During the recent RSA Conference 2022 in San Francisco, California, Infosecurity had the pleasure of catching up with two cybersecurity industry stalwarts from WithSecure. Over a delicious hotel breakfast, the renowned Mikko Hypponen, the company’s chief research officer, and Cale Black, senior security consultant at WithSecure, answered our questions on a range of pertinent topics in the industry.
We began by discussing Hypponen’s position as an advisory board member at Europol and trends he is observing in the law enforcement space. He reflected that when he first began working in the industry, cybercrime wasn’t even a criminal offense in many jurisdictions, meaning threat actors could simply “reroute” their attacks through those countries. “Thankfully, those days are over – it is a crime everywhere, and there are no safe havens,” he observed. Now, the biggest barrier to law enforcement’s ability to bring cyber-criminals to justice is the vast amount of cooperation required, both between nations and organizations. “When you have a criminal in one country, victims in seven countries and the server used to commit the crime in another country, it’s a slow, painful process,” commented Hypponen, adding: “The fact remains that most online criminals are never caught and brought to justice.”
He noted that private companies that hold cyber-threat intelligence data are increasingly willing to share relevant insights with law enforcement, which they see as a moral duty. However, he would like law enforcement to provide more details about how this data is used practically to track down and arrest cyber-criminals. “I understand why they can’t share as openly as we would wish, but it can be frustrating at times,” said Hypponen.
Protecting Personal Data
The conversation moved on to the biggest privacy challenges Hypponen and Black are seeing. Both agreed the growing collection and value of personal data is a major issue. Black highlighted the advertising industry’s collection of vast quantities of personal data and the difficulties they face in protecting it. “The data is a money-maker but also a liability,” he outlined.
Hypponen concurred, noting that personal information is an increasingly valuable target for threat actors. This is particularly pertinent for healthcare data. Previously, cyber-criminals focused on direct financial gains, such as targeting banks and payment systems. “It is changing, and we are seeing more attacks where people have their medical information stolen, and then they’re getting blackmailed,” he explained.
Therefore, organizations holding such information must take steps to protect it in the event of hacks, such as encrypting and decoupling identifiable information. “That’s a huge challenge – I don’t think people understood what a huge challenge it is.”
Nevertheless, it is impossible to 100% protect individuals’ identities in respect of such data, according to Black, an expert in offensive security. “If I got access to a large set of data, the very first thing I’d try to do is look out and correlate that with something else inside of the data. Because a lot of time, even though it doesn’t have a name, phone number, the data will give you enough information to map things out,” he explained.
Open Platform Legislation
Hypponen has been a vocal critic of proposed legislation in the US and EU to open up digital platform data. This includes terms in the proposed EU’s Digital Markets Act, forcing tech giants like Meta and Apple to allow users of their devices to access third-party app stores. He believes this could have significant cybersecurity implications. This is because these platforms are closed environments, meaning they can’t be programmed. This has prevented malware from taking hold of them.
“The biggest practical cybersecurity success story of the past 15 years is current smartphone systems. The fact that there are no malware problems on your iPhone speaks for itself,” explained Hypponen. “It’s a very restrictive model but a safe one.”
While he understands the desire to increase competition in this marketplace, the current proposals will likely come at too high a price. “From a security point of view, the choice is easy – the Apple model is more secure,” he stated.
Emerging Threat Landscape
Regarding the most significant cyber-threat trends, Black sees the use of machine learning (ML) technology to conduct attacks as a major problem on the horizon. This can allow them to bypass defenses far more quickly and efficiently. “As ML becomes cheaper and gets taught in schools, I think we’re going to start seeing it used more often in specific contexts and also in planning and staging attacks,” he said.
Hypponen added that he expects ransomware gangs to start automating the malware campaigns they run, which are currently all conducted manually. “It’s going to happen soon, and the change will be really visible,” he warned.
The two experts also agreed that, more generally, the growing complexity of software will create increasing cybersecurity headaches going forward. “Complexity is the biggest enemy of security; the more code you have, the more bugs you have, the more vulnerabilities you have,” outlined Hypponen. “We should be reducing complexity, which means every new version of applications should be simpler, with fewer features and protocols. Yet it’s not happening; it’s exactly the opposite.”
Black concurred, citing his work in offensive security. “It used to be a lot of attacking protocols and exploits, but now it is often thinking about how people are building systems in the modern-day and how those complex systems interact with each other.”
IoT Security
We concluded the conversation on one of Hypponen’s biggest subjects – IoT security. He highlighted the famous Hyppönen Law: whenever an appliance is described as being ‘smart,’ it is vulnerable. As it stands, there is a fundamental market failure in this area, whereby the cheapest products are the most successful. These will typically have poor cybersecurity measures incorporated.
However, Hypponen does not believe the solution to this market failure is government regulation, such as the UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill. “The idea that government tells appliance makers how to secure their devices is a bad one,” he argued, adding: “Regulation almost always fails.”
Instead, Hypponen would like to see countries move in the direction of voluntary certification, “a voluntary stamp of approval if you implement certain basic requirements for IoT security.” He believes the existence of these certifications will ensure consumers think about security and begin making it part of their purchasing decisions.
He also wants manufacturers to be liable for security incidents emanating from flaws in their devices, in a similar way that washing machine manufacturers are liable if there is a dangerous electrical issue in their products. “If you regulate anything, regulate that,” he stated.
As we concluded our pancake-dominated breakfast, Hypponen highlighted his upcoming new book that will explore the topic of IoT security in more detail: If It’s Smart, It’s Vulnerable. This will be released in September 2022.