Mikko Hyppönen is the Chief Research Officer at F-Secure, where he’s spent the last two decades tracking, dissecting, and disabling malware, from viruses to trojans to worms to botnets. His long time in the field gives him a sense of history: last year he documented his search for the minds behind Brain, released in 1986 and considered the first MS-DOS based computer virus. Via email he discussed how malware has changed over the last twenty years, the future of smartphone viruses, and just whether antivirus companies are outmatched in a world of government-sponsored malware such as Stuxnet and Flame.
You've been working with F-Secure since 1991. Over that time, what's been the most profound change in the malware world?
The biggest change has been the change of the enemy. When I started, all the malware was written by kids and teenagers, for fun. Nowadays, we don't see anybody writing malware for fun. It's all done by criminals, activists and governments. And they all have a motive for doing it.
Obviously those new motivations drastically change the nature of malware — the 1988 Morris worm, for example, was created in an exploratory spirit and only accidentally caused serious problems. With no one writing malware for fun, and the enemy now being much more sophisticated, how has your job become more difficult?
Today we have a very concrete enemy. They have money, so they can afford to invest in bypassing us. They are watching what we do. They read our blogs and whitepapers. They most likely attend our conferences and trade fairs.
Malware has become an object of increased political attention, with admissions that Stuxnet and Flame are government-sponsored, offensive tools. That's led to complicated questions about the legality of state-funded cyber-attacks, as well as about relationships between governments and private anti-virus companies (who revealed the existence of Stuxnet and Flame). How do these revelations change the malware landscape?
We haven't seen real online warfare yet, of course, because we haven't seen wars between technically advanced nations lately. But any future crisis is likely to have a cyber component as well.
Many of the more devastating cyber attacks cannot be launched remotely, as the most critical networks are not connected to a public network. Think along the lines of a Special Forces unit going deep into enemy territory with embedded geeks in the team, to dig up fiber optic cables to be able to reach the systems that were supposed to be unreachable.
The main point of any arms race is to let your adversaries know about your capabilities so that they don't even think about starting a fight. We're not yet at this stage in the cyber arms race. Almost all of the developments in this area are secret and classified.
However, it will eventually become as public as any other defense technology. Maybe we'll eventually see public cyber war exercises where a country will demonstrate their attack capabilities. Maybe we'll eventually see cyber disarmament programs.
Defending against military-strength malware is a real challenge for the computer security industry. Furthermore, the security industry is not global. It is highly focused in just a handful of countries. The rest of the countries rely on foreign security labs to provide their everyday digital security for them.
You've said that the inability to detect Flame was a failure for the antivirus industry, writing, "We were out of our league, in our own game." Others have agreed, saying that in an era of military-grade malware, the standard detection and prevention model no longer works: it's simply too difficult to recognize every threat. How do you think these threats will be fought in the future? What needs to take place?
We have some ideas on our next move. But we don't want to discuss those just yet.
There's a long-standing complaint that information security companies have an incentive to exaggerate the threat of "cybercrime" — the oft-quoted estimate that the global cost of cybercrime is $1 trillion a year, for example, seems to rely on dubious (perhaps wishful) accounting.
Although it is difficult to come up with a precise figure, I can estimate from the evidence available that online criminals are lining their pockets with hundreds of millions of dollars every year. Moreover, this figure does not include the losses suffered by businesses and the public as a result of cybercrime, which are much higher. Nevertheless, that's far, far away from $1 trillion.
Online criminals can be located anywhere in the world, physically far removed from the victims of their crimes. The money is obviously good and the risk of getting caught is low because our national police forces and legal systems often lack the resources and reach to cope with the international and technically complex nature of the crimes.
There is a constant flow of newcomers to the crime industry. It is also evident that criminal gangs are investing a great deal of time and money in developing ever more stealthy malware in pursuit of further profits. I believe strongly that as long as there are relatively minor penalties for the few perpetrators that are caught, the online crime business will still continue to grow in the future.
Do you think that suggests the need for governmental and law enforcement action, rather than strictly technical solutions? Obviously there are hotbeds of cyber-crime around the world, places where easy connectivity and a certain degree of lawlessness combine to make online crime a tempting proposition.
Lack of laws is not the problem — not any more. It's the enforcement that's the problem. This is further complicated by the fact that it's hard to see the big picture of these crimes. Initiatives for international law-enforcement co-operation were built to fight completely different kinds of crimes (like drug trafficking) and they have a hard time adjusting to these new types of crimes.
You were fairly early in warning people about the potential for smartphone malware. What do you think about the state of smartphone malware today?
It's been a bit sad to see that out of Linux distributions, it was Android — the most successful mobile Linux distribution — that has really introduced the malware problem to the Linux world.
We're already seeing companies taking on the threat of smartphone malware, though it seems like we're still in the opening stages of that story. Do you think smartphone malware will become a greater threat than computer-based malware, or is it a similar problem in a new medium?
Attackers will follow the users. If most of the targets will be using smartphones instead of traditional computers, that's where the attackers will go.
What's the most important thing that people outside your area of expertise don't know about it?
The antivirus industry is quite unique in the way direct competitors help each other. It's not publicly known, but antivirus companies co-operate all the time.
On the surface, antivirus vendors are direct competitors. And in fact, the competition is fierce on the sales and marketing side. But on the technical side, we're actually very friendly to each other. It seems that everyone knows everyone else. After all, there are only a few hundred antivirus analysts in the whole world.
You see, normal software companies do not have enemies; just competitors. If you're in the business of writing, for example, word processors you don't have enemies. In our business, it's different. Obviously we have competitors, but they are not our main problem. Our main problem is the virus writers, the bot authors, the spammers and the phishers. They hate us. They often attack us directly. And it's our job to try to keep them at bay and do what we can to protect our customers from them.
In this job, all the vendors are in the same boat. This is why we help each other. And this is why I believe we are not losing the war against online criminals.
Read more 5 Minutes on The Verge.
Image courtesy Mikko Hyppönen