Liveblog: Mikko Hypponen — If It’s Smart, It’s Vulnerable

War has become cyberwar, and every smart device is a potential attack vector. We need to think about security in a new way, says Mikko Hypponen.

Warning: Live-blogging. Prone to error, inaccuracy and howling crimes against grammar and syntax. This post will be updated over the next few days.


Watch Mikko Hypponen at NEXT22 on-demand

It’s hard to see the significance of a revolution when you’re living in the middle of it. That’s where we are. We’re living in an age when governments use hackers, they write malware, they use cyber warfare. We will forever be remembered as the first people who got online. Now, mankind will be online forever. We just happened to be born at the time when everything changed for the better — and for the worse. The internet is the best thing that has happened to us, and also the worst.

The internet took away geography. It doesn’t matter where you live – borders and distance go away. Finland hasn’t had a bank robbery in 12 years. Why? We have no real banks anymore. Bank robbers have moved online. They hack, use keyloggers, and steal cryptocurrency. They’ve digitalised. The old bank robbers were local criminals. Today – they could be anywhere in the world. Criminals who couldn’t reach us before can now get to us.

Another example: minorities. You could be a minority because of your skin colour, sexuality, or faith. Or even because of your hobby. And through the internet, you can find other people like you. It’s been a lifeline for many minorities. The places where we find people like us, the chats, forums and networks, also provide that for people with destructive thoughts. There are places online places where people are radicalised, who plan school attacks, or who starve themselves.

The Encryption Conundrum

We’re protected by strong encryption systems. It would take all the computers on the planet to crack one WhatsApp exchange — if they had several hundreds of million years. The sun will have gone out by then. And we forget that Meta can’t see the message, but it can see who went sent it to — and when.

But the downside of this encryption is that bad people could use it too — and do. We can’t uninvent the technology, but we could ban it. There’s regular discussion in Europe about doing this. But criminals break the law. So, if you make strong encryption illegal, only criminals will use it.

Today, elections are won or lost online, and intelligence agencies have moved operations onto the internet. Governments are creating cyber armies to fight their wars. We’re seeing this play out in Ukraine right now. But innovations don’t do away with old forms of war. So, cyberspace is additive to the places we fight. And there will be more.

The cyber battle for Ukraine

Russia has been attacking the power networks in Ukraine using malware. They haven’t yet succeeded, but they keep trying. The IT Army of Ukraine fights back — but volunteers have to watch their operational security, and give up any hope of ever visiting Russia.

Organised cybercrime groups in Russia have hundreds of employees, three offices and lawyers. They target the enemies of the state, so are tolerated by them. This is a business-centric operation. But volunteer hackers will try to target prominent targets, not for money, but for patriotism. The botnets they use are no longer infected Windows PCs, they’re infected smart home devices. When things become smart, they become vulnerable.

Mikko’s watch is 20 years old, and mechanical. It has no CPU, no storage, and no connectivity. It can’t be hacked. Many in the audience are wearing watches with code and chips and a connection. Can they be hacked? Of course.

If it’s smart, it’s vulnerable.


Mikko Hypponen is a global security expert. He has worked at F-Secure since 1991. Mikko has written about his research for the New York Times, Wired and Scientific America and appears frequently on international TV.