Mikko Hyppönen: “Artificial intelligence is not going to take your job, but someone who uses it better than you will.”

One of the most well-known hackers in the world referred to the current state of system security, “AI-assisted malware,” and deepfakes.

“The best solution to fight the problems of artificial intelligence is artificial intelligence,” he says.

“Internet is both the best and the worst thing that has happened to us in history.” With this phrase begins his 2022 book, Mikko Hyppönen, hacker, security expert, and one of the leading figures in the world of hacking who has his own thesis: “If it’s smart, it’s vulnerable.” Today, phones, computers, TVs, and even washing machines are vectors of attack. His entire life has been dedicated to proving this, but above all, to thinking about how to build digital antibodies.

Born in Finland in 1969 (“I am the same age as the internet,” he often says, because ARPANET was created that year), he became known in the world of cybersecurity for having made significant contributions to improving systems. Since the 1990s, he has held advisory roles in the U.S. Government and is an authoritative voice in Europe and Asia on hacking, cybercrime, and cybersecurity. He even made a mini-documentary in which he told the story of how he tracked down the creators of the first computer virus in history, Brain, which spread around the world via floppy disks in 1986, in Pakistan.

In August of this year, he attended Black Hat USA, one of the most important cybersecurity and hacking conferences in the world, in Las Vegas. In a hallway at the Mandalay Bay Convention Center, sitting and waiting to sign books, Hyppönen has the enthusiasm of a teenager who is just starting to disassemble computers to see how they work: he hands out signed “punch cards” as gifts. “They work well as bookmarks,” he says about these punch cards used in the prehistory of programming.

Hyppönen participated in a talk at the Mob Museum in Las Vegas at the beginning of August, a museum that reviews the history of mafia families in the United States—and which should be a must-see for anyone near old Vegas, by the way, in the Freemont Street area. It was a perfect excuse to talk about 21st-century cybercriminal groups, which, unlike the classic families that populated Las Vegas, New York, and other iconic U.S. cities, commit their crimes online. There, he spoke with Alissa Knight, a “reformed” hacker who used to steal assets from banks and now protects systems and advises companies.

─ What would you say is the most notable thing about this era of AI we are living in? What makes it different from other technological revolutions?

This is the first technological revolution where technology is not destroying what is known as “blue-collar” jobs, that is, traditional working-class jobs, as happened during the industrial revolution: AI does not eliminate the need for plumbers or builders. We need plumbers, painters, carpenters! AI can’t do that. But programmers, lawyers, accountants? They are starting to lose jobs, and we’ve never seen this before: the jobs of “white-collar” workers, office workers, are in danger. And to make things worse, the creative industry, like the arts, is also being affected.

─ In what way?

─In April, I said that by this year we would have a Top 40 of hits written by generative AI: composed, arranged, and sung by AI. A few weeks ago, in the German charts, number 27 was a song made entirely with AI. So, it’s happening faster than I thought.

─ You grew up in an internet where research and sharing discoveries was the constant. AI, in a way, solves the work for us (summarizing texts, pulling out main ideas). How does this affect new generations?

─I don’t think it makes them dumber, I think it will make them more efficient. It will give them tools to assist them in their research. When I was 20, if you wanted to use a computer, you had to be a programmer. There was no other way to use a computer. So, it was very hard for me to see how everyone was going to end up using a computer because clearly not everyone can be a programmer. Today, everyone uses a computer and has one in their pocket, and they’re not programmers. We’ve just changed the way we use these devices like phones.

─ And how do you imagine AI will impact this?

─It’s going to do exactly the same: today, you don’t have to be an expert in doing research or understand how to build the basics of science, now you can use an assistant. Artificial intelligence is not going to take your job, but someone who uses it better than you will.

─ Just as the internet changed our daily lives, how do you imagine generative artificial intelligence in everyday life in the future?

─We’re going to use a kind of Siri on steroids [Apple’s assistant]. I imagine an always-accessible service; maybe we’ll have something like an earpiece that will allow us to ask for help at any moment, or something like that. These tools are really useful, and we’re already getting closer to this level of capability.

─ In your book, there is a categorical idea regarding technology: once there is a technological advance, it cannot be undone. Today, artificial intelligence is everywhere: how is the threat landscape changing?

─ “You can’t un-invent something,” I always say. Every new creation, like the internet, has its benefits and its dangers. Information, if it has to travel from point A to point B, no matter what obstacles it encounters, will find a way to do it. That’s why it’s still unclear whether artificial intelligence will bring us more problems than advantages: it’s an invention that keeps advancing, and very quickly. But we will definitely need defensive AI if we want any chance of combating cybercrime.

─ Is there an excessive enthusiasm surrounding AI?

─It’s interesting to see how there is a cycle of enthusiasm [hype] around artificial intelligence, for better or worse. If you look at the valuation of AI-related companies, it inflated a lot during this time, almost the same as what happened with the dot-com boom 20 years ago. But we also start to see how it is used for bad things. For example, with deepfakes, we’ve already seen very realistic uses aimed at politicians or to scam consumers.

─ So, the risk of AI has a basis.

─Let’s see, there are tons of reports about attacks that haven’t happened yet. Let me tell you. There’s a type of attack where a cybercriminal “steals” the face of a CEO or CFO and uses it to commit fraud against the company’s financial sector. Is it possible to do this? Of course, deepfakes allow this. And yet, we haven’t seen evidence that this is actually happening.

─But there are reports from cybersecurity companies about this.

─Yes, there are reports, but they’re not very reliable. The closest thing we’ve seen, which we can confirm, are cases of executives’ voices cloned on answering machines, and even those aren’t in real-time. We have the technology to make fake voices in real-time, even videos, but what I want to say is that attackers are not using this on a large scale. Even with voice message scams, I only have two examples of that: not two hundred, not two thousand, just two.

─So, they’re not real-world threats then?

─The problem is that the enthusiasm around the technology is being combined with exaggerations about these issues. The whole point is that the threat landscape is being painted as something much bigger than it actually is, at least right now. Now, this will definitely become a problem. The benefits for attackers are huge, and the barrier to using them is getting lower. But the problem is not as big as it may seem based on reports and the companies in security down there (he points to the cubicles at Black Hat). These companies are telling you that it’s going to be a problem, and they’re right. But it’s not one now.

─And how do you think it will be fought when it becomes, in fact, a problem?

─We have time to react, to build solutions to counter these issues, and the best solution to fight the problems of artificial intelligence is artificial intelligence itself. AI-powered defenses.

─You talked about WormGPT, a kind of ChatGPT for writing malware, AI-assisted social engineering, and other types of threats. What do you think will be the biggest threat and the biggest advantage that cybersecurity will be able to gain from AI?

─The most concrete and biggest threat will be AI-assisted malware. Malware attacks where the virus can undergo a metamorphosis to avoid detection, with generative techniques, and where an entire malware campaign can be orchestrated and executed by automation—this is a real threat. It will change the way it functions, communicates, spreads, and sends information. And all of that will be a perfect example of a type of malware that we’ll only be able to fight with, precisely, defensive AI: to combat these issues that AI will generate, we will need AI itself.

Sources

Written by Juan Brodersen, from the Technology section of Diario Clarín, Buenos Aires, Argentina.