Article

Mikko Hyppönen: a veteran’s take on the future of cybersecurity

March 2023

Key Points

  • Mikko Hyppönen’s book If It’s Smart, It’s Vulnerable draws on over 30 years in the data security business
  • He believes company leaders still underappreciate the value of the data they’re responsible for
  • Advances in artificial intelligence are posing new challenges to the cybersecurity industry

Author Mikko Hyppönen photographed by Miikka Pirinen

Mikko Hyppönen is as renowned for his cybersecurity expertise as he’s admired for decoding the subject for non-experts. He’s also something of an archivist: he’s kept every email he’s received since 1994. All 6.8 million of them.

This meticulous cataloguing was only possible because he’s spent his entire career at one firm, the Finnish data protection and privacy specialist F-Secure.

“I’ve been in this field longer than almost anyone else who’s still active,” he says, adding that he felt a “duty to write” a book drawing on the material at his fingertips.

If It’s Smart, It’s Vulnerable gets its title from a comment Hyppönen made about internet-connected devices during a talk, which subsequently became known as Hypponen’s Law. And those vulnerabilities are multiplying.

“Smart TVs and smart fridges are just the beginning,” he explains. “Eventually, everything we hook up to the electricity grid, we’ll hook up to the internet grid as well.” His mantra is that if you own a connected device, then you’re at risk from hackers, who might live half a world away.

Hyppönen dates his interest in computing to his childhood. His mother worked for Finland’s state computing centre and would bring home punch cards and punch tape, which operators used to store data in an era before disk drives became common. As a boy, he spent hours playing with them. “It’s in the blood,” he says.

The book covers Hyppönen’s subsequent efforts to frustrate, mitigate or at least better understand those who put their computing skills to malicious use. His stories range from helping patients of a psychotherapy centre that failed to safeguard digital copies of their confidential notes, to tracking down the creators of one of the world’s first computer viruses in Pakistan.

If It’s Smart… serves as a wake-up call to those responsible for keeping our information safe. “Perhaps the best metaphor for data is uranium,” Hyppönen writes. “Highly valuable and dangerous – its radiation is lethal maybe forever.”

He urges global business leaders to pay heed, saying they’ve repeatedly failed to act against cybercrime until it’s too late.

Hyppönen spends much of his time meeting company executives and board members, urging them to recognise the risk. A technique he commonly uses is to first ask how much the data they control is worth. This typically draws a blank.

Then he cites examples of firms that suffered costly attacks, such as North Korea’s hack of Sony Pictures or the Global Payments breach, which compromised more than a million credit and debit cards handled by the transactions processor.

“I tell them the companies survived, but the executives didn’t. And that’s what makes them care,” he says.

“No company is safe until it puts effort and investment into being safe. So that’s why I always recommend they do tabletop exercises and penetration tests, in which you hire a professional attacker to break into your network.”

As his book recounts, that can sometimes involve F-Secure’s staff physically entering a client’s building, bluffing their way past guards and gaining access to a supposedly secure computer server room.

“You want the good guys to break in before the bad guys do it for real,” Hyppönen comments.

Over the past year, Hyppönen’s also spent increasing amounts of his time helping to protect Ukrainian companies and other organisations against Russian cyberattacks. He avoids divulging specific details about the "tools and services” his company provides but says, “we’re trying to do our part and assist in any way we can.”

Russian cyberattacks against Ukraine predate the current war. For example, they’re blamed for taking a Ukrainian electricity substation offline in the winter of 2015, causing widespread power cuts. Hyppönen says Russia tried a similar tactic last year but failed.

Even so, it’s not possible to prevent every attack. At the start of the war, he says, women and children fleeing to safety in Romania got stuck at the border.

“The Russians had wiped the computers used by the Ukrainian border control systems,” he recalls. “The end result was people queuing in freezing rain for 24 or 48 hours.”

Governments of all colours stockpile cyberweapons capable of causing such disruption or worse. The cost of developing or acquiring can be high, and the temptation to use them can be strong.

“No one really knows who has what, and that can be problematic. And just like real-world weapons, they rust,” Hyppönen explains, referencing the fact that hacks can become obsolete if a software update fixes a vulnerability or a product changes so fundamentally that the flaw is no longer an issue.

“The lifecycle of a cyberweapon might be 12 to 36 months. And you can’t even parade them. So you get no deterrence value, and all that effort and investment you’ve put into building it just goes down the drain.”

The other development occupying Hyppönen’s thoughts since writing his book is a leap in artificial intelligence.

F-Secure developed AI software two decades ago to help it cope with the growing volume of malware. “We would need an army of 100,000 researchers to do what the program does for us,” he reflects, adding that other cybersecurity companies have become equally dependent on the technology.

But what’s caught him off guard has been the advances in AI’s ability to deal with language-related tasks and the mass adoption of the ChatGPT chatbot, in particular.  

“Bad people can use large language models to rewrite existing malware to make undetectable versions,” he explains.

“I wasn’t expecting ChatGPT to be so good at understanding existing computing programs, finding bugs from programs written by human beings, being able to find security vulnerabilities – all that happened much faster than I thought.”

Cybercriminals don’t have it all one way, however. Hyppönen notes that security firms can also use the tech to analyse and thwart AI-augmented attacks. “It’s going to be a cat and mouse game,” he says.

But looking further forward, he has concerns about where the wider use of AI will ultimately lead.

“These things are becoming black boxes, we don't really fully understand how they work,” he says.

“It’s quite obvious that eventually, we will have the computing capability to simulate a human brain. Then, of course, because computers get faster, it will be 1,000 times faster, then a billion times faster. When that happens, we humans become the second most intelligent being on this planet.

“It sounds like a basic evolutionary mistake to introduce a superior intelligence into your own biosphere. What happens after that is anybody’s guess. It’s probably going to be very good or very bad.”

That existential threat likely lies decades or hundreds of years in the future, he qualifies. And for now, there are still plenty of lower-level cyber-battles for Hyppönen and his colleagues to wage.

 

Risk factors      

The views expressed should not be considered as advice or a recommendation to buy, sell or hold a particular investment. They reflect opinion and should not be taken as statements of fact nor should any reliance be placed on them when making investment decisions.

This communication was produced and approved in March 2023 and has not been updated subsequently. It represents views held at the time of writing and may not reflect current thinking.

This communication contains information on investments which does not constitute independent research. Accordingly, it is not subject to the protections afforded to independent research, but is classified as advertising under Art 68 of the Financial Services Act (‘FinSA’) and Baillie Gifford and its staff may have dealt in the investments concerned.

All information is sourced from Baillie Gifford & Co and is current unless otherwise stated.

The images used in this communication are for illustrative purposes only.

 

Important information

Baillie Gifford & Co and Baillie Gifford & Co Limited are authorised and regulated by the Financial Conduct Authority (FCA). Baillie Gifford & Co Limited is an Authorised Corporate Director of OEICs.

Baillie Gifford Overseas Limited provides investment management and advisory services to non-UK Professional/Institutional clients only. Baillie Gifford Overseas Limited is wholly owned by Baillie Gifford & Co. Baillie Gifford & Co and Baillie Gifford Overseas Limited are authorised and regulated by the FCA in the UK.

Persons resident or domiciled outside the UK should consult with their professional advisers as to whether they require any governmental or other consents in order to enable them to invest, and with their tax advisers for advice relevant to their own particular circumstances.

Financial intermediaries

This communication is suitable for use of financial intermediaries. Financial intermediaries are solely responsible for any further distribution and Baillie Gifford takes no responsibility for the reliance on this document by any other person who did not receive this document directly from Baillie Gifford.

Europe

Baillie Gifford Investment Management (Europe) Limited provides investment management and advisory services to European (excluding UK) clients. It was incorporated in Ireland in May 2018. Baillie Gifford Investment Management (Europe) Limited is authorised by the Central Bank of Ireland as an AIFM under the AIFM Regulations and as a UCITS management company under the UCITS Regulation. Baillie Gifford Investment Management (Europe) Limited is also authorised in accordance with Regulation 7 of the AIFM Regulations, to provide management of portfolios of investments, including Individual Portfolio Management (‘IPM’) and Non-Core Services. Baillie Gifford Investment Management (Europe) Limited has been appointed as UCITS management company to the following UCITS umbrella company; Baillie Gifford Worldwide Funds plc. Through passporting it has established Baillie Gifford Investment Management (Europe) Limited (Frankfurt Branch) to market its investment management and advisory services and distribute Baillie Gifford Worldwide Funds plc in Germany. Similarly, it has established Baillie Gifford Investment Management (Europe) Limited (Amsterdam Branch) to market its investment management and advisory services and distribute Baillie Gifford Worldwide Funds plc in The Netherlands. Baillie Gifford Investment Management (Europe) Limited also has a representative office in Zurich, Switzerland pursuant to Art. 58 of the Federal Act on Financial Institutions ('FinIA'). The representative office is authorised by the Swiss Financial Market Supervisory Authority (FINMA). The representative office does not constitute a branch and therefore does not have authority to commit Baillie Gifford Investment Management (Europe) Limited. Baillie Gifford Investment Management (Europe) Limited is a wholly owned subsidiary of Baillie Gifford Overseas Limited, which is wholly owned by Baillie Gifford & Co. Baillie Gifford Overseas Limited and Baillie Gifford & Co are authorised and regulated in the UK by the Financial Conduct Authority.

China

Baillie Gifford Investment Management (Shanghai) Limited
柏基投资管理(上海)有限公司(‘BGIMS’) is wholly owned by Baillie Gifford Overseas Limited and may provide investment research to the Baillie Gifford Group pursuant to applicable laws. BGIMS is incorporated in Shanghai in the People’s Republic of China (‘PRC’) as a wholly foreign-owned limited liability company with a unified social credit code of 91310000MA1FL6KQ30. BGIMS is a registered Private Fund Manager with the Asset Management Association of China (‘AMAC’) and manages private security investment fund in the PRC, with a registration code of P1071226.

Baillie Gifford Overseas Investment Fund Management (Shanghai) Limited
柏基海外投资基金管理(上海)有限公司(‘BGQS’) is a wholly owned subsidiary of BGIMS incorporated in Shanghai as a limited liability company with its unified social credit code of 91310000MA1FL7JFXQ. BGQS is a registered Private Fund Manager with AMAC with a registration code of P1071708. BGQS has been approved by Shanghai Municipal Financial Regulatory Bureau for the Qualified Domestic Limited Partners (QDLP) Pilot Program, under which it may raise funds from PRC investors for making overseas investments.

Hong Kong

Baillie Gifford Asia (Hong Kong) Limited 柏基亞洲(香港)有限公司 is wholly owned by Baillie Gifford Overseas Limited and holds a Type 1 and a Type 2 license from the Securities & Futures Commission of Hong Kong to market and distribute Baillie Gifford’s range of collective investment schemes to professional investors in Hong Kong. Baillie Gifford Asia (Hong Kong) Limited 柏基亞洲(香港)有限公司 can be contacted at Suites 2713–2715, Two International Finance Centre, 8 Finance Street, Central, Hong Kong. Telephone +852 3756 5700.

South Korea

Baillie Gifford Overseas Limited is licensed with the Financial Services Commission in South Korea as a cross border Discretionary Investment Manager and Non-discretionary Investment Adviser.

Japan

Mitsubishi UFJ Baillie Gifford Asset Management Limited (‘MUBGAM’) is a joint venture company between Mitsubishi UFJ Trust & Banking Corporation and Baillie Gifford Overseas Limited. MUBGAM is authorised and regulated by the Financial Conduct Authority.

Australia

Baillie Gifford Overseas Limited (ARBN 118 567 178) is registered as a foreign company under the Corporations Act 2001 (Cth) and holds Foreign Australian Financial Services Licence No 528911. This material is provided to you on the basis that you are a ‘wholesale client’ within the meaning of section 761G of the Corporations Act 2001 (Cth) (‘Corporations Act’). Please advise Baillie Gifford Overseas Limited immediately if you are not a wholesale client. In no circumstances may this material be made available to a ‘retail client’ within the meaning of section 761G of the Corporations Act.

This material contains general information only. It does not take into account any person’s objectives, financial situation or needs.

South Africa

Baillie Gifford Overseas Limited is registered as a Foreign Financial Services Provider with the Financial Sector Conduct Authority in South Africa.

North America

Baillie Gifford International LLC is wholly owned by Baillie Gifford Overseas Limited; it was formed in Delaware in 2005 and is registered with the SEC. It is the legal entity through which Baillie Gifford Overseas Limited provides client service and marketing functions in North America. Baillie Gifford Overseas Limited is registered with the SEC in the United States of America. 

The Manager is not resident in Canada, its head office and principal place of business is in Edinburgh, Scotland. Baillie Gifford Overseas Limited is regulated in Canada as a portfolio manager and exempt market dealer with the Ontario Securities Commission ('OSC'). Its portfolio manager licence is currently passported into Alberta, Quebec, Saskatchewan, Manitoba and Newfoundland & Labrador whereas the exempt market dealer licence is passported across all Canadian provinces and territories. Baillie Gifford International LLC is regulated by the OSC as an exempt market and its licence is passported across all Canadian provinces and territories. Baillie Gifford Investment Management (Europe) Limited (‘BGE’) relies on the International Investment Fund Manager Exemption in the provinces of Ontario and Quebec. 

Israel

Baillie Gifford Overseas is not licensed under Israel’s Regulation of Investment Advising, Investment Marketing and Portfolio Management Law, 5755–1995 (the Advice Law) and does not carry insurance pursuant to the Advice Law. This material is only intended for those categories of Israeli residents who are qualified clients listed on the First Addendum to the Advice Law.


Ref: 37506 10019299

About the authors