2021 is drawing to a close, and it’s time to revisit the highs and lows of the past 12 months, and look ahead to the brand new year to come. To mark the year’s end, we’ve recorded a special two-part episode of Cyber Security Sauna. F-Secure’s Chief Research Officer Mikko Hypponen, Security Consultant Adriana Verhagen, and AI researcher Andy Patel join episode 63 to share their key takeaways from 2021, and thoughts on important issues we’ll face in 2022 and beyond. In this episode: cyber security and the board, how companies are doing at integrating security into the business, what a Metaverse could mean, cyber crime unicorns, machine learning in attacks, the future of programming, and more.
Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!
Janne: What stood out to you guys in 2021?
Adriana: At the end of 2020, there was the SolarWinds hack, which was pretty big. And in 2021, we still had an aftermath of SolarWinds, which actually was the board of directors being sued because they hadn’t paid enough attention, although they were aware of the risks. That’s what the claimants claim, that the board was aware.
So I think what this is actually showing is a precedent for the fact that boards are going to become more and more accountable, or held accountable, for cyber incidents and for the aftermath of these cyber incidents. So I think what we will see more and more is the board being more engaged with the organizations and how they manage cyber risk.
Mikko: Yeah. And that would be the high time for this to start to happen. Leadership teams and board members, in my opinion, have just been ignoring the whole topic of cyber security for forever. It’s only becoming a topic for the top management when there is an incident, either in the company or in the news. And in this time and age, that’s simply not good enough.
I think cyber security should be a permanent topic on any board level meeting in any large company. But clearly, the thing that’s preventing this is that you look at the stereotype of the board member of a typical enterprise company and they are people who are not really their strongest in digital topics or technology topics. So I suppose they’re just trying to ignore the topic if they can, and that’s not good enough anymore.
Yeah. I’m sure a lot of people in the field welcome the fact that the top management of organizations is being held accountable. But is that correct? Should we do that? Is it right that we, like you said, these guys don’t know about technology. Is the problem with them or with their immediate subordinates, or who’s responsible?
Adriana: Well, I do think that the board has responsibility in engaging with the leadership team of an organization to ensure that the tone is right. And if the board is unable to do that, then there might be a lax approach towards managing cyber risk. So I do think that there is an accountability, and we will see that that will be going up and up. So we’re already seeing that boards are getting training, and they’re getting involved in crisis management exercises, and so on. So it’s a bit better than what it used to be, but it needs to get better.
Mikko: Yeah. And I do think they are, and should be responsible, just like they are responsible for physical security, and workplace safety, and things like fire safety. They’re not experts in fire safety either, but I think they realize that it’s their responsibility that the company takes care of things like this. And typically, of course it’s done by experts in their own field, but the ultimate responsibility is in the top management of the company. And that’s the way we should be thinking about this kind of security and this kind of safety as well.
Sure. But that’s what I mean. The board doesn’t go around asking, “What sort of locks do we have on our doors? And have we had fire drills this year?” They trust that somebody is taking care of that. So is the final responsibility with the board or with somebody else in the organization? Are the boards, in fact, asking their, I don’t know, CIOs or anybody like, “Are we doing enough for cyber security?” And these people are just nodding their heads saying, “Yes, yes, yes. We are.”
Mikko: Well, I’ve had discussions with leadership team members for large companies over the last couple of years about ransomware in particular. And some companies have done exactly that. Leadership team members and board members have gone to CIOs and CISOs, like, “Are we really taking backups the way we should be taking backups? Or do we really have backups of everything? Are we sure the backups are incorruptible by an outsider attacker? How do we know? How are we sure? Show us, show me, prove me you can recover our data. Prove me we can get our systems back in 24 hours,” questions like that.
And it is a new field. Things like fire safety, workplace safety are well established. I think in most large companies, top management can feel pretty reassured that the professionals hired to do that know what they’re doing, but this is a new field. So they should be asking questions like this.
Like more detailed questions without worrying about micromanagement.
Mikko: Show us, prove it, trust and verify.
Andy: Isn’t it also like a resourcing issue? I mean, I see lot of claims from people on Twitter who work in infosec that there’s just not enough money or people being put into this problem. Whereas building safety is budgeted for, because it’s something that you ordinarily have to do. I mean, it’s just a common sense thing to do, but it feels like it’s a side issue is still, and it’s not resourced properly.
Janne: I think you’re right. A lot of problems out there we’re expecting to do more with less every year. And for example, in cyber security, you could make a convincing argument that the problem is getting more and more complex all the time. So maybe it’s not realistic in this field. I don’t know if it’s realistic in any field, but maybe it’s not realistic in particularly this field to do more with less every year.
So for example, we talked about SolarWinds already. Supply chain attacks are obviously a thing that’s here now. And the supply chains of companies are getting more and more complex all the time. So how do you secure that if your resources are not growing?
Adriana: That’s a very tough question, right? I mean, the answer is that you need to have your resources growing. I don’t see another way around it, right? Although the move to cloud does enable to reduce some of the investment in infrastructure security. But I think with respect to resourcing, what’s interesting is that if the board becomes more engaged, then the attention comes from top to bottom, and then we’ll see that budgets will follow much better to what they actually need. So I think that there will be also an increase in resources, and that will be due to the attention from the top.
Mikko: SolarWind is interesting because that was a governmental attack. We believe it was the Russian intelligence targeting targets, mostly in US and UK governments, with this supply chain attack. But we’ve also seen supply chain attacks which have nothing to do with governmental attacks, or intelligence agencies, or spying, or intelligence gathering.
Most importantly, the Kaseya breach, which was REvil Russian ransomware gang. And the idea that ransomware gangs are now mature enough to exploit unknown zero-day vulnerabilities in software providers’ systems to use them as a supply chain attack to gain access to managed security service providers, clients’ systems, that’s a pretty advanced attack. And I think it’s a symptom of something deeper. It’s an illustration of the fact that these organized crime gangs, organized cyber crime gangs, are now becoming more and more powerful, more and more wealthy.
For example, in the Kaseya incident, we don’t know how REvil got the zero day in Kaseya’s network, but they could have perfectly bought it. They have the money, and zero days are buy-able from the dark net.
Absolutely. What do you guys think about software supply chain attacks? There’s legislation in the works in some jurisdictions where they’re talking about having a software bill of goods, like this is what goes into this software. Is that a realistic way to handle the risk in a world that’s all about DevOps, and things are changing all the time, and you’re putting things, taking things apart and putting them back together all the time? What can we do to secure the software supply chain?
Adriana: I think that you’re absolutely right. I mean, the digital world is highly interconnected. Software uses open source libraries, open source packages, whatever you want to call it, that is, every company uses bits and pieces of other creators. And this means that everything is interconnected. So understanding how to protect that is critical. And there is a lot of discussion around this, which is in 2021 is being a lot talked about shifting security left.
So this basically means that in the process of change in an organization, so software development, we’re looking to address security risks at the very onset of a project. So where do you identify risk? Where do you identify cyber risk? The earlier you do that, the better it is because it’s not only going to be cheaper for an organization, but it’s going to be easier to architect.
The challenge is that this is a fairly new way of thinking. Some people might say that it’s not the new anymore, but for a lot of organizations, shifting left is not something they are doing already. So if we want mass or the mass pop population of these organizations to adapt, that is a big effort. But I think we’re going into that direction because of the supply chain attacks, which are becoming a big concern.
Also in the past year, I think we’ve seen more integration of security with other parts of the business. It’s not that just the IT team anymore. Is this an encouraging sign for you guys?
Adriana: Yes, yes. Yes. We’re definitely seeing that. I mean, in the ideal world, we won’t have a security team. So we’ll have security that is part of the business, and part of… It’s like in the ideal world, we also don’t have an IT team because businesses are a software company, so that’s their core business and will have security integrated in that core business. But that’s very far to say, and we’re not there yet.
With the shift to the left, the business has to be more involved and security needs to get closer to the business to understand what are the real priorities? And we can’t just look at vulnerabilities in an isolated manner. That doesn’t work because it’s just too much. And how do you want organizations to fix hundreds of thousands of vulnerabilities, and not really being able to say why we need to fix them? Because it’s isolated, there’s just isolated instances of weaknesses in the systems.
So if you have a much closer dialogue with the business, we’re able to go towards something that we’re seeing already right now is making the case for attack paths, and using attack chains to describe why there is a risk to the organization instead of looking at isolated vulnerabilities.
So in order to have these attack paths, we need to be able to understand what the business does. And that’s where we are going to see that security is much more embedded in the business because it’s going to talk much more about the impact that an incident would have on the business.
Mikko: The way I like to think about it is that security is the enabler. That’s the part of the organization which enables the rest of the organization to work. And it’s almost never thought about like that. Typically, the security team and security experts, and the CISO are seen as part of the company which always says, “No.” That’s a very typical attitude towards security people, and that’s a completely wrong way around.
No company buys computers, or IT systems to run security software or IDSs or IPSs, or endpoint security, or filters. No, we buy computers, we use technology to make our work easier, to be more productive, to be more creative.
And security is the part of our organization which enables the rest of the company to be productive, to be creative. It’s just a part that we need to be there so we can do the thing we really want to do. That’s the way we should be thinking about it. And we almost never think about it like that.
Are you seeing that shift that businesses are starting to take attention of security? Or is that a real thing or is that a false start
Mikko: No, I do think it’s happening. Slowly but surely, companies are realizing that this is the model and this is how we should be building it. I think there’s a clear shift also towards a world where security is moving more and more away from the endpoint and towards the… I’m not just speaking about cloudification. I’m thinking about a world where the future is a Playstation.
Let me explain this. Yeah, I know it sounds a bit weird, but the future is a Playstation, or the future is an Xbox. An Xbox is a great example. Xbox is a computer which runs Windows. This is a fact. It’s a computer made by Microsoft. The operating system is Windows. So it is a computer, but it’s not like any other computer you have in your home, because it doesn’t really look like a computer. You don’t use it like a computer. You don’t, even if you’re a programmer, you can’t program this computer, even though you own it, even though it runs Windows.
And this is, I believe, the world that we are going towards. More and more of the computing devices we use aren’t really computers. They are more like terminals or consoles like your PlayStation or Xboxes. And we see this very well with, I don’t know, your iPad Pro, which is a very powerful computer, which you can use to do everything, but it’s actually really locked down just like your PlayStation or Xbox is locked down. Or a Chromebook, more and more companies are using these kind of systems for their employees to access the services they use because all the services they use are in the cloud.
All the services they use are in the web. And it’s so much easier to secure your networks if your end users can’t run EXE’s or can’t run binary applications at all. And I think this is the world we are headed in the long run. More and more of the systems we use will be cloud only. And end users will not be able to do the powerful things they have been able to do for couple of decades now.
So we are going back to the world where we were in the 1970s or ’80s, with dumped VT terminals and powerful servers, which then run the real thing. This from a security point of view had tons of benefits. And I think in the long run they will be coming back.
So the security comes from the fact that you don’t have enough rope to hang yourself with?
Mikko: Exactly. You can’t, even if you want to, even if you’re fooled into clicking on a binary, you can’t run it on your device because it doesn’t run binary. It’s so much harder trying to infect your iPhone than your Windows computer.
It’s a powerful image. So what other things happened in 2021 that affected businesses?
Mikko: So one thing which I think is important is the October outage of Facebook. And I don’t really mean that Facebook was down, and WhatsApp was down, and Instagram was down. We all know that. I think the really interesting thing about the outage was how did the rest of the net suffer from Facebook going down?
One of the largest single services going down for six and half hours on during a busy working week had a surprisingly large effect on the rest of the net. And the easiest way to explain why this happens is, is if you think about your WhatsApp running on your phone, there’s literally billions of phones on this planet running the WhatsApp app. All of those phones regularly queried that DNS, the Domain Name Service system, like, what’s the IP address for whatsapp.com?
And during those six hours, DNS servers answered error. There’s no address, which of course, means all these apps ask it again and again, and again. Billions of phones querying the DNS over and over for the IP address for WhatsApp. And of course, the same thing for Facebook and the Instagram. According to CloudFlare, the load on their DNS servers rocketed up by a 300-fold increase, and this slowed down the whole rest of the net. So basically, LinkedIn and Twitter were slower because Facebook was down.
Yeah, that’s a denial of service attack.
Mikko: Global denial of service, which, I mean, it’s not really unexpected, but it’s a different thing seeing it with your own eyes. It’s such a big, black hole on the net when Facebook disappears, that the whole rest of the net becomes slower. And in one way, this was a good lesson. I mean, the internet still worked. It might have been a bit slower, but it worked. For 50-year-old technology, that’s pretty impressive. But it also makes you wonder about just how big these services like Facebook and AWS are becoming as they start to affect the whole rest of the world, and the whole rest of the internet fabric as we use it.
Adriana: What are you actually concerned about with them becoming these, taking this monopolistic, the space of the internet?
Mikko: Yeah. Are they becoming too big to fail? I mean, in early 2000s there was a very serious discussion about splitting up Microsoft because they were becoming this massive monopoly, controlling everything. Microsoft is still huge, but it’s not the kind of monopoly it used to be. Now, I think the biggest monopolies are things like AWS and Amazon as an online platform altogether. And of course, Facebook and, well, the gorilla, Google. So it’s interesting to see if we will end up in serious discussions about splitting up these monopolies like we did 20 years ago. It could happen. It could happen in 2022.
How would you even do that? Facebook has been buying all these companies. Maybe you could kick those out, but how would you? Would you have Europe Facebook and North America Facebook? How would you even go about doing something like that?
Mikko: I don’t know, but I don’t like the idea that Facebook is now, or Meta is now trying to own this Metaverse. If we are going to have virtual worlds and start living more and more of our lives somewhere else than in the real world, I’d rather not live it in a world created by Facebook. So if we start splitting up Facebook, let’s start from there.
But could they even build – could any company out there even build something like that? Or is that going to have to be a collaborative effort anyway?
Mikko: I don’t know. What do you think, Andy?
Andy: I don’t know. I mean, just speaking about the outage while it was going on, people were making Twitter accounts for the first time because they couldn’t get on Facebook.
Mikko: Yeah. And Signal. Yeah.
Andy: Yeah. And actually, I’ve noticed a trend amongst people that I know that they’ve actually really started migrating off of Facebook. Several people I know are now on Twitter instead, and it they’re new on Twitter, but they’ve decided that they’ve had enough of Facebook. And some of the reasons that they state, there’s nobody on there anymore.
So maybe Facebook itself is imploding slowly. And it’s something that we wouldn’t have to worry about. Well, I mean, one would hope. Right?
Because I mean, one of the funniest quotes I saw with regards to this Metaverse and this virtual reality thing was having to deal with those trolls in a virtual reality space where you are actually playing an embodiment of yourself. But one of the things that I tweeted when this whole Meta thing was announced, when that ridiculous video came out, was that these people who make fake troll accounts aren’t going to be able to do that in a virtual reality environment. You can’t run multiple accounts in a virtual reality environment.
Mikko: Maybe that virtual reality, you can just punch them in their faces when they’re –
Andy: Yeah. I mean, I think if we’re going into a social media experience where you are an embodiment of yourself, you log in by putting the headset on, you can no longer do some of these things that people are doing on social networks, like creating multiple sockpuppets.
Oh no. I mean, we’ve seen botted virtual avatars in games like World of Warcraft and things like that. So that’s happened before. Second Life had that problem.
Mikko: Yeah. And when we think about this brave, new Metaverse world, it’s important to keep in mind that this is not just social networking, and not just entertainment or gaming. This is about working for real, 100% real work being done in virtual worlds. Many of the professions we work with can be done better in virtual environments when the technology is good enough.
And if you’ve had a chance to try some of these high-end headsets, like the ones built by Varjo and other similar vendors where the resolution is massive, and the reaction times to your head movements are completely undetectable, it’s easy to see that, for example my work, where I spent almost all of my time at a keyboard and looking at a screen, it would be much more productive for me to work inside a Metaverse because then I wouldn’t have restrictions of screen sizes or resolutions. Or if I would need another screen, I would just drag a new screen over there. And then I would have my workmates in different windows.
And if it would be comfortable enough and visually good enough, I could easily spend 18 hours a day in Metaverse. And it would be much more productive for me than working in the real world. So it could happen.
Adriana: Yeah. And as always, we’ve had fiction precede reality. So there’s a famous book that already talked about the Metaverse, which is something that was written in 2011 by Earnest Klein, which is called Ready Player One. So it’s quite a known book in the geek world because there’s a lot of references to ’80s and ’90s gaming. But here the protagonist, he lives in the Meta world and he not just lives there, he actually goes to university there and to school.
And I think that this book shows just how far this Meta world can become. And if we think about Facebook taking or Meta taking the step towards becoming the owner of that Meta world, it’s actually, yeah, it’s actually quite scary because they already have a lot of power. They already have a lot of data. And this sets them up with getting even more of it.
And not just for the generation that uses Facebook. And even if Facebook will get out of trend, the newer generation will most likely start using this Metaverse or this Meta world. And then they will keep on acquiring more data and more information about everybody else.
See, but that’s what I mean. In the book you’re referenced, Ready Player One, the Metaverse is people study there, they work there, they play games there. And Facebook’s Metaverse is not the only project out there. There’s other projects like that, that are developing. So do we think that any one company can realize that whole vision, or is it going to be a collaborative effort between different companies?
This company understands working remotely. This company understands how to build virtual skiffs for really secure conversations like how to really classify stuff. How do you do that online? This company understands what games require, and how to build those aspects of the Metaverse. Is it going to be a collaborative effort anyway?
Mikko: It’s not. It’s going to be competing companies with completely incompatible-
Winner take all?
Mikko: Well, we see the same revolution happening as we saw with social networks when the social networks started to become a thing. I guess Myspace was the really first, big web based social network. Then the idea that social networks are going to be a big thing and they could be a shared resource where different social networks interact, and you could post content and share it between different social networks.
That sounded like a thing – which never happened. You can’t post to Facebook, which would then show up on Twitter and people could reply on Twitter, and you would see it on your Facebook, or on LinkedIn, or on YouTube, or wherever. I mean, these are all silos. And I think this is the way companies prefer it. They don’t want to play ball together. They don’t want to share.
I think the same thing will happen in virtual environments. And I think Facebook wants to own this. And not just the virtual environment, also virtual currencies. That’s why they’re working with the project DM, which used to be known as project Libra. They want to have us living in a world owned by Facebook, using currency owned by Facebook.
Yeah. But you’re already talking about is Facebook too big and should it be split up? What about that day and age then? That Metaverse, are regulators going to step in and say, “No, you can’t own everything.”
Mikko: Well, God, I hope so, because they are the only ones which can do it. Today, we live in a world where individual consumers and customers have no power and no rights. I mean, whenever you start using a new website, or a new service, or a new app, you’re offered a choice, well, do you agree to our terms and conditions? And you cannot negotiate.
If you don’t agree with any single part of that, then your only choice is to stay out, which means there’s no negotiating whatsoever. The only negotiating part we consumers have is our leaders, our politicians, our regulators. And they really should be the ones paying attention. Right now, they might be paying attention to the revolution which started five years ago. I don’t think they’re paying attention to revolution which is happening right now, which would be these virtual environments and virtual worlds and Metaverse.
Andy: Somewhat related in terms of regulations is that at the end of last year, I predicted that there would be talk this year about Section 230. It’s part of the United States code, which generally provides immunity for website platforms with respect to third party content, according to Wikipedia.
But basically things that people post on social networks, the social networks themselves aren’t liable for them. And interestingly, both Biden and Trump wanted to change or repeal this Section 230, because Trump said that social networks were censoring conservatives too heavily. And Biden said, “Well, there’s all this disinformation and stuff going on. And we need to make social networks accountable for this stuff.”
But nothing really happened this year around that. And there’s of course been a lot of revelations this year about Facebook practices and social media practice in general about disinformation, and this and that. But nothing really happened in regards to Section 230, which it should have. Because if they want to start addressing the problems that exist on social networks, the problems that are causing riots because people don’t want to be vaccinated, or the insurrection at the Capitol on the 6th of January, all of this stuff was basically organized and fomented through social networks.
And despite all these big things happening, still, there’s not much talk about regulation there. And I think that’s a problem that needs to be addressed before we start talking about living in a Metaverse that’s being run by these same companies.
Can you imagine the amount of lobbying and outright bribery happening in that space?
Adriana: Yeah. Just to add to that, there is an oversight board that was launched by Facebook in order to have this type of…the situations where there’s misinformation or there’s people getting kicked out of Facebook – an oversight board that’s supposed to have some external impact on how Facebook can take these decisions. Because they wanted to externalize that decision making so that they would get the advice from that oversight board. That has been set up in 2020.
And I think there’s been cases where they’ve come to deadlock, where in the end there was no decision and where Facebook then was pushing out their decision to the oversight board. But then the oversight board said, “Well, Facebook needs to make that decision.” So it’s not really working there.
But I think that they’re making efforts to have better governance in terms of how, what is being controlled, and what can be said on these social media platforms, and who would be held accountable for misinformation campaigns. And what could follow from that. But it’s a young space and it’s a challenge.
Mikko: It’s now 15 years since the Time magazine selected in their annual person of the year selection, “you” as person of the year in 2006, when social networks were just becoming a thing and YouTube was brand new. We thought that this new world of social network is going to be utopia. Finally, everybody can get their words out and everybody can publish information and content and videos. It’s going to be great.
15 years later, we now, I think, have realized it isn’t great. It sucks because we created this new world where conspiracy theories thrive, and influence operations are going haywire, and elections are lost and won over these operations. Social networks, like the internet itself has a great upside and a great downside.
Mikko Hypponen, you’ve dubbed 2021 as the year of the cyber crime unicorn. Would you like to talk about that? What does that mean in terms of attacker capabilities?
Mikko: Yeah. I came up with the term, originally, five years ago. And five years ago, it felt like science fiction. I wondered if we really would see cyber crime gangs becoming so wealthy that we should be considering them to be unicorns. Unicorn here being a reference to technology startups were valued at over a billion US dollars.
Now, in 2021 it seems quite clear that cyber crime unicorns are real and they’re here today. They’re real because the money being made with ransomware with BEC scams and with denial of service blackmailing has been basically doubling every year for the last five years. And even more importantly, the valuations of cryptocurrencies have skyrocketed. And since cyber crime gangs like to keep their wealth in Bitcoin and other cryptocurrencies, they’ve enjoyed massive increase in the amount of money they control. And I guess the real question then is how do the attacks we see change when our enemy is massively wealthy?
How does the attack change when the enemy is massively wealthy?
Mikko: I think the organizations are becoming more and more like real world, traditional organized crime gangs. So they have real organizations. They hire people. They have an organizational structure. They run their operations professionally. We see things like cyber crime gangs running professional data centers, running professional support teams, working on their branding.
And I think this is interesting. You don’t really think about cyber crime gangs and branding, but clearly this is a thing. This is the reason why we know cyber crime gangs by name. That’s why they have names. That’s why they have websites. That’s why they give interviews. Especially, ransomware gangs need a reputation, reputation which is scary, like, oh my God, we’ve been hit by ransomware and holy hell, this is REvil.
We know these guys. We’ve heard of these guys. We’ve read about these guys. If we don’t pay, they will leak our files. But then again, we know that if we will pay, they won’t leak our files. So see, they need a reputation, which is scary, but also fair like honest criminals. But if you pay the fee, then they will give you your files back, and they won’t hack you again if they promise. And this is a business decision.
They want to do branding. They need a reputation. They need a name, they need a logo. And that’s what they all do. And we can estimate that this is going to go on. They will hire more professional people, more lawyers, more business analysts. Eventually, they will start competing with the scarce skills with legal companies.
And we’ve already seen this with, for example, the FIN7 gang hiring pen testers with fake companies portraying themselves to be legal, penetration testing organizations hiring people to do hacking into companies, making them believe that these company has ordered a pen test when they actually haven’t. Which then one day could lead into a situation where they start competing with the scarce pool of cybersecurity researchers and even machine learning experts.
Yeah. I can see that happening on the semi-legal, the front company side. But the dynamic with the organized crime gang brands is interesting because like you said, at one time you want that brand recognition, but at the same time, that brand recognition also gets you heat from law enforcement. And in some cases, we’ve seen even sort of military organizations stepping in and targeting these high profile organizations. So you want to be big enough to have that name, but not so big enough that you get drone strikes.
Mikko: Yeah. And that’s true. And I think some of these gangs have crossed the line, most importantly, DarkSide with their infamous Colonial pipeline attack, which was one of the biggest cases of 2021. When one of the largest infrastructure providers for energy gets hit by ransomware, it’s a big thing in the United States. And this is the reason why the US State Department has gone to the unprecedented length of offering $10 million for information leading to arrest of members of DarkSide, which is the same amount of money that the US State Department is offering for leaders of ISIS and Al Qaeda terrorist organizations.
So this is how seriously the US government is now taking ransomware. They are taking it as seriously as terrorism, and this is unprecedented and it’s about time.
It’s interesting. Do you guys think that reward is actually like an honest to God reward, or is it more like a price on your head to make you look over your shoulder and wonder about who you can trust?
Mikko: I think what they’re trying to do is to try to make these organizations break from the inside. I mean, it’s very corrosive for an organization when there’s a reward from the outside for members of that organization to rat each other out.
So members of the gang, maybe those who are not very happy about what they’re doing, or who don’t think they’ve been receiving big enough cut off the money they make, could easily start negotiating with US State Department for getting an immunity from persecution, and $10 million for ratting on their friends. And the whole organization starts to… Then they realize that this is a thing that it could start from the inside, which is great.
I mean, this is exactly what we want. We want two things. We want more arrests and sentences for the members of these cyber crime gangs. And maybe even more importantly, we want to show the potential new people entering these field, that cyber crime doesn’t pay. You will be hunted. You will be caught. You will be taking into jail just like for you do for real world crimes.
Adriana: But the challenge with that is that cyber crime is international. So the internet doesn’t really have boundaries like doing crime in a country, right? So we have issues with law enforcement collaborating across borders to handle cyber crime. And this is to the advantage of cyber criminals, because they are actually a step ahead, and they can use that to avoid being prosecuted. Because law enforcement and basically laws are not yet enabling as much as they should be enabling the appropriate prosecution.
So actually, this year is the 20th anniversary of the Budapest Convention against cyber crime. So what it means is that it’s been 20 years since there’s been an international treaty to fight against cyber. That’s not that long. And this year, what they’ve achieved is that they’re adding a new protocol to enable and to actually incentivize countries to publish evidence.
And this is a really good thing, because the challenge for law enforcement is that they need more data on what these criminals are doing and what is the impact. And so we have on one hand, this Budapest Convention, which is now enhancing that. But we’re seeing other types of regulations in the US and in the EU, such as DORA, which is being ratified and which will come and act next year, which stimulates the companies or the public entities to be more open about the impact of cyber crime.
And with that data, I think that we will see that we will understand it much better, because law enforcement has a challenge that first, international collaboration is very hard, but they don’t really understand as much as the attacker understands law enforcement. So we need to start understanding, as the defenders, much better what this means. And to be able to do that, we need to collaborate more together. And these new laws will also stimulate that collaboration.
Mikko: Progress is slow, but at least there is progress. And I’m old enough to remember the time before the Budapest convention. The time before that sucked, because basically we had these countries in the world, which had no legislation on cyber crime at all. Cyber crime, wasn’t a crime, which of course, meant that since internet has no borders, no laws, no geography, criminals were re-routing their operations through a dozen different countries, including couple countries where, what they were doing, wasn’t illegal. And that way it really hard for international law enforcement to do these operations.
At least we’ve been able to do that for now for 20 years. We don’t have global laws. I don’t think we ever will have global laws, but at least we have these conventions. And I do think we are progressing. And I think the year 2021 hasn’t just been a year of the cyber crime unicorn.
It’s also been the beginning of the cyber crime unicorn hunting season. Over the last couple of weeks, we’ve seen more or law enforcement action than in years, including in places which typically don’t do much, including Russia, mainland China, Ukraine, big operations in Poland, which was great. So I’m hopeful.
I think we are going to the right direction. And with these big rewards from US State Department, maybe from other countries as well, these organizations could become weaker, not stronger. And that’s what I’m hoping for.
What I’m thinking about is back in the wild west, the rewards gave rise to the profession of a bounty hunter. So I don’t know how much it costs to run a mercenary unit these days, but $10 million sounds like the kind of money you could hire a couple of big guys with you, and then go to Russia, and grab a guy, and put him in his trunk. And then drive him out of Russia, and hand him over to US officials somewhere.
Mikko: This sounds like a startup. Are you busy? Should we start something?
Now, one of the things that often come up is the topic of machine learning in attacks. And while we have an expert on the topic here, I wanted to talk about that a little bit. Andy, do you see that becoming more of a thing now that the operating environment for these criminals is becoming harder, but at the same time, their resources are getting better and better all the time? Are we now finding only going to start seeing machine learning in attacks more than before?
Andy: I think that if a cyber crime unicorn has a lot of resources, that they would be able to start doing things that companies or larger companies can do. One of those things, for instance, would be related to natural language generation models. So GPT-3, which is more than a year old, is still a very large model that most people don’t have access to.
But the methodology for creating and training this model is very well laid out in the paper. The data sets are available. And anyone with the resources to actually be able to recreate it could, but it costs millions to trade it.
So what could the criminals do with that?
Andy: A lot, actually. It can be used to generate convincing phishing emails. It can be used to generate massive amounts of convincing looking fake news articles. It can be used to interactively phish people, like in a chat bot style. It can be used to generate replies to tweets like trolling, or replies that are designed to push certain viewpoints or to sell people on things at scale as well. The only thing that’s preventing people from being able to do this is the lack of access to these large models. But if a criminal unicorn company could recreate that model, it’s possible to do this stuff.
Mikko: Yeah. And access to GPT-3 has been restricted. There’s been a very long waiting list, which they have just now eliminated. So it’s become more and more accessible to any technical people or any developers out there. There’s another interesting angle which has security implications with GPT-3 and OpenAI research and other big models like this. It might be that the most important security thing happened during 2021 is that GitHub launched the GitHub Copilot during 2021.
And for those of you who don’t use GitHub, Copilot is a auto completion engine, which will write routines for you in variety of programming languages. So basically you’re developing something and you’ve written part of a routine, and you can have GitHub co-pilot finish the routine for you. And more often than not, it does it pretty nicely, pretty, pretty well because it’s been trained with billions of lines of existing code in all possible languages.
So again, it’s a language model. In this case, it’s not a human language model, it’s a programming language model. So what’s the security implication? Well, that this is the first examples of programs programming by themselves in large scale. And when we get closer and closer to an environment where programs are not written by humans, but written by programs, these will make bugs if not extinct, they will at least make them more complex. Which means exploiting bucks to create vulnerabilities becomes harder and harder.
So in a future where all the code is written by programs, and all human programmers are unemployed, security will be better. It’s going to be harder to exploit vulnerable bugs in our code because there’s no bugs, or the bugs that we have are so Goddamn complex, we can’t figure them out.
We’ve long been very critical about software that’s compiled by copy pasting chunks of code from stack overflow. So is this somehow better now?
Mikko: It is somehow better. Yes, it is. It’s not just copy pasting. This is a complex language model, which just like human models, it is very, it’s very different from the tradition world of just copying old code and reusing it. It understands. It’s able to analyze what the code does, and it’ll optimize existing code.
And I guess the biggest scenario is scenarios where you take a language model, a code like this and let it improve itself. So you take a piece of program which can write programs, and you ask it to analyze its own code and rewrite it better. And then you repeat it at infinitum. And eventually, we are in a world where not a single human understands a single bit about what the hell this program is doing, because it’s been rewriting its own code for a billion loops or a billion loops.
So what we’re seeing with artificial intelligence creating an image that it looks like a cat, but it doesn’t look like a cat to us. So that’s what’s going to happen with the code that we’ll get code that somehow does what it’s supposed to do, but nobody on understands why or how?
Mikko: Yeah. And in one way, we are there already. If you go to any Google engineer and you show them a search result and ask them, “How did I get these results?” They won’t know. There’s no way to figure out why a particular Google search got these exact results because it’s been a black box teaching itself for 15 years. It’s a highly, deeply internally optimized system with this massive corpus of information, which we can’t decode anymore. So nobody understands how it works anymore.
Adriana: But Google is very unique in that sense, because it has so much data. So in order to get there, it will take a very long path. So I think that’s even if these cyber crime groups or legal cyber organizations have a lot of resources, I think we’re still far away from that highly intelligent system. And I think we need to also be careful with that, because there’s a lot of noise about AI being something that it isn’t. So that also applies to cyber security.
Mikko: Sure, sure. I agree. I agree. And I think these farfetched ideas about human programmers becoming unemployed, that’s in the far future. What’s in the near future is things like cyber crime gangs replacing the humans operating their malware campaigns with simple Python scripts operating their malware campaigns. If you look at a typical ransomware campaign, for example, it’s run by humans who send out the emails with the malicious links, and operate the websites where the links are turned into exploits, which then will download ransomware binaries.
This all being done by hand. Today, all of that could be done by a machine, which would just automatically detect when the emails are getting blocked or blacklisted, and then changed them automatically. And changed the links and create new websites, and change the vulnerabilities on the websites to avoid detection. And change the binary when it’s detected by endpoint protection.
This would change the speed of the attack, drastically. And this is why we can tell it’s not happening yet, because it’s not that fast. It’s clearly done by humans today. It could be done by machines in the very near future. So this is something which is not science fiction. This is something which could happen in the near future. Then in the long term future, we will maybe see world where programs will be able to program themselves, but that’s going to take a while. I hope I’m retired by then.
Andy: The programming language of the future is, or programming, is going to become prompt engineering. This is in relation to what you are talking about with machine learning based code completion, but also with using GPT-3 to get their desired outputs that you’re looking for. And it’s actually about knowing what inputs to give those models in order to get the right outputs.
So programming is going to no longer be perhaps about writing code, but about giving the right signals to a model to output the code that you want. The second point I wanted to make is regards to self-writing code, let’s say, or the generation of code through machine learning. And that’s something that was actually rather interesting development this year on that with AutoML-Zero, where basically it’s a system that evolves code. And it was able to evolve neural networks from a very primitive set of instructions that it could string together and evolve.
And I saw some other research actually using a similar technique to evolve algorithms that replicate existing behaviors in nature and things like that. So the idea of actually evolving or self writing code is starting to happen. And some of those notable developments that came this year.
Mikko: It’s exciting and scary.
Andy: Yeah. Actually, there was an article, it might still be trending on Twitter about the first robots that self reproduced.
Mikko: Exciting and scary.
Andy: Yeah. So all of this stuff is starting to happen.
Mikko: I think I’ve seen a movie about this.
Mikko: What I need is a robot, which would be able to clean my house and play Space Invaders. When can we get that?
Andy: Not for a long time.
Mikko: Not for a long time. That’s what I was afraid you would say.
That was our show for today, hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna, with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.