Mikko Hyppönen: Expect Cybercriminals to Leverage AI and Machine Learning in the Next Two Years

On Tuesday evening, on the eve of Black Hat, Mikko Hyppönen launched the English version of a book started more than ten years ago. Hyppönen, a stalwart of the infosec community and chief technology officer of Finnish cybersecurity company WithSecure, has a reputation for being something of a futurist.

With that in mind, “If It’s Smart, It’s Vulnerable” is meant to be an accessible guide to today’s and tomorrow’s security that “your grandma could read and love,” Hyppönen said. He spoke to SC Media about the book and his latest future predictions.

If the title of the book is correct and everything smart is vulnerable, is the priority to find ways to mitigate the risk of devices? Or is it to use dumber devices?

It’s a revolution that will happen whether we like it or not, whether we agree or not. In the very near future, we won’t have any other types of devices to buy. And I’m actually even more concerned about dumb devices than smart devices.

The difference is that you understand that your Smart TV is on the Internet because you are watching Netflix from the TV. You understand that your smartwatch is on the internet because you get the weather report on the smartwatch. You understand that your security cameras are on the Internet because that’s how you look at the camera. For me, dumb devices are the types of devices where there will never be an app, or there will never be services that we will use on the internet. But everyday devices that you don’t need an app for will go live anyway. Your cooking mixer will collect consumer data and know where and how people use it.

If you have a Smart TV, you can put it on a separate network from your computer. And people say they don’t care about the mixer, they’ll just put it on a separate network too. But no, you can’t. The mixer will not use your Wi-Fi. It will be online using 5G or LTE or one of the new technologies we are developing right now.

I also talk about the need to regulate security and IoT devices. And I’m not a fan of regulation. I think regulation fails more often than it succeeds, especially safety regulation. Our anti-cookie law, for example, has made no practical difference; people just click OK to go to every website because they still want you to accept cookies. However, if you look at security or appliances, we already regulate; we regulate electrical safety, so your washing machine won’t catch fire or give you an electric shock, and if your house is set on fire by a faulty washing machine, the manufacturer is responsible for the damage. However, if your smart washing machine leaves your Wi-Fi password open, resulting in all laptops in your home being locked down by ransomware, they are not responsible for that. And maybe that’s what we should be regulating about IoT devices.

So, how do you imagine the future of space?

The processing power of a typical iPhone today is equal to that of a Cray 2. Thus, a room-sized computer, which required a separate power generator or power station to run it – everyone has it in their pocket and it runs on battery power. The price of computers has fallen, while processing power has skyrocketed. The same with storage, the same with bandwidth. We will all have access to unlimited processing power, unlimited bandwidth, unlimited storage, and it will be virtually free.

A good illustration of what this will look like would be something like everyone would have access to the largest possible AWS instance you could imagine with unlimited processing, unlimited storage, unlimited bandwidth and the price would be cents per month. This is the direction in which we are heading. And I think that’s a really liberating thought. For companies, for creators, for builders, for coders, this changes mentalities. What would you do if there were no restrictions? This is the future we are heading towards. I see great things in the future of the Internet.

What do unlimited processing power and storage mean for security?

Well, we will have more and more things to secure. There will be more data to secure, and of course the bad guys will find a way to use unlimited processing power for wickedness too. One of the things I’ve seen in my decades in cybersecurity is that attackers aren’t always that early. So, for example, machine learning and AI: every botnet is run by humans. Which is odd, because it would be quite easy to automate the maintenance of a typical botnet or typical malware campaign to an average TensorFlow framework or a simple Python script.

So machine learning has been around for years. AI systems have been available for years, but criminal gangs have yet to start using them. Why? Because there was no need for it; they’re doing well with the current level of systems they have, and even if they really wanted to move to using more automation and more machine learning using frameworks, there’s a huge lack of machine learning skills, which means people who have these skills don’t have to go to the dark side. Why would you break the law if you don’t have to? If you make a good living legally with the skills you have, why would you break the law?

But as we know, barriers fall. There are more and more artificial intelligence experts, and the systems of using machine learning frameworks are getting easier. We are not very far from this becoming a reality [for cybercriminals]. It will happen in a year or two.