The dangers of online crime: Q&A with Mikko Hypponen

Mikko Hypponen is the chief research officer at F-Secure corporation, where he has led his team through some of the largest computer virus outbreaks in history. On stage at TEDGlobal 2011, he delivered a witty, entertaining, and deadly serious talk about the dangers of internet crime.

TED’s Ben Lillie reached him at his office in Helsinki, Finland to follow up on ways to address this widespread problem, and the risks of not facing it.

(Also read: Hypponen’s Ask Me Anything thread on Reddit.)

I loved the moment where you knock on the door and meet Basit and Amjad, the pair who wrote the first PC virus. What did they say when you talked to them? Why did they do it?

They were curious. They had history working with UNIX-based systems, and then along came this new DOS system. They thought the security model of those was horrible, and they wanted to prove how horrible it was by writing a demonstration, and that became Brain. They weren’t trying to do anything harmful, and they weren’t expecting their virus to go global. If they had been, they probably wouldn’t have left their names and number in there.

(Watch: Brain: Searching for the first PC virus in Pakistan, Mikko Hypponen talks with Basit and Amjad.)

How far did it go, and how did it go that far?

Well, in 1986 we basically didn’t have networks at all, apart from a few research systems. Most companies obviously had no internet, but also no local area networks. They’d have multiple computers, but the only way to move data between those computers would be floppy disks. So, Brain spread with these floppies. For Brain to go from one country to another, somebody had to travel from one country to another, carrying that infected floppy with them. And that’s how it went global.

So it’s the same basic idea, but takes a lot longer.

Exactly. You have to physically travel.

And by the way, if you look at Stuxnet, which made the headlines last year, that’s the way it spreads. Unlike almost all of the other stuff that we see, Stuxnet does not spread over the internet. It spreads only on USB sticks. The only way for Stuxnet to spread from one country to another is for somebody to travel, carrying an infected USB stick. Just like Brain, it went global, and we have infections from countries all around the world. And this is 25 years later.

That leads to the point you made about how we have to learn to function even when the computers stop working. Not to be too broad, but how do we do that?

Well, we can’t function as well as we can with the computers. And that’s the reason we use computers. They’ve brought us so much more productivity and we are so much more efficient with computers, but we still should be able to continue operating the most critical parts of our operation when computers fail.

So for example, if you lose your customer databases, you should have a copy somewhere else. An off-site copy. You should have mechanisms of communication, like faxes, which are obviously getting removed from offices because nobody uses them anymore. Faxes are great when e-mail doesn’t work. I wouldn’t be throwing them away.

So, thinking about alternative ways of working, thinking about how you reach the key people you need to reach, whom you always reach through your computer, if computers don’t work. Do you have everybody’s phone numbers? Do you have ways of reaching them through other mechanisms? How do you reach all your staff if you can’t e-mail them for some reason? Things like that. These are the basic building blocks that are thought about when disaster recovery plans are designed, when there’s also somebody designing them who thinks about computers. Normally disaster recovery is just about ‘fire burning the house down’ and how you continue working after that.

There’s a cost-benefit calculation you have to do to figure out how much is worth the extra expense.

That’s true. Like I said, we can’t expect to be able to work as efficiently without computers, but we should be able to continue to do the critical parts. This matters more when it has to do with the critical infrastructure of our societies and things like that, but it also affects normal companies.

You said we need to invest in a global internet crime-fighting network. How do you envision that working?

Well, the problem is that the mechanisms we have in place work fine when we handle traditional international crime. They don’t work as well when we talk about this kind of online crime. Online crime is practically always international, because it almost always crosses traditional national borders.

This means that the amount of international crime has absolutely exploded over the last ten years. We still have roughly the same amount of traditional international crime, but we have all this online crime that has appeared on top of it. When I look at the resources that we have to fight online crime, I’m sorry to report that they haven’t exploded.

Even more worryingly, the mechanisms we’ve built to fight international crime have been built to fight single, large, financially important crimes like smuggling, or money laundering at large scale, or drug-trafficking. We’re fairly good at doing that — police forces from independent countries that are involved work together and share information, and they help each other, and it’s prosecuted in one of the countries, and we get the bad guys.

But all these countries are typically motivated to work together because it’s such a big crime, and it involves so many people. In the world of online crime… Well, you can imagine what happens when the police in one country start to investigate a botnet, and they call the police in another country and they say, “We’d like your help to investigate this case — and to gather 400 gigs of information and do some research for us — because we’re investigating this one guy who stole a credit card number from this one grandmother in your country and stole $900 from her account.” That’s not going to fly.

That’s one of the main problems we have. These crimes don’t look as serious, and they don’t look as big, and they don’t look as important, and they don’t look as financially relevant as traditional crimes. But, what we easily miss is that it’s not just that grandmother. It’s like 10,000 of them, and the total amount of money is significant.

I understand that traditional crime has to get the priority. Especially when we start to think about problems that involve threat to life. For example, I was in Sao Paulo not too long ago. Some of the local law enforcement there spoke to some of the big banks. They have big problems with online crime, especially banking trojans, in Sao Paulo. One of the local police officers told me, “Yes, yes, we understand” that they have big problems. But what I didn’t know (pointing at me) was that Sao Paulo is one of the murder capitals of the world and they have people gunned down on the streets every single day. So, where exactly are they supposed to put their resources?

When you look at it from that point of view, it becomes painfully obvious that you first worry about crimes where people die. And it also makes it obvious how easy it is for Westerners like us to point the finger to Brazil or China or Russia or some far away country and say, “You have a problem, fix it.” That’s not actually the answer, it’s too easy a way out.

So, if this is going to happen, it needs a lot of resources from the first-world countries who are most affected by it?

Yes, and it would also need something of a framework where the member countries would be required to cooperate if another country is investigating, even if the crime doesn’t seem too important, or too big, or too financially important from your point of view.

What’s the danger if we don’t put something like this together?

Well, we’re risking the future of the net. People are already losing their trust. Once you get burned — somebody steals your credit card, or makes a purchase on your account — people tend to stay away from online commerce, and from trusting online services.

You could also argue that that’s good. Right now we might be in a situation where most end-users trust the online world way too much — clicking every link, downloading every attachment, putting their password into every field. The risk is that if people lose their trust completely, or don’t rely on the information they see, we are going to lose the momentum and the growth of the net, and run the risk of losing all the great things that we’re expecting.

And our societies are already assuming that everybody is online. Everybody from teenage girls to grandmothers is online, and we can rely on their having internet connectivity, and we can start to move things like social-security services, voting, and all these things to the online world since everybody is there. And that implies that everybody has to be there, which implies that everybody has to be capable of protecting themselves there as well. And we can’t really put that kind of a burden on the teenage girls and the grandmothers of the world. We can’t assume that they know how to secure themselves. It is complicated, and it is technical. It should be on a higher level — the operating system manufacturers, security companies, and the internet operators.

Yeah, you’ve said that ISPs could be doing more. What could they do?

Well, there’s lots of stuff about blocking malicious addresses. Every single day we automatically detect malicious websites, or spam email servers, or peer-to-peer clients which are used by botnets to talk to each other so they can be controlled. Operators can simply block traffic to these sites — not just web traffic, but internet traffic altogether. And some operators do.

There’s actually quite a bit of difference between different operators in how much they do stuff like this. Things that are completely behind the scenes, but which concretely protect their paying customers. And that’s a tough position for an operator. Of course they want to protect their customers, but if the customers don’t see any benefit — and it’s quite costly to do this — it might be hard to explain it to their shareholders.

So then you have the question of making it required by regulation, and how much power you give to an international agency.

Right. Well, there are many different mechanisms to do this. I’m not very keen on regulation, or political choices.

Also, one thing I want to make clear: I don’t want to increase networked monitoring, or countries monitoring what their citizens are doing online in any way. I believe in the freedom of the net, but I don’t believe in the freedom of the net at the cost of having these online criminal gangs running completely loose, and using the freedom of the net to steal everybody’s money and take away the trust we have.

One other mechanism you talked about was finding the people who have the skills, but not the opportunities. What are the opportunities? And how do you go about finding the people, who tend to be all over the world?

Yeah. Once you cross the border and start doing online crimes, the situation is much more difficult to fix. Once you’ve broken the law you have to pay, one way or another. So it would be much more beneficial for our societies to find these people and prevent it beforehand as much as they can.

And the situation is vastly different in different parts of the world. For example, I’m in Helsinki, Finland, which is one of the high-tech capitals of the European countries. If you live here and you understand networks and protocols, and you understand how to code, you’ll get a job, no problem.

If you’re the same person, with the same skills, living in the countryside of China, or Siberia, or the slums of Sao Paulo, nobody is hiring you. You have no opportunities to earn a living with the skills you have, unless you go to the online life of crime. You still have access to the internet, and can still reach all these rich Westerners, who are easy targets for a clever attacker. And that’s one of the reasons why many of these people turn to this life of crime. All the initiatives that help give opportunities to people who have skills but can’t find a way of using them would work.

There are some examples, like Imagine Cup, run by Microsoft, and Campus Party, originating from Mexico and Brazil, which are initiatives aimed at teenagers and people in their early twenties, getting them together and showing them productive stuff they can use their skills for.

Was there anything you really wish you’d been able to get in your talk, which you couldn’t for time?

Yes, when people who aren’t working in this field hear about things we are fighting and see some examples in practice, the obvious end result is that they get scared. And the outcome of that is that they think, “Oh my god, it’s horrible, I’ll never go online again, I’ll never use my credit card again.” And that’s not the right thing to do either, and it’s not what I’m trying to say.

What I’m saying is that we have criminals in the real world, and we have criminals in the online world. Of course we do, the online world is just the reflection of the real world. We have good people and bad people in both places. And the bad people in the real world don’t prevent us from living our lives and going to work and going to the shop, and they shouldn’t prevent us from doing that in the online world either.