The Hacker Mind Podcast: The Fog of Cyber War

Robert Vamosi
July 6, 2022
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

There’s an online war in Ukraine, one that you haven’t heard much about because that country is holding its own with an army of infosec volunteers worldwide.

Mikko Hypponen joins The Hacker Mind to discuss cybercrime unicorns, the fog of cyber war that surrounds the Ukrainian war with its much larger neighbor, and of course Mikko’s new book, If it’s Smart, it’s Vulnerable. 

Vamosi: For most of my career I have speculated when and where there would be an escalation of physical war into the virtual world. A cyberwar. And there’s been a fair amount of hyperbole, such as Richard Clark’s famous “digital pearl harbor” statement, that there would be one clear moment when this would happen.  Contrasting that is, perhaps, a more nuanced statement from Howard Schmidt, President Obama’s first cybersecurity czar, who said “We see people talking about the digital Pearl Harbor from the worms and Trojans and viruses.  But in all probability, there's more likelihood of what we call the 'backhoe attack' that would have more impact on a region than Code Red, or anything we've seen so far.”

What Schmidt was referring to was an incident when a common backhoe severed a strategic Sprint communications line in the United States. That event did more damage than any computer virus or worm at the time. I think event leaves open yet another possibility, that perhaps we’ve had many little digital pearl harbors already, such as the massive denial of service attack against Estonia, but we didn’t realize it at the time. 

Centre for Defence: In 2007, a struggle over a divisive Soviet statutes set the standard for a new form of Russian interference in the affairs of foreign states. plans to move the bronze soldier in turn, led to write out the first cyber attack ever attempted on an entire nation state. But the full story of the bronze soldier affair is only becoming clearer now. 13 years later, you researchers connected the dots to reveal how these events formed part of a new style of coordinated interference in which misinformation and manipulation were used by Russia to stoke division. It should have been a wake up call for the rest of the world. But most of us failed. To listen.


Welcome to the HAcker Mind, an original podcast from FroAllSecure. It’s about challenging our expectations about the people who hack for a living.

I’m Robert Vamosi and in this episode I’m celebrating 2 years of podcasting, so in my 50th episode, I’m going big. I’m talking about cybercrime unicorns, talking the fog of cyberwar among nation states, and about a new book that I think will be on the shelves of every information security professional later this summer. 


Vamosi: The slogan of the RSA Conference is “Where the World Talks Security,” and, in general. It’s an opportunity for someone like me who is States-bound most of the time, to in fact engage with people from around the world. Like in 2008, when I presented with Chris Boyd from the UK, on the rise of teenage hackers. RSAC also attracts some of the top researchers in infosec. You know, the handful of people who, if you say their name, people know them. I’m talking about someone in particular who has done TEDtalks as well as RSAC, Black Hat and numerous other conferences. 

Hypponen: My name is Miko Hypponen, and I am the Chief Research Officer for wit secure and I do live in Helsinki, Finland.

Vamosi: That last part might seem a bit extraneous, unnecessarily. It’s not. When I last saw Mikko in person we were both presenting at Nordic IT in Stockholm Sweden and in teh cab ride over to that conference, Mikko told me about a Finnish prank back in 1961. At that time the Swedes had re-discovered and began to salvage the Vasa warship. This was a massive warship that was on its maiden voyage in 1628. When it was time to lift the boat from the bottom of the water, Swedish divers also found a statue of a 20th-century Finnish Olympian runner. That statue, it seems, had been placed on the ship as a prank by some students from the  Helsinki University of Technology the night before. This speaks to both the playful rivalry between Sweden and Finland and also the understanded Finnish humor, which will become apparent, along with Mikko’s deep pride for Helsinki.

Hypponen: I don't know if it's important, but Helsinki is a beautiful, beautiful city and a beautiful country. And we are living in a country which has a very long neighbor and right now I think that's relevant to our world as well.

Vamosi: His neighbor to the east, Russia, has come up before.  15 years ago, when I still at CNET, I met up with Mikko. at DEF CON when it was held at Alexis Park, just off the Las Vegas strip. Mikko pulled me aside into the parking lot under a blazing Nevada sun in August. Mikko had read some of my reporting on Netsky, which Skynet backwards, a virus also known as Sasser, was a typical virus-of-the-day back in 2005. It’s really a cute story. Sven Jaschan, then 19, was found guilty of creating the Netsky virus.  Jaschan lived in the village of Waffensen, Germany, and he lived with his dad, a computer repair person in town. Jaschan said he created the virus in order for people to bring their infect machines to his dad’s repair shop -- only it got out of hand. Thing is, I never really bought the official story, although I reported it at CNET.  But I had suggested that Jaschan might not have been the sole creator. There was ample evidence that someone else--someone with greater skill-- had contributed at least some of the code, perhaps Jaschan mutated it, perhaps. But something didn’t feel right about that either. Mikko, reading this on CNET, pulled me aside at DEFCON and warned me.  He suggested I back off and leave the speculation about the Russian Business Network, a group at the time responsible for many online attacks, to Europol. “They’re equipped to handle that,” he said. And I remember Mikko adding quite clearly “Hey, I live not too far from those guys. You don't want anything to do with them.”  

Hypponen: Yeah, I still live not too far away from those guys. Although the old Russian Business Network probably is long gone and replaced with much bigger players.

Vamosi: That said, ten years ago we’d hear about new attack every other day. That’s not the case now. Does that mean we are losing ground in online security today? Mikko would disagree.

Hypponen:  We've never been in a better shape regarding cybersecurity, cyber security, cyber security is doing great. And I know it doesn't look like that. But the problem we have is that we only see the failures. I mean, it's not news when something doesn't happen. It is news when something happens. So if a company doesn't get hacked, no one knows if a company gets hacked, it's headline news. So this creates this illusion that everything is going to help cyber security's just full of failures and companies are getting hacked left and right. The fact of the matter is that cybersecurity systems have never been better security of our workstations or servers or cloud instances or mobile devices has never been better. If you compare the level of security we have today and 10 years ago it really is like night and day and we should embrace it, understand that and try to spread the upside of this industry that we are getting better and we are securing our systems better. It's just not very obvious, but it's true.

Vamosi: So this is an example of what’s news and what’s not. There’s that old truism in journalism. Dog bites man, not news.  But man bites dog, that’s news. The fact that we’re securing more of the networks today, that we’re beating the bad actors, that’s not necessarily news. It’s only when we fail that we get the big headlines.

Hypponen: When an IT team at a large company heroically works through the night to patch every single server against the new vulnerability which has been found and they finish by 7am. Just in time to prevent someone who's scanning their network to find vulnerable machines at 8am. No one's good enough. No one will pay attention, nothing happened. And rarely is anyone thanked for preventing a disaster which didn't happen. I can guarantee to you that the Washington Post or New York Times will not have a headline tomorrow saying that. The second largest company in the USA was not hacked yesterday. That's not news. So we only see the failures in my book, I used the term security Tetris because in Tetris, you're trying to make a whole line or actually four whole lines. That's Tetris when you make four whole lines at the same time. And when you succeed with what you're trying to do, the line disappears. So your successes disappear and your failures pile up. That's what we're doing in security.


Vamosi: So let's talk about these bigger players in computer crime. These are not groups of individual hackers sitting around the table late at night as it was in teh early days of malware writing. Today these are fairly large criminal enterprises and they don’t just attack desktops now, they attack mobile devices. I remember meeting Mikko in 2006. The RSA Conference was held in San Jose, Ca, that year and it was there that Mikko first showed me his collection of mobile phone viruses on his tiny Nokia. Those early mobile viruses weren't monetized; they were still proof of concepts. But by then desktop viruses were starting to be monetized.

Hypponen: Alright, original sea change for monetizing malware was 2003. That's when we started seeing the cooperation between spammers and malware writers. So botnet owners would take over large amount of computers and sell them to spammers who would use those home computers to send spam emails. Then we've seen all these big waves after that banking Trojans, credit card keyloggers botnet building have clearly for the last eight years now, Ransom ransomware in various different incarnate incarnations has been the big moneymaker. 

Vamosi:Ransomware is profitable today. Criminal organizations that launch these attacks, like Conti and REvil, are making millions of dollars by analyzing the organizations they go after and finding the right ransom for each one.  

Hypponen:  And over there, five years ago, I started thinking that these guys are making so much money that eventually we'll have to start to call them unicorns and it was sort of like a joke initially, like cybercrime unicorns, like really, but it's not funny anyway, they'd really do exist nowadays. We have really wealthy, really quickly growing completely criminal organizations and we should be calling them uniform.

Vamosi: Cybercrime Unicorns is catchy, and appropriate, however, the concept of organizations of criminals online existed before. We had individuals who were wealthy, perhaps you’ve seen the images of early 2000s Russian criminals with the bling bling, the gold teeth, and the fancy sports cars on Facebook. Individuals, who, whether they're in Russia or Brazil, or wherever in the world, were incredibly wealthy from their enterprise, and therefore targets of the FBI and Europol. What has changed to make it less of the individual and more of an enterprise. Instead we have these faceless ransomware groups. 

Hypponen: I think the big shift has been around ransomware groups going after the biggest possible talks. Initially ransomware was targeting home users to encrypt your holiday pictures, pay us 200 bucks to get your pictures back. That was the premise of the original ransomware ransomware. Today, it's much more likely that the group spent an extended amount of time and maybe even buys access to gain access to a corporate network and might be there for weeks for lateral movement, because they know that they can be asking for a million dollars or $10 million for ransomware. So it pays off. And if you're building that kind of operation, it has to be run professionally. 

Vamosi: Years ago, someone at Symantec told me that more and more malware was written by 9-5 criminal hackers, working monday to friday. So this trend actually started in the early 2000s. But in order to make money, you have to spend some money; there has to be some investment.. 

Hypponen:  And that's why we now see these groups which run their own data centers or their own IT support have their own HR department, hire lawyers and hire business analysts. It's kind of clever to hire business analysts for a ransomware again, because if you want to really know how much money you should be asking, steal the financial records of the victim company and give them to your own analyst who will be able to tell you that we should be asking them exactly this amount of money. This is what they can pay us tomorrow.

Vamosi: So before it was all about stealth, you didn't want to be identified as the one writing the malware, you didn't want to be called out and whatnot. It sounds like there's a lot more overhead with these unicorns. Because they have to employ people they have payroll, as you mentioned, they've got a whole operation that are, for the most part, ignored by the country they are in. In many cases it’s as long you don’t criminally hack a player at home, we don’t care. You can criminal hack the United States, you can criminally hack Europe. And so these organizations have grown.

Hypponen:  even better, they need a good brand. These ports are doing branding, they have logos, they have names. I mean, this is why you know they are evil by name. This is why you know Conte by name, I mean they need a reputation, a scary reputation that people are very worried about. You can imagine that you realize that. Oh my God, we've been hacked. Oh my god, it's ransomware oh my god, it's our evil. I know these guys. I've read about these guys. This is serious stuff. And that's the kind of reputation they want. A reputation that they're scary, but fair, if you pay the ransom, you will get your files. So they do branding. And that's why they have websites. That's why they have logos. And that's also part of the professional operations.

Vamosi: We’ve seen organizations purposefully brand themselves as scary before. Terrorist groups like al Queada, and ISIS. They branded themselves as scary. And the way the United States and others brought those scary organizations to justice was to offer rewards for the information. And it wasn’t just a few thousand; it was on the level of millions of dollars. So back in 2005, Microsoft offered, you know, $25,000 to have somebody turn in a malware writer back. And speaking of Netsky, which I mentioned a moment ago, the kid associated with it, his friends turned him in and they collectively shared the $25,000 bounty.  This is just on a larger level.

Hypponen: It's not the same amount of reward the Reward for Justice program is offering for terrorists so US government is taking cyber criminals know as seriously as a threat as they take terrorism.

Vamosi: So the bounty on Russian and Chinese and North Korean criminal hackers is now in the millions. And while these identified individuals remain at large, the minute they leave their home countries, someone somewhere stands a decent chance of collecting a large reward for turning them in. This sends a strong message. 

Hypponen: We had a bright moment in malware history, starting from October 2021. I call this the Cybercrime unicorn hunting seasons after summer of 2021 JBS continental pipeline causal pipeline, all these big cases, attitude to start exchanging, especially in US government, especially in State Department, especially in the Rewards for Justice program, and they started issuing these $10 million rewards for hacking groups, especially ransomware groups, and I love the money rewards for for information leading to arrest of cyber criminals. And that really started the biggest row of arrests against cybercrime gangs in countries where we typically don't see arrests happening including Russia, including Belarus, including Kazakhstan, Czech Republic, Poland, Ukraine, as well. 

Vamosi: This was when members of REvil were arrested in Russia. In Russia. This was a positive change. And one that perhaps we all thought might continue. 

Hypponen:  And all of that pretty much ground to halt when Ukraine was invaded in February. So we had this slight window when everything started looking really good, but you know, these groups were getting paranoid and these group members were seeing that there's a bounty on their head, and then they realize that if they rat their friends, their friend will go to jail, but they won't. They will get immunity for prosecution and they will get $10 million. And it becomes like a game theory that Oh, hold on, hold on. Oh, my friends know this as well. So the first one to rat everyone else gets, you know, gets the walk away, and everyone else will go to jail. I should drop my friends before they wreck me. And that's exactly the kind of mind games we should be playing alongside the criminals.


Vamosi:  Throughout our conversation, Mikko kept returning to the subject of Ukraine, and why not?  At the time of podcast, the country is holding its own against Russia. In contrast, the physical toll on the Ukrainian population has been staggering, with thousands of civilians killed in attacks on apartment buildings and shopping malls. This clearly rises to the level of International War Crimes. Not so much in the news, however, are the thousands of Ukraine information security professionals who are fighting daily to keep their country safe, and keep critical services up and running. Here's the BBC.

BBC:  Well as Ukrainian military battles Russian troops on the ground there's another battle taking place. It's in the digital realm. Ukraine's cyber security authority says the cyber conflict with Russia is unprecedented, describing it as the world's first hybrid war. Russia has been actively using disinformation to wage an information war against Ukraine but now Ukraine is fighting back with the digital Minister Mikhail Obrador leading the front by using social media to rally international support against Russia. So that's the last key we can speak to Ukraine's Deputy Minister of digital transformation. Alex banya. Good to see you Alex, thank you for taking the time. Tell us how you are fighting this war in the digital realm.

Prime Minister: Oh, thank you for this opportunity. So yeah, there we think that digital is an important part of this war as we are fighting on the ground. Digital technologies are the main tool for achieving our goals. Now, this is a sort of, and Russia was attacking  our infrastructure not just recently two weeks ago, starting from two weeks ago. They were attacking us for eight years. And I will say that we kind of became immune to them. So we were successful at defending our digital infrastructure. At this point, we created an army, which consists of 300,000 people who volunteer to join this effort in order to first of all, fight with the propaganda, fight with disinformation and reach out to Russian people and say, what exactly is happening in Ukraine? What's the real situation also to disrupt the digital infrastructure of Russia? Because we think that they have to feel what we feel all these years and, and they are being kept in some sort of a bubble in Russia, but now with all the sanctions with all our efforts, I think they have come to the start to realize that this also concerns them. They also involves all the people in Russia

Hypponen: I don't want to over exaggerate the importance of cyber in Ukraine, because the fact is that the real tragedies and the real deaths are happening in the real world. Having said that, we're seeing more activity in nation state cyber than ever before. Ukraine is seeing three times the activity they saw a year ago. So there's tons of things Russians are trying to do, trying and failing. It's interesting to see the Russia is failing, just like they're failing with the real world attacks. Everybody's surprised how poorly they've waged a war in the real world. They're failing online as well. And they're failing in both for the same reason Ukraine is pretty damn good in defending themselves. They're defending themselves in the real world. And they're defending themselves in the online world as well. I would claim that Ukraine is the best country in Europe and defending themselves against Russian cyber attacks. They're very good because they've been doing it for eight years.

Vamosi: Ukraine has been an experimental online play ground for Russia for years. Perhaps the most famous of these experimental attacks was NotPetya, a ransomware attack that coincided with a tax filing software used by every Ukrainian. Here’s the thing, international businesses with interests in Ukraine all had to use that same software, so not only were computers within Ukraine infected, but computers around the world were infected as well. That was a public attack, infecting shipping lines and  transit systems in other countries. But there were smaller attacks in the years preceding that.  For example, there were a very target attack upon the Ukrainian electrical grid in the dead of winter.

Hypponen:  global era, which was the electricity grid. Yeah, absolutely. And, you know, when you look at other countries, not just Europe, the whole world basically. If I'm looking at it from the European point of view, because I've worked with European governments and European militaries as well, everyone else is like playing war games and tabletop exercises and theoretical scenarios what what Russia could do. I know I mean to finish reserves myself, this is what we do when I go back to military refreshers. That's not what the Ukrainians do. They defend against real attacks every day, day in day out Russia is throwing their stuff at them and they find it and they neutralize it. And Ukraine has a hard time defending their infrastructure. It's a big country. 44 million people a week a lot of I mean, it's not a very rich country. So they have a lot of legacy systems, old hardware and old software, which makes it hard to defend, but they're defending blazingly well. Of course they have a lot of help from the outside now, and it's quite interesting how we've never before seen anything like this. We are seeing Western technology companies actively participating in defending a nation in a war against foreign cyber attacks. 

Vamosi: This is interesting. You have large companies with offices in both Ukraine and in Russian having to take sides, with even pulling out of Russia entirely. 

Hypponen: Last week, I met the director for Microsoft digital crime and units Europe, and I asked her well firstly, thanks. Thanks for your work. Thank you for standing with Ukraine. Great, but why? Why are you doing this? And the answer she had was very simple. She told me that they have customers and clients in Ukraine Ukrainian ministries and enterprises. So they're defending their clients. That's the answer. And obviously, that's not the whole story. Like, sure that's true. But again, Microsoft has tons of customers in Russia as well. And they choose to do this for Ukraine. So they not giving out the full justification for it. But I'm glad they are there, just like Google is there as well, and many of the big technology companies that we know.

Vamosi: And, given there’s a land war going on between the two nations, are the online attacks coordinated with the government’s interest? Or are these patriotic online criminals? Or perhaps a little both?

Hypponen: There's plenty of activity from Russian cyber criminals and just Russian civilians who want to use their skills to defend the homeland and revenge, these unjustified sanctions from the west somehow, so there's plenty of activity I'll be speaking about the fog of the cyber war because there's so many attacks coming from different players. It's hard to build a full picture but it also opens up opportunities. 

Vamosi:  Yes, the fog of war is a pretty convenient term. I mean, in theory if you wanted to crminally hack into Russia, now might just be the opportunity. 

Hypponen: For example, Western governments and intelligence agencies and militaries, who otherwise wouldn't dare to target Russian targets might now have a chance. They can do pretty much anything they want against Russia. If they get caught, they could just claim it's the Animus or whoever because there's so many attacks going on against Russia anyway. Right.

Vamosi: It’s also interesting to think that Russia might be focusing all of its efforts on Ukraine and not necessarily going after allies of Ukraine. That’s not true. There are attacks against Western Allies as well.

Hypponen: So far, with the attacks we've seen elsewhere. For example, in Europe, for example, in Finland, we've seen attacks but they've clearly been horrible. My estimate is that they're civilians, like activists or Russian crime gangs. For example, in Finland, we've seen the largest banks and the Ministry of Defense getting attacked. So attacks, like denial of service attacks, are nothing too serious, and they don't have the full blocks of Russian governmental activity. So I do believe the Russian government, military is targeting Ukraine and focusing on your brain right now. But I wouldn't be surprised if there would be no retaliation of any kind and cyber from Russia, after Finland and Sweden applied for NATO there has been nothing so far, but you would think they would do something and they haven't done anything yet. I think they will.


Vamosi: Okay, so criminal hackers are contributing online, whether authorized or not, so there's definitely a political element behind this online element of the Ukraine-Russian war..

Hypponen:  Yes, there is. Yes, there is. And politicians do realize the importance of this. And that's also been fascinating to watch. You and I remember the time when politicians were ignoring things and they didn't get it. They didn't understand what's so important about it. Today, they all understand very well how important it is to control the internet and use the internet wisely. The Internet is where elections are won and lost. The internet is how you control your people. How you see the changes in people's opinions. So they do want to defend the internet as well. And this is an example of that happening from the political point of view.

Vamosi: Yeah, so like in the past, when Estonia was attacked, there was a level of cooperation. They even opened an international office in association with NATO.

In 2007, Estonia suffered cyber attacks, the government media and banks were targeted. A year later the cyber defense Center of Excellence in collaboration with NATO was opened in Tallinn in northern Estonia. Eight nations contribute to it: Germany, Spain, Estonia Italy, Lithuania, Latvia, Slovakia and Hungary, which joined recently. Here researchers are working to optimize the protection of computer servers. cyber defense strategy and research are at the heart of this cooperation between Alliance member states.

Vamosi: But, over the years, there wasn’t much activity reported out of the Center of Excellence. It wasn't activity quite on this level that we see today with the US’s Cybersecurity  and Infrastructure Security Agency and other nations joining to help Ukraine..

Hypponen: Not on this level. It was so new back then. 15 years ago. So this is it's a different ballgame. But you mentioned CISA I'm really happy to see the kind of leadership season that has been showing worldwide. It's really important that the USA has been clearly giving the kind of guidance around critical infrastructure which has really been given everywhere. And we also have to give credit to US intelligence for calling the Ukraine crisis correctly, way before anyone else did. US and UK intelligence were telling the world already in December, when it's going to happen. We just didn't believe they were right.

Vamosi: Another thing  that’s been different is that in the lead up to the 2022 Ukraine war, President Biden ordered the intelligence community to share a lot of intel in part to prepare the world, and in part to unmask some of the stuff going on out of sight. Like online attacks. This is where public private partnerships, like CISA, become incredibly important to the stability of operations..

Hypponen:  CISA has become much more high profile and clearly tackling exactly the right problems? The challenge all countries have is that infrastructure and critical infrastructure is no longer in the hands of the government. It's private companies and you need public private partnerships. You need private companies to take their responsibility for defending the nation. And that's at a completely different level in different countries. And it still requires a lot of work to be done. But I think we're going in the right direction.

Vamosi: As a non US resident, Mikko can provide some perspective on this. I’m in the States, so I see and hear the American perspective. I do admit we had four years where we had a president that didn't understand or even care about cybercrime and he didn't care about any threats from Russia. And now we have President Biden, two years in. So I have to wonder if Mikko sees it as night and day. If he’d agree that the United States presence in cyberspace is really important, or is the US just another major player in a long series of major players?

Hypponen: The United States is the leader in many respects in cybersecurity, in cyber things to begin with, of course, all the big players, all the operating systems, clouds and search engines are coming from US based companies. So they 're seen as a leader in this field, almost regrettably, often. You know, we like to think the web was invented in Europe yet most of the websites I visit are from the USA, which is weird, but that's just the way it is. But I'm seeing a lot of things happening in the USA regarding defense of critical infrastructure happening over the last two years, three years, which I like. And that's, that's the kind of devil opens we hope will continue in the future as well. I guess it's going to depend on who the next president is.


Vamosi:  Fun fact,  Mikko has more or less worked at one company for the last 30 years ago. I say more or less because that company has changed names several times. At the time of this recording at RSAC in mid June of 2022, the company was still known as With Secure. It had not yet spun out its former name,  F-Secure, as a separate company. That occurred on July 1, 2022.

Hypponen: So I joined a company in 1991 called Data Fellows, which then later renamed itself in 1999. To execute. We actually had a product called F secure and we renamed the company to one of our products. This year, in March, March 2022, we renamed F-Secure to With Secure so everybody right now is working at With Secure and we're gonna spin out or do a demerger in July or actually at the end of June for a new company which is going to be called F-Secure. So in effect, execute splitting into With Secure and F-Secure and With Secure is going to be the consumer side and the enterprise side. F-Secure, which has the better known brand, is going to be the consumer brand, providing our VPN mobile VPN solutions, endpoint protection for home users. And then With secure provides consulting and enterprise software for companies and governments and enterprises. I'll be on the With Secure side myself.

Vamosi: Certainly enterprise is the more interesting site to be on. In reality, Mikko is Chief Research OFficer with With Secure and a research advisor with F-Secure now that they are legally distinct publicly traded companies. I would have thought that would be an obvious choice.

Hypponen: Oh It Wasn't that obvious to me. I did ponder it through but I do think it's the right side. I just started my 31st year with the company which has now renamed itself and split a couple of times. It is still the same company I joined. I haven't had a boring day.

Vamosi:  Given this proud history with the company, I can only imagine Mikko still has his data fellows pass.

Hypponen: I made sure I have some old bad somewhere about I am a weird secure guy nowadays. I'm already familiar with it with the name myself.

Vamosi: And, after many years of giving talks, giving TEDtalks, it’s interesting that Mikko hadn’t yet written a book. There’s one coming out this year. I asked him what took him so long? 

Hypponen: Oh, that's easy. It's a pandemic. I've been trying to write a book forever while having fun. 140 flights a year. It's hard writing on planes and lone Jews and holders weren't going anywhere. But then I had no excuses when the pandemic hits and I'm actually happy about that. I worked eight months on a deadline every Friday and now it's ready. Coming out in August from Wiley. The title of the book is that if it's smart, it's vulnerable. Which is the one in law which I coined a couple of years ago. 

Vamosi: The Hypponen Law states that whenever an appliance is described as being "smart", it is vulnerable.  This sounds like it might only apply to IoT devices, but it’s more than that. Which the book covers. 

Hypponen: Yeah, the book isn't just about IoT. IoT is, of course, covered there. But then I'm also talking about the big trends, trends that we've gone through over the last 30 years like what brought us where we are today. How is this big digital revolution around us changing us as a species and what's going to happen next? Where are we headed? And I speak a lot about the death of privacy, speak a lot about cyber war and nation states. I had some time to put in a little bit about Ukraine as well. The deadline of the book was the end of February, the Ukraine War started on 24th. So I had six days to get some of that in as well. I'm happy I had a chance to do that as well. So it's been great to actually work with professionals who know how to actually build a book out of my work that I've been doing for 30 years.

Vamosi: The book will be out in the United States in August, in time for a launch at Black Hat USA in Las Vegas.

Hypponen: t's really good to have it come out and I actually it's already been published in Finnish in Finland, but it's now coming out internationally and maybe even other languages as well.

Vamosi: Anything else we should know about the book?

Hypponen: to talk about the price of the book? And I don't know actually, no, I don't have an answer for that. I hope it's really expensive.  

Vamosi: Mikko wouldn’t let it alone. We digressed on the cover -- the cover - of the forthcoming book.

Hypponen: Well, you see in front of you, it's the it's a picture of me with the like a Wouldn't this be a matrix effect or something like something like we were working with Wiley, the publisher for something that would work on islands like this that's that's the project that the big project for me for for this year. I'm happy it's coming out.


Vamosi: Now that his book is turned in and is starting to get published around the world, what has Mikko been doing with his time?

Hypponen: Well, for the last three months, I've done nothing except Ukraine's. Every week I'm sitting in meetings with people in Libya or cave or wherever and we're doing our part to support them. I was giving a talk to Ukrainian members of the IT army last month. And I finished my talk by telling them because I wanted to give them hope. The little hope I could get, but never that was to show support. And I told them that you know, this war will be over. One day this war will be over and when the war is over. We like the West. We want to support you. We want to work with you. We want to do business with you guys. We want to rebuild with you. Ukraine will be rebuilt, Ukraine will rise and Russia will not. Russia will become a third world country. That's what's going on.

Vamosi:  Whoa. Reducing a former superpower country once an active threat to the United States and other Western countries to a third world status? That’s fairly bold.

Hypponen: That's my opinion, but I don't see any other outcome. They will be sanctioned and they will be para disconnected from the rest of the world. It's the biggest country on the planet and it's going to be a third world country.

Vamosi: So the security cooperation around Ukraine is something that might be built upon. As noted, we have CISA in the United States. We've got different entities around the world, but they all seem to be coming together around Ukraine. I wonder whether there will be a continuation of that after the war has ended? That we continue to see this sort of protectorate force in the world?

Hypponen: Well, we can hope we can help. I think we tend to come together in extraordinary situations and during normal times. We tend to our own businesses and we work with our own entities in our own societies. We can hope but I wouldn't be holding my breath.

Vamosi: I’d  really like to thank my friend, Mikko Hypponen for taking the time during the RSA conference to talk about the online war in Ukraine and his book, If it’s Smart, It’s Vulnerable. The book is available for pre-order now and will be sold in the US starting at Black HAt USA in August. Given his many talks, I can only imagine this book will be a must have for all infosec practitioners. And the work Mikko continues to do, meeting with European governments, strengthening our defenses online, is yet another critical role he plays within the community.  If you hadn’t heard of Mikko before this podcast, I’d recommend going back and watching his talks over the years. They’re funny, they’re insightful, and they are based on hands on, first person experiences.

I have so many stories about hackers who are making a positive difference in the world. I don't want you to miss out. Let's keep this conversation going. DM me @RobertVamosi on Twitter, or join me on Discord you can find the deets at the

For the Hacker mind, I remain the original smart but vulnerable Robert Vamosi

Share this post

Fancy some inbox Mayhem?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem