 1990s, he has held advisory roles in the United States Government and is an authoritative voice in Europe and Asia on issues of hacking, cybercrime and cybersecurity. He even made a mini-documentary in which he recounted his journey to find the creators of the first computer virus in history, in Pakistan: Brain which spread throughout the world on floppy disks in 1986.
In August of this year, he attended Black Hat USA, one of the world’s largest cybersecurity and hacking conferences, in Las Vegas. Sitting in a hallway at the Mandalay Bay Convention Center, waiting to sign books, Hypönnen has the enthusiasm of a teenager who starts taking apart computers to see how they work: he hands over “punch cards” signed as a gift. “They work well as bookmarks,” he says, referring to these punched cards that were used in the prehistory of programming.
Hyppönen took part in a talk at the beginning of August Mob Museum Las Vegas, a museum that reviews the history of the mafia families in the United States – and which should be a must-see for anyone who is near old Vegas, by the way, in the Freemont Street area. A perfect excuse to talk about the Cybercriminal groups of the 21st century who, unlike the classic families that populated Las Vegas, New York and other iconic US cities, commit their crimes online. There he spoke with Alissa Knight a “recovered” hacker who used to steal assets from banks and now works protecting systems and advising companies.
Clarion attended the talk and spoke one-on-one with Mikko, who is now head of research at F-Secure: What stage is the Internet at today, how artificial intelligence is changing the threat landscape, but can also help build antibodies against the malware and cyber attacks.
The transformations of AI
─What would you say is the most remarkable thing about this era of AI that we are living in? What makes it different from other technological revolutions?
─This is the first technological revolution where technology is not destroying what are known as jobs. “blue collar”that is, traditional working-class jobs, as happened with the industrial revolution: AI does not take away our need for plumbers or bricklayers. We need plumbers, painters, carpenters! AI cannot do that. But programmers, lawyers, accountants? They are starting to lose jobs, and we have never seen this before: “white collar” jobs, office workers, being in danger. And to make matters worse, the creative industry, such as the arts, is also being affected.
─In April I said that during this year we would have a Top 40 of hits written by generative AI: composed, arranged and sung by an AI. A few weeks ago, in the German charts, number 27 was a song made entirely by AI. So it is happening faster than I thought.
─You grew up on the Internet where research and sharing discoveries was the constant. AI, in some way, does the work for us (summarizes texts, extracts main ideas). How does this affect the new generations?
─I don’t think it makes them any dumber, I think it will make them more efficient. It will give them tools to assist them in their research. When I was 20, if you wanted to use a computer, you had to be a programmer. There was no other way to use a computer. So it was very difficult for me to see how everyone would end up using a computer, because clearly not everyone can be a programmer. Today everyone uses a computer and has one in their pocket and they are not programmers. We just changed the way we use these devices like the telephone.
─And how do you imagine AI will impact this?
─It will do exactly the same: today you don’t have to be an expert in doing research or understanding how to build the most basic of science, now you can use an assistant. Artificial intelligence isn’t going to take your job, but someone who uses it better than you will.
─Just as the Internet has changed our daily lives, how do you imagine generative artificial intelligence will affect our daily lives in the future?
─We’re going to use a kind of Siri on steroids [el asistente de Apple]I imagine a service that is permanently accessible, perhaps we will have something similar to an earpiece that will allow us to ask for help at any time, or something similar. These tools are really very useful and we are already approaching this level of capabilities.
“You can’t ‘un-invent’ something”
─There is a categorical idea in your book regarding technology: once there is a technological advance, there is no turning back. Today, artificial intelligence is everywhere: how is it changing the threat landscape?
─“You can’t un-invent something”I often say. Every new creation, like the Internet, has its benefits and its dangers. Information, if it has to travel from point A to point B, no matter how many obstacles it encounters, will find a way to do so. Therefore, it is not yet clear whether artificial intelligence will bring us more problems than advantages: it is an invention that advances, and very quickly. But definitely We’re going to need defensive AI, if we are to have any chance of combating cybercrime.
─Is there excessive enthusiasm around AI?
─It is interesting to see how there is a cycle of enthusiasm [hype] around artificial intelligence, for better and for worse. If you look at the valuation of AI-linked companies, they inflated a lot during this time, almost the same thing that happened with the dotcom boom 20 years ago. But we are also starting to see how it can be used for bad things. For example, with deepfakes, we have already seen very realistic uses for targeting politicians or scamming consumers.
─So the risk of AI has a basis.
─Look, there are tons of reports about attacks that aren’t happening yet. Let me tell you. There’s a type of attack where a cybercriminal “steals” the face of a CEO or a CFO and takes advantage of it to scam the company’s financial sector. Is it possible to do this? Of course, deepfakes allow this to happen. And yet, we have not seen evidence that this is actually happening.
─But there are reports from cybersecurity companies about this.
─Yes, there are reports, but they are not very reliableThe closest we saw, that we can confirm, are cases of cloned executive voices on the answering machine, and even those are not in real time. We have the technology to make fake voices in real time, even videos, but what I want to tell you is that attackers are not using this on a large scale. Even with the cases of voice message scams, I only have two examples of that: not two hundred, two thousand, two.
─These aren’t real-world threats, then?
─The problem is that the enthusiasm around technology must be added the exaggerations about these problems. The whole point is that this entire threat landscape is being framed as something bigger than it actually is, at least at present. Now: this is definitely going to become a problem. The benefits for attackers are huge and the barrier to using them is getting lower and lower. But the problem isn’t as big as you might think, based on reports and the security companies down there (points to the Black Hat branded cubicles). These companies are telling you it’s going to be a problem, and they’re right. But it is not now.
─And how do you think they will be combated when they are, in fact, a problem?
─We have time to react, to build solutions to counteract these problems and the best solution to fighting the problems of artificial intelligence is artificial intelligence. Artificial intelligence defenses.
─You talked about WormGPT, a kind of ChatGPT for writing malware, AI-assisted social engineering, and other types of threats. What do you think will be the biggest threat and the biggest advantage that cybersecurity can take from AI?
─The biggest concrete threat is going to be the AI-assisted malware. Malware attacks where the virus can make a metamorphosis to avoid detection with generative techniques, and where an entire malware campaign can be orchestrated and executed by automation, that is a real threat. It will change the way it works, communicates, spreads, sends information. And all of that is going to be a perfect example of a type of malware that we will only be able to combat with, precisely, defensive AI: to combat these problems that AI is going to generate, we are going to need, precisely, AI.
The interview took place at the Mandalay Bay Convention Center in Las Vegas. That same day, Hyppönen gave a talk at the Mob Museum, which accredited Clarín so it could participate. The photos are courtesy of the museum.