Mikko Hyppönen carries his failures with him. Having worked in computer security for a quarter of a century, he says he’s racked up a long list of mistakes. And not the good kind of mistakes either.
“Many have been mistakes where there’s been no lessons learned, or ones I haven’t been able to recover from,” he says. In particular the 13-year-old he couldn’t save from a life of hacker crime.
Mikko is Chief Research Officer at Finnish cybersecurity firm F-Secure. He describes himself as a reverse engineer and computer security guy. He analyses online attacks and follows underground movements.
He unwittingly became a spokesperson, a term he’s still reluctant to use, for the fight against online crime when he helped send a fax to Reuters’ London desk back in 1994.
The first Windows virus had been discovered in Sweden. It was infecting Windows 3.1 systems and was the first reported virus that didn’t attack MS-DOS or spread on floppy disks. While examining the malware in F-Secure’s HQ, Mikko and the team realised something: this was news.
“We typed up a press release, and then we had it in our hands, thinking, ‘OK, what do you do with a press release?’ We had no idea, because we had never done one. So we figured out the fax number for Reuters in London and sent it. They ran the story and it was printed all over the world. Folks started ringing me,” says Mikko.
“It’s the kind of failure that bothers me for many years to come”
After answering those first phone calls, Mikko became F-Secure’s go-to media guy. When journalists would call for a comment, the phone would be passed to him. He handled the previous case after all.
It brought a level of prominence that Mikko hadn’t sought but has nevertheless proved adept at handling. Foreign Policy named him as one of their top 100 global thinkers in 2011, and his Ted Talk on cyber-crime in the same year is the web’s most-viewed computer security talk. Mikko didn’t get into online security to talk about it though.
He says that as a geek and a nerd who likes working with computers, any number of different options were open to him. He could be building database systems, writing operating systems or making games. Interesting, but not rewarding, options, he says.
“They are not as rewarding as being able to help people. Of course it’s a job. Of course it’s a business. We charge for this, but it still feels like you’re doing something noble. Because what you’re doing is helping people. People who’ve had their systems compromised or data stolen,” says Mikko.
It’s business, but it still feels noble, says Mikko
Maybe if he’d decided to pursue an “interesting” rather than “rewarding” career, one that didn’t bring him into contact with people in need, his mistakes and failures would matter less to him. Mikko doesn’t however have that luxury, and while successes may bring higher highs, his losses still cut.
He says that he regularly comes face-to-face with young teenage hackers, people on the “dark side”, who are involved in illegal activity online. He’s often contacted by worried parents of smart teenage boys desperate to see their children change. “It’s always a son; very few ladies or girls,” he says.
They might be involved in running botnets, a number of coordinated computers typically used to send spam emails, or carrying out denial-of-service attacks where access to an online network is suspended. Other times they might be hanging out with Anonymous. Mikko still makes the mistake of thinking these teenagers can be saved.
“I always jump to the conclusion that I know what their problem is, and I know how to fix it. I’ve failed multiple times in doing exactly that. I’ve explained to them how they have to change their path, how they are robbing themselves of their future,” says Mikko.
It all makes perfect sense to Mikko, but he finds himself unable to get through. They listen and understand – they just don’t take his advice.
After meeting Mikko, these boys “continue on their merry ways into mayhem”, ignoring that he’s told them they’re cutting themselves out of a legitimate career in tech. After a number of years, the boys typically graduate to financial crime: credit card theft and keylogging, selling software that can collect strangers’ PayPal and online banking logins. “It’s very easy to steal money if you know how to run botnets,” says Mikko.
He says that he sometimes meets these hackers years later and finds them still engaged in online crime. One particular case stands out.
“There was this really smart 13-year-old who I really tried to convert. Now he’s 19, and he’s going to go to jail soon. It bothers me on many different levels. But I suppose the biggest reason it bothers me is that I’ve failed,” says Mikko.
He takes it personally. “It’s the kind of failure that bothers me for many years to come. I think about how I could’ve changed that. I wish I could’ve changed that. But I was unable to,” he says.
Mikko on Web Summit Centre Stage in 2015
“There are no teenage boys anywhere in sight”
When Mikko first started working for F-Secure in 1991, he says that all the viruses he encountered were being written by teenage boys. The viruses were being written for fun, or to prove their author was capable of carrying out some kind of minor attack.
He thought computer security was to be a game played between antivirus companies and part-time hackers. The hackers would try to encrypt their viruses in more sophisticated ways; the antivirus companies would outsmart them.
“The mistake I made is that I completely underestimated the enemy. That’s not where we ended up at all,” says Mikko.
He looks at his work today, where he spends his time analysing attacks from organised crime syndicates, from nation states, from intelligence agencies and various militaries and realises the game has changed.
“There are no teenage boys anywhere in sight. I definitely did not sign up for this sh**,” he says.
“It can be a little bit schizophrenic”
In 2013, Mikko spoke out about his opposition to intelligence agency hacking when It emerged that the NSA paid security company RSA $10 million to include a flawed algorithm in their software. When the news broke, Mikko wrote the RSA an open letter outlining his opposition to the collaboration and his decision to pull out of a speaking engagement at an RSA conference as a result.
He now says that he might have been naive at not fully comprehending the reach of the NSA’s surveillance. While many of the revelations in Edward Snowden’s leaks were things that those in the security community had worried about for years, they weren’t sure that the NSA had the capabilities of carrying out such widespread mass surveillance.
“What actually changed, thanks to Snowden, is that now we know for a fact that’s actually what they’re doing. It’s not a fear. It’s not speculation. It’s actually happening for real,” says Mikko.
Throughout his career Mikko has advised several governments on cyber policy. He says that there’s a difference between working with law enforcement to try to catch criminals and working with intelligence agencies attempting to surveil the whole world. Even working with law enforcement brings complications however.
Many use malware to carry out investigations. In Finland, police have the right to infect the phones and computers of suspects with malicious software in order to collect information from these devices.
“It can be a little bit schizophrenic when we might be working on a case, trying to catch some hackers, when at the same time I know that law enforcement are working with malware themselves,” says Mikko.
He says that F-Secure have no interest in collaborating with these operations, quite the opposite. If the firm were to become aware of the kind of malware being used by Finnish police, they would have it blocked. It’s their job to block malware, regardless of where it comes from.
“You have the full right to expect us to block it, and we will block it the best we can. I’ve had these discussions with my law enforcement friends where I’ll say, ‘If you guys are going to use malware, go ahead, but don’t tell me about it. Because if I know about it, I will block it.’ It’s kind of weird but that’s the way it goes,” says Mikko.
F-Secure will do their best to block any malicious software directed at your devices – even if it comes from the cops
The security expert gets kicked off Twitter
It was fairly weird in 2009 when security expert Mikko Hyppönen found himself banned from Twitter for posting a link to a phishing site. In an effort to alert his followers to a particular scam, Mikko posted a broken URL, telling people to not click through. A year or so later, Twitter implemented a new filter that automatically detected when somebody posted a malicious link. Mikko was caught.
This was one mistake he would make all over again, he says.
“It was really strange because I had a very good working relationship with the security people who at Twitter, and then suddenly I was kicked off. It took ages to get me reinstated, even though I had all these guys I could call. They had no process in place at the time,” he says.
The link to a phishing site was a warning. It’s something that Mikko is reluctant to overuse. He’s aware of the balancing act required of a security company that wants to get the masses talking about online safety. The temptation to preach of doomsday cyber-scenarios needs to be avoided.
“It’s almost too easy to scare people, and I don’t like scaring people. We have to always keep in mind that computers, and especially the internet, have provided us with much more good than bad. They bring so much more connectivity; so much more entertainment – the balance is clearly on the side of the good things. I always try to emphasise that,” says Mikko.
He nevertheless regrets not being able to sell this message of positivity to the teenage hackers he’s met. The ones who got away.