Risto Siilasmaa is a pioneer in IT security and one of Detectify’s early investors. He is well-known for founding the Finnish IT security company F-Secure as well as his accomplishments as the chairman for Nokia, a company he turned around. We got the opportunity to pick his brain on hackers, AI security (a topic he actually went back to school to learn more about last summer) and how cyberpunk sparked his interest for security.
What made you interested in security in the first place?
My interest for security came from the science fiction world. Have you heard of William Gibson? He is the sci-fi writer who created the cyberpunk genre. In the worlds he wrote about, there were living programs, both good and bad, that fought against each other and humans lived somewhere in the middle.
When the first computer viruses appeared in 1986, I became intrigued. I started to write a book on data security and I think that was an excellent way of learning, to have a project you have to finish and by setting very high-quality criteria for the content. I then became a ”certified” expert on the topic, which led me to start consulting larger companies on their IT security, and I learnt from every client I met.
From the time you did consulting to now, what has changed in security?
Security has changed dramatically. Back then, it was mostly about physical security and access; if you protected the office building well, you were pretty safe. But then the PC came and changed everything, and then came laptops, smartphones, cloudification – and several times, everything was completely changed.
Gartner explained the security transformation like this: “The old type of security is a medieval castle, where you build thick walls around your office. Nowadays, the world we live in is more of an airport, where a lot of unknown people just whiz by. You have no way of knowing who they are and you can’t prevent them from being there. Your information is everywhere, in your pocket, suitcase, and in the cloud. You can’t protect it with thick walls anymore.”
The attackers have also changed completely. The first viruses were created by young boys (there was one female virus author over the first 8 years), who didn’t try to cause damage, or intentionally make money. The first malware to make money was the AIDS trojan that was delivered on a floppy disk and encrypted your hard drive and made you pay ransom, just like the modern ransomware we see today.
For a long time, security was about preventing things from happening. However, over the last few years, most companies have moved to a state of mind where they know that it is impossible to prevent bad things from happening – we have to make it as difficult as possible, but we can’t stop there. We have to assume that the bad guys will get in.
F-Secure does a lot of Red Teaming, and our success ratio is 100%. We have never failed a client that has given us the task to breach one of their systems, networks, CEO email, or data centers.
How have hackers changed over time?
The biggest change has been that the nation states have become very active, not only towards other governments, but also against companies. We are talking about attackers that have practically unlimited resources. Whatever the big ones do, the smaller ones will follow. What we see is only the beginning.
Also, organized crime is on the rise. Today we see very professional groups out there, that can also be hired by governments, even though they still do most business for themselves.
Ransomware is largely driven by one phenomenon – cryptocurrency. If we didn’t have cryptocurrency we wouldn’t see nearly as much ransomware. That technology has created a new subarea of cyber threats.
Any other trends that will impact security going forward?
AI and machine learning, not only on the defensive side, but also the offensive side. That’s a topic that really spurs one’s imagination.
What would be your #1 advice to information security managers and CISOs?
Let me instead give some advice to the CEO, or chairman of the company: Ask yourself whether you know which of your company’s systems a very knowledgeable attacker would target to cause maximum damage to you? If you don’t know what those systems are, then you need to find out. When you know the top 5 systems, order a red team attack against those (don’t believe your CIO or CISO when they say that your protection is excellent).
Order a red team attack, and don’t tell your CIO or CISO about it. Then wait for your CIO or CISO to come to you and say “we are under attack”, and hope that they will come to you and say that, otherwise they haven’t noticed anything. It starts with the management. Security is the CEO’s responsibility. If a security incident gets bad enough, the CEO will be the one to get fired since they were accountable.
The big companies’ biggest challenge is not their own environment, it’s their subcontractors and suppliers. The easiest way to hack into a company is often through a subcontractor or a supplier. I’m the chairman of Nokia and we have way over 20 000 suppliers. It’s an impossible task to keep track of everyone.
What is your view on automation and automated security tools?
Obviously, you should automate as much as you can, not only in security but overall. The reason machine learning is becoming so important for companies is that it allows you to automate routine tasks. You can scan your network address space for new hosts, which ports are open, what services are running etc.
You can scan your website, as one should, as Detectify believes everyone should. The more you can automate that, the more efficient you will be. Think about those thousands of suppliers that a company has, it’s impossible to keep up! There is too much data for a human being to analyze, it would be like looking for a needle in a haystack. You need to use automated systems that try to paint the picture of where the biggest vulnerabilities are.
How can people utilize the knowledge of white hat hackers?
The reason this hasn’t been widely used is of course that it is a novel thought for a company to ask someone to break into their systems. It has only become more prevalent once companies have made the mental shift to understanding that it’s not only about prevention anymore, it’s about detection How do we detect? And how do you test your ability to detect? You need to hire somebody to attack.
But what do you say to those that still don’t believe they are a target?
Some companies are not the original target, but let’s take the Petya example, a malware that Russia used on Ukraine. It was spread through a software that companies needed to install to be able to submit taxes in Ukraine. The Russian teams hacked into that software and pushed out an update that included Petya ransomware code that encrypted the hard drive of the file servers of all the companies that used that software. One company that had an office in Ukraine was Maersk. The damages for Maersk were in hundreds of millions – and they were never the target to begin with.
There are so many examples where companies were not the original target but have suffered badly because they didn’t detect that something odd is happening in their network.
You never know, things may change. And you can’t build up the technical and cultural routines of a security-savvy organization in a flash, you need to build it up over many, many years. The sooner you start, the sooner you will be there if things change and you are the target.
Do you think the GDPR will affect the security of companies in EU?
It will definitely have a big impact, and companies in general are not ready. GDPR will make it compulsory for companies to protect themselves against the kinds of attacks we have talked about.