Mikko Hyppönen: WithSecure will bring focus on ML to counter cybercrime

As cybersecurity vendor F-Secure today announced the new name for its corporate security division, now known as WithSecure, the company’s longtime chief research officer Mikko Hyppönen said that machine learning (ML) capabilities will be an increasing focus as it seeks to acquire more business customers.

In particular, ML will be needed to help counter the inevitable adoption of ML by cybercriminals for automating cyberattacks, such as ransomware attacks, Hyppönen said in an interview with VentureBeat.

Hyppönen said he predicts that cybercrime organizations such as ransomware gangs will begin to utilize ML in this way within the next 12 to 24 months.

Currently, for cyber defenders, “our reaction is automated. Whenever there’s a change from the enemy’s side, our systems detect that and adjust very quickly because that’s ML/AI,” Hyppönen said. “So if it’s a game of ping pong, there’s a ‘ping’ coming from their side, and our ‘pong’ goes back immediately. But when they change to automation, then their reaction will also be immediate.”

And when that happens, “it changes into this massively escalating race — where both sides are automatically reacting to what the other side is doing. That is not at all what we’re seeing today,” he said.

Instead, today, “we have a fast reaction. They have a slow reaction,” Hyppönen said. “So it’s going to be really obvious when this happens. And it hasn’t happened yet. And I do believe it’s going to happen in the near future.”

The F-Secure consumer security business plans to split off from WithSecure by the end of June. And once WithSecure is operating independently, AI/ML is an area where “we believe the technology we have on the WithSecure side will shine — because we’ve automated so much of our response capability,” Hyppönen said.

Greater focus

Originally founded in 1988 under the name Data Fellows, Hyppönen has been with the company since 1991. The Helsinki-based company was renamed F-Secure in 1999.

Now, it’s begun the process of separating into two publicly traded companies. The consumer security side will retain the F-Secure name since it’s well known as a consumer brand, especially in Europe, Hyppönen said. It will begin trading on the Nasdaq Helsinki stock exchange starting July 1.

The move will give greater focus to each side of the company — in particular to the faster-growing corporate security business, said Hyppönen, whose title at WithSecure will continue to be chief research officer. WithSecure will retain 1,400 employees, and the other 300 employees will be part of the F-Secure consumer security company.

The business now known as WithSecure provides security consulting services, managed detection and response (MDR), endpoint detection and response (EDR), incident response (IR) and other cybersecurity offerings for businesses.

“As we’ve been expanding into consulting and into the MDR business and EDR business, with larger and larger companies, the same brand that worked really well for home users and small companies, wasn’t working that well for large companies,” Hyppönen said. “It required a lot of explanation — ‘Yes, it is the same company. But we actually have all this expertise in world-class, enterprise-level security and consulting and incident response.’”

The business-to-business side has been “growing very rapidly, but we’re also investing very heavily — which means it’s not very profitable at the moment,” he said.

‘Trustworthy partner’

In part, WithSecure aims to stand out in the cybersecurity space in part through its long track record.

“In many ways, the security business is about trust. And I’d like to think we’ve proven, over the last 34 years, that we are a trustworthy partner,” Hyppönen said.

WithSecure will also distinguish itself through its long-running focus on AI/ML for security. F-Secure started in the area of ML-powered security back in 2005, Hyppönen said, which is “quite remarkable.”

That experience in ML will prove critical, in terms of what’s coming next from the cybercrime threat, he said.

“We’ve been waiting all these years for our enemy to catch up — for the malware creators and online criminals to catch up and start to use machine learning in their attacks,” Hyppönen said.

His forecast — that this will begin to happen in the next 12 to 24 months — is based in part on new information that has recently come out about the amount of money that some ransomware gangs have managed to accumulate. Chainalysis has identified more than $602 million in ransomware payments made in 2021 alone (though it said this is likely a significant underestimate). Ransomware gang Conti led the way with at least $180 million, followed by DarkSide, the group behind the Colonial Pipeline ransomware attack.

Competing for talent

“They certainly are now rich enough that they can start to compete for the same [ML] skillset as real companies do,” Hyppönen said. “The biggest barrier for entry for doing machine learning and AI in large scale — whether it’s for criminal purposes or legal purposes — is to find the skills, find the people.”

The problem that cyber criminals have been having is that if a professional knows how to program ML systems — “if they understand how TensorFlow works” — they don’t have to go into a life of crime, he said.

On the other hand, “some people will always go to the dark side if it’s tempting enough financially,” Hyppönen said. “And now, where these gangs are making tens of millions, hundreds of millions of dollars — I think they can start to compete with legal businesses in finding the skills they need and expanding into that world.”

That development could potentially accelerate the worsening ransomware threat even further. According to SonicWall, the total number of ransomware attacks more than doubled in 2021 — jumping 105% during the year compared to 2020.

Good AI vs. bad AI

While some phishing attacks have used AI/ML already — for instance, in order to produce a deepfake of a CEO to trick employees — for the most part, cyberattacks such as phishing and ransomware attacks are still operated by humans, Hyppönen said.

This is evident from numerous indicators, including the fact that reaction time by cybercriminals is not automatic right now, he said. For instance, “when we add new filters, it takes a while for them to detect that.”

ML, however, could “automatically change the URLs, wrap the exploit into a different wrapper, recombine the binary — even reprogram the ransomware to evade detection,” Hyppönen said. “All of that could already today be done with automation. It simply isn’t done yet.”

And that’s where WithSecure comes in, with its automated systems in MDR and other solution areas, for protecting business customers, he said.

“When we cross the threshold into ‘bad AI,’ really the only thing that will be able to protect you will be good AI,” Hyppönen said.