In his Black Hat Asia keynote, Mikko Hypponen explored implications of "the next arms race" and why cyber will present challenges never before seen in warfare.
BLACK HAT ASIA 2019 – Singapore –The nature of war has moved across land, sea, air, and space. Now we find ourselves in the cyber domain, where a new arms race will challenge defenders as adversaries adopt new tools, technologies, and techniques.
Mikko Hypponen, chief research officer at F-Secure, today took the stage at Black Hat Asia to discuss the implications of cyber warfare and how it will present challenges not seen before. The nuclear arms race, which he noted lasted about 60 years, is behind us. Today's conflicts unfold differently; as a result, we have different domains for different types of fighting.
"Technology has changed where wars are fought," Hypponen explained in an interview with Dark Reading. When the Internet was first built, he continued, geographical lines didn't seem to exist. It seemed a kind of borderless utopia where cross-country collaboration may be possible. Now, as we know, times have changed, andwars are now fought online.
Just as the domain of war has changed, so, too, have tools used in battle. We're no longer as worried about nuclear weapons as we were 20 years ago, Hypponen said. Nuclear weapons, only used twice in human history, are built on the power of deterrence. You know who has nuclear weapons and avoid conflict with them because of this power. The number of traditional weapons fighter jets, bombers, and aircraft carriers in each country can be learned via Google.
"We know exactly how many tanks the Russians have. We know exactly how many aircraft carriers the US has," Hypponen explained, pointing to a screenshot of this information found online.
Digital weapons are poor in creating deterrence because nobody knows who has which tools. They are effective, affordable, and deniable – a dangerous combination of traits. "There are very few weapons that have deniability," Hypponen emphasized. "Cyber weapons have that."
It's one of many qualities that make digital weapons particularly nefarious. Like guns and cannons of the past, cyber weapons also rot over time. The problem is, there's no way of knowing when their expiration dates will arrive. Offensive toolkits used in the military include exploits targeting vulnerabilities that security researchers are constantly hunting and patching.
Because they don't know how long their tools will be viable, militaries have no guarantee their investment in digital weapons will yield an ROI. This creates a scenario in which it's likely those attacks will end up being used so they can justify the cost of building them, Hypponen added.
Nation-States vs. Cybercriminals: Defensive Tactics
Today's government cyberattacks are predominantly for spying and espionage, and Hypponen noted the importance of distinguishing between spying and warfare. Most cybercriminals are after money. If a cybercriminal targets your organization, chances are they're not particularly interested in the business itself. They're looking for quick, easy cash.
Businesses don't need advanced defenses to keep cybercrime at bay, Hypponen explained. If someone is seeking money and their target makes it difficult or expensive, they'll move on to a victim with weaker defenses. "The Internet is a garden of low-handed fruit," Hypponen added.
Nation-states are different. They won't change their mindset or swap targets. They're following orders to break into a specific organization and steal data. They'll keep at it until they succeed.
There are ways of fighting back, he continued. When an attacker creates unique Trojans or backdoors, for example, you can use those to detect them by reputation. Hypponen also advises companies to avoid building defenses like a fortress. High walls won't prevent attackers from getting in – and the larger a network is, the more likely it will be breached.
Knowing your outside defenses will fail should change security experts' mindset. Instead of focusing on the perimeter, focus on what's inside the network. You're more likely to spot intruders early, which will help your ability to detect attacks and respond faster.
What Comes After Cyber?
"I believe we are in the very beginning of the cyber arms race," Hypponen said. Still, he added, "it's important to remember this isn't where it ends; there will be new domains." While it's hard to imagine what comes after cyber, mankind will never stop fighting. New conflicts will emerge.
Robotics and drones come to mind, he continued. Both already exist; however, ethics pose a challenge in development. We don't like the idea of machines deciding who is killed, Hypponen explained, but different forces are driving us to war in a world where machines will kill on their own. Artificial intelligence (AI) and machine learning, both modern buzzwords in cyberspace, have potential to drive this.
We still have to define what we mean by AI and machine learning, he continued. We also have to be very, very careful about where technology companies draw the line as they race to build genuine AI. This concerns Hypponen in the rush to AI development.
"When you're in a race, what you don't do is stop and look around and make sure you're doing everything carefully," he pointed out.
Hypponen said he anticipates we'll see machine learning in real-world cyberattacks as the barrier to entry lowers. Today, you have to be a computer science gradute to deploy a machine learning system. But in 10 years, or five years, these systems will be so easy to deploy that anyone could do it – and they will. The lack of skill protects us now; it won't protect us much longer.