Cybersecurity is a process, not a project
2020-08-10 - In this podcast, Tobias engages Mikko Hyppönen, a global security expert, perhaps best known for Hyppönen's Law about IoT security. It states that whenever an appliance is described as being “smart”, it is vulnerable.
Mikko Hyppönen has spent his whole life with computers. Now aged 50, he sold his first commercial program when he was just 16 years old. His domain is computer security, and for practically every change that has happened in this space, Mikko has been there.
“I can tell you, I haven't had a boring day yet,” he says of the more than 30 years of his involvement in the computer security industry. And interesting does not quite go far enough to describe what a ride he has had.
Right off the bat, Tobias asks him to name the most exciting and memorable day he has seen. The truth: he has had so many over the years that ranking them is quite a task. But he says the most exciting feeling (one he has experienced many times over) is the joy of stopping a botnet by taking down the server it needs to operate and replicate itself.
“That’s the best feeling… The whole outbreak stops right there. The criminals will no longer make any money; no other persons or computers will get infected. And that's happened multiple times over my career. And it's always the best feeling because you really feel like you've just saved the world. And that's just great.”
Tobias engages Mikko about the involvement of law enforcement in the cybersecurity space and the different forms that cybercrime has taken over the years.
“I've worked with law enforcement on all continents. I've done a lot of consulting for Europol and Interpol, and today every country has the laws needed (to address cybercrimes).”
The industry has changed a great deal. For governments, that has meant shifting their spying networks to cyberspace. The U.S. has done well for itself in this game.
And which spies are doing the best job?
“If you look at where the cutting-edge capabilities of offensive use of cyber power are, it's in (the) USA. The United States has spent more money, they've had bigger budgets, they've been doing it longer than anyone else.”
Israel comes in at a close second. But then again, Israel works closely with the U.S. in this space.
But Mikko is quick to point out that the country with the biggest cyber weapons arsenal cannot deter others from launching attacks. Unlike nuclear weapons, whose most important function is as a deterrent of war, cyber capabilities are more abstract, and no country can say with certainty what the cyber capabilities of another are. This creates what Mikko calls the fog of cyberwar.
“Just like the fog of war prevents you from seeing what's really happening, in cyberwar it's even worse because we don't have any idea of the capabilities of different countries.”
Tobi also engages Mikko on the Snowden/PRISM leaks and how that has changed the world.
“I guess many people were expecting that you know, the PRISM leaks would change the world so that users would start to steer away from U.S.-based services. And that's not at all what's been happening during the years since PRISM. If anything, we are more reliant on U.S. services today.”
He explains the unexpected changes that have happened following the PRISM leaks, including a shift to HTTPS sites.
For businesses, the biggest shift in cyberspace has been the emergence of ransomware. Mikko explains how cybercrime gangs operate, including how they manage their reputation with support desks, trying to be “honest criminals.”
He explains the cyberattacks that have been in the headlines in recent years, including the Twitter hack of July 2020. And yes, he thinks the criminals who carried out that attack are idiots. They didn’t quite think it through in a manner that could have maximized their profits.
“But the criminals in the Twitter hack were not financial criminals; they were teenage kids or youngsters who were much more interested in Bitcoin or short usernames than options or financial instruments. And maybe it was good that they were.”
What’s Mikko’s advice to CTOs?
“The very first thing a company should do when they start seriously thinking about their security is to just sit down and think through who are they worried about, really? Like who would really attack them? Because the answer to these questions is not universal. It's not the same answer for every organization.”
He goes into detail about how exactly companies can do this, including advising them to have a CISO (Chief Information Security Officer) in charge of cybersecurity.
“You have to have someone in charge… Security is not a product. It's a process. So you need a process leader. You need someone with expertise in this area and who has the responsibility within the organization to make sure that the crucial things are taken care of today.”
In business organizations, cybersecurity is now a board-level topic, yet Mikko says it isn’t getting the recognition it needs.
“Cybersecurity becomes a board-level topic only when a company gets hacked themselves, or when something really big and visible happens,” he says. “That's not really good enough because if you look at the most likely risks to happen to an organization today, cyber risk is one of the biggest risks we face.”
But most companies recover from cyberattacks. So why, then, care about these hacks?
“Well, I'll tell you why: the companies will recover, their stock value gets a beating but even then it typically recovers. The ones who don't recover are the employees: CEOs get fired, CTOs get fired, CIOs get fired, CSOs get fired. That's why you should care!”