Hi, hi, hi, hi! ...working with information security or computers, privacy, everything connected. I spent the pandemic time writing a book about the things I've learned. This book right here comes out in a week. And in this book I tried to think through the revolutions that we've been living through. Because that's what we're doing right now. We're living through a digital revolution.

With a revolution, the most important thing is to see what has happened when you are in that revolution. It is most important to see a revolution when you are far enough, like thinking about history from the future. The most important thing, that we are ... is that we are the first generation, so that in Finland ... which goes online ... in Finland ... and this planet for 100,000 years ... our field stayed, stayed online, and we are online systems ... we are completely after, we have completely gone after this ... when this field has gone ... and it is one field.

When big shifts happen, they bring great benefits and they also bring great new risks. The thing that I keep repeating in my book is that the internet is the best and the worst thing to happen during our time. The upsides are easy to see. I mean that's why we're all here. I think we all love the internet. I know I love the internet. It's the best thing ever. All this connectivity, all this possibility of making connections around the world, how geography no longer restricts us, how entertainment or connectivity or business can be done globally. Great, huge upsides. But with the upsides, we get the downsides. Completely new kinds of risks, completely new kinds of crime.

When the internet was young, parents were warning their children that don't go and believe everything you read on the internet.
Now, 25 years later, it seems obvious to me that it's the parents who should be much more careful about believing what they read on the internet, not the kids, the parents, because parents are the ones believing all these goddamn conspiracy theories and falling for every single influence operation thrown by any intelligence agency on the planet. The internet works great in distributing information, whether the information is right or wrong.

And of course we have the huge shift in crime. So I've been thinking about this shift through my career. I started working in a small Helsinki-based security startup in 1991. Back then, the viruses we were analyzing were almost trivial compared to what they are today, and the spreading mechanisms. Well, some of us still remember how viruses used to spread in the early 1990s. And now it feels laughable that malware, which requires people to carry it physically from one computer to another, could actually become a global problem. But these kinds of viruses did become a global problem in their time, in the early 1990s.

So crime before the internet was local, today crime is global. The internet has taken away geography in all the good things, but also in all the bad things at the same time. Before the internet, you had to worry about the criminals living in your city. Today you have to worry about the criminals in your city, but also you have to worry about the criminals wherever on the planet. There is no local anymore.

One great example of how the internet has changed the world for the better and for the worse is how the world of minorities has changed thanks to the internet. Before the internet, if you belonged to a minority, you were pretty alone. That's what minorities mean. You're different. And here I mean all kinds of minorities. Certainly people who belong to sexual minorities, but also let's say people who have rare hobbies.
Before the internet, if you had a rare hobby, you were probably the only person in your town who had that hobby. You knew no one who shared the hobby with you. Then the internet comes around and you realize that you're not alone. There are thousands of people like you. They are just not close to you, but you can now find them and reach out to them through the internet. And we people are social animals. We like to be around people like us. We like to share what we do. We like to get support from people like us. And that's great.

And then we have the downside, which is exactly the same phenomenon when it applies to destructive minorities. What do I mean by destructive minorities? Well, people who are planning school shootings, for example. That would be a destructive minority. And they will find exactly the same kind of support from their online communities as a person with a rare hobby would find from their support communities. People who are planning suicide or self harm or who are starving themselves. People who want to join a terrorist organization. People who are on the verge of radicalization. They will find destructive support from the internet. Just like people who need support for their productive good hobbies or because they belong to a minority. I mean, we can't take one side of the coin and leave out the other side. The internet is the best and the worst thing happening during our time.

And technology is not neutral. It's almost too easy for us to just keep repeating the fact that technology is just a tool. It can be used for good. It can be used for bad. Now, I agree and I don't. I both agree, but I also don't. Because there's plenty of examples of technologies that we have invented which are mostly used for bad things. Let's take an example. All right, cryptocurrencies. Let's pick a cryptocurrency. Let's say Monero, for example. Now, of course, Monero can be used to trade and to buy goods and to send money from one place to another.
Sure, absolutely can be used, but the vast majority of the use that I see in my profession is illegal and evil use. People buying and selling illegal things. The vast majority of the trade with some of the cryptocurrencies we see out there is being used for things like that.

And the thing about technological innovation is that once we've invented something, we cannot uninvent it. We cannot put the cat back in the bag. Once it's out, it's out. The way we can restrict the usage of innovations is by making them illegal. So once we invented uncrackable strong encryption and then realized that bad people can use uncrackable strong encryption, there's nothing we can do about it except to try to make it illegal, which won't work. Because us law-abiding citizens, we wouldn't then break the laws. But criminals, of course, are criminals because they break the laws. We cannot uninvent things.

So where are we headed? What's the future ahead of us? In my job, I've, for many years, tried to do the forecasting of the near future. What's going to happen in the next two years, four years? That's hard. It's almost always prone to failure. What's easy to do is to give a forecast of the long future. What's going to happen in 20 years, 30 years, 40 years? That's easy. That's actually really obvious. All we have to do is to look at the past and see where computing and technology used to be. Where are we today and where are we headed?

Computing, processing, bandwidth, storage has been getting better and better and bigger and faster for decades and cheaper. You look at the computers we had 20 years ago, 30 years ago. You look at the supercomputers we had 20 years ago and you're right now carrying a supercomputer in your pocket today. The processing power of your iPhone or Android device is faster than a Cray-2 supercomputer. And this runs on a goddamn battery. Think about that. 20 years and the supercomputer which took the whole room is now in everybody's pockets. Cray-2 cost millions.
These aren't cheap, but it's not millions. So with that, it's obvious where we're headed. We're headed towards a future where we very concretely and in practical terms will be embracing limitless computing. Everyone will have access to unlimited processing power, unlimited storage and unlimited bandwidth for free. Unlimited processing power, unlimited storage, unlimited bandwidth for free. Well, maybe not exactly free and maybe not exactly unlimited, but close enough. That's where we're headed. The way we can think about it is that you would be given the, I don't know, biggest possible AWS instance with unlimited storage and bandwidth and you would pay pennies per month. That's what I'm speaking about. That's where we're headed. That's pretty obvious, the direction where we're headed. When we will be there, nobody knows for sure, but in a couple of decades it's going to happen.

And that's a pretty powerful thing to think about. Because for us creators, designers, coders, it opens up a world with no limits. The question we can ask ourselves is what would you build if there would be no limits? What would you build if you would have access to limitless computing? What would you build if you didn't have to worry about costs or that it takes a lot of processing power or bandwidth, a lot of storage? What would you build? That's the future where we're going.

So what's the downside? Well, the downside is the better the internet is, the more connectivity we have, the more mandatory it becomes. Internet today and internet connectivity, it's not yet mandatory. It's really nice to have, but it's not mandatory. It's not mandatory for our society if the internet would go down here in this country in the Netherlands right now and stay down for a week. It would be very expensive, very painful, very nasty. But the society would survive.
Factories would recover, they would carry on functioning, planes would continue flying, trains would continue running, but eventually that will no longer be the case. And we know this because we have earlier examples of similar innovations which were so good that they then became mandatory.

Think about electricity. Electricity and electric grids were taken into use in most western countries around 150 years ago. Today electric grids are completely mandatory. If electricity would go down here in the Netherlands and stay down for a week, it wouldn't just be painful and expensive. People would start dying. Maybe not in a week, but if it would stay down longer, that's exactly what starts happening. Why? Because for 150 years we've been building our societies assuming that there will always be electricity. There will always be an electric grid which runs everything around us. And today everything we buy requires electricity. Everything we buy we either plug into the wall or recharge their batteries from the electric grid.

So eventually during our lifetimes connectivity will be as mandatory as electricity. Connectivity will be as mandatory as electricity. This is what's happening during our lifetimes. And it's the right choice. Even though it's a bit scary, it's still the right choice to make. Our great-grandfathers made the right choice when they embraced electricity. We are making the right choice by embracing connectivity. The other option is worse. We definitely should go towards the digital revolution and towards connectivity. Even though it will then become mandatory, just like electricity is already mandatory. But at least we should be aware that we are now making this call. You and me, we are making this decision for all future generations. It's happening right now.

And part of this revolution is the fact that all devices start to require connectivity. We speak about these smart devices. And yes, I am the father of the Hyppönen law. If it's smart, it's vulnerable.
The typical example I use for that is my watch. I have an old watch, 20 years old. It's mechanical, contains no chips, contains no connectivity. How do you hack my watch? Well, you don't. You just don't, because there's nothing to hack. Then you look at smart watches. Are they hackable? Well, of course they're hackable. They might be hard to hack, but they run code. They have connectivity and they run code. Of course they can be hacked. That's the pessimistic outcome of the Hyppönen law. When we add functionality and connectivity to everyday devices, they become vulnerable. And there's nothing we can stop. There's nothing we can do to stop that.

The reasons why everything is going online are way beyond our reach. Some devices go online to give us functionality. Some devices go online only to collect data. Because the vendors building these devices know that data is money and money is data. And the more they can collect data, the richer the companies will become. And this means that eventually every device will be online.

And that also means that we're increasing complexity. Complexity is the enemy of security. Complexity is the enemy of security. It's pretty obvious. The more code we have in our systems, the more protocols, the more we have room for bugs. And when we have bugs in connected systems, they become vulnerabilities. And if this is true, and it's true, then the solution should be really obvious, which is that we should be reducing complexity, which means every new version of every new app and application and operating system should be smaller and have less features, less code. And you know that that's not happening. Every new version of everything has more code, more features, more stuff. Nothing is becoming simpler.
I had a really eye-opening discussion with David Weston from Microsoft, and he gave me this startling figure that Windows, the operating system, is built from an internal GitHub instance that Microsoft runs, which has 5.7 million source files. Not lines, files. 5.7 million files of code to build Windows. I wonder if any of those files have any bugs. So when we add complexity, we are building systems which are becoming harder and harder to secure. And that's what the attackers are looking for.

And if we want to secure our systems, we have to understand who we are fighting. Today it's fairly easy to define. It's organized crime gangs and then it's nation states which do espionage and sabotage, even wage war online. Organized crime gangs target everyone. Governments target specific targets.

And around five years ago, I coined a new term around the biggest and the most powerful cyber crime gangs. I started speaking about cyber crime unicorns. Unicorn here is a reference to unicorn companies, privately owned technology companies which are valued at over a billion US dollars. It's a typical definition of a unicorn company. And I started wondering if we one day would see cyber crime gangs which are so wealthy that we should be considering them to be unicorns. Five years ago this wasn't obvious. Today, unfortunately, the age of the cyber crime unicorn is here. Cyber crime unicorns exist. They are real. Most of them are Russian organized cyber crime gangs making most of their money with ransomware. But we also have unicorns specializing in things like BEC, business email compromise, also known as CEO scams.

So the wealthiest organized cyber crime gangs, they would be companies. They have offices, they pay monthly salaries, they have hundreds of people on their payroll, hire lawyers, hire business analysts, they have HR teams just like real world traditional organized crime gangs like mafias and triads. So where else are they spending their money? Well, let me show this to you.
This is a website for one of our competitors, a company specializing in penetration testing. What makes them or sets them apart is that they pay three times higher salaries than the industry average. They hire pen testers for fully remote and really competitive salaries. What's the trick? Well, the trick is that this is not a company, this is a crime gang operating from Russia. They've set up fake front end companies to make it look like a trustworthy security company so they can hire security professionals to work for them. They hire these people, enroll them into the company, then point them at the client. Here's a client who has ordered a pen test, please scan their network, break in and write a report about the vulnerabilities. Please leave the report once you're ready, go. And then these pen testers break into companies which have not ordered pen tests at all and they end up working for the enemy. They end up working for the enemy. This is the kind of trick crime gangs can start doing when the money is no longer an object.

So is the situation getting worse? Well, actually, no. I think it's getting better. Mikko, what do you mean? I think we're living right now in a time where security is better than ever and I know it doesn't look like that. But I'm confident that is the situation. You look at the security of the computers we run today or the mobile phones we have today. You look at what we had 10 years ago. It's like night and day. We have been able to improve the built-in security of our devices and the operating systems and the apps.

One of the biggest revolutions has been what I call security by PlayStation and I know it's an Xbox, but excuse me. Interestingly, Xbox runs the most secure version of Windows ever released by Microsoft because Xbox runs Windows, but it's a very limited, very secure version of Windows, which is kind of weird. The biggest software company on the planet puts their most secure operating system in a games console.
Isn't that a bit weird? But that is the situation. The end result is that you never hear about malware on Xboxes or on PlayStation or hacks or things like that. It's just not a thing. Why is that relevant? Because these are PlayStations. It's exactly the same model. Restrictive environments, which are not real computers. They look like computers. They have processors and things like that, but you're not allowed to program them. But as an end result, they are much more secure.

So how can I say that mobile phones are secure when we've just seen the headlines through this last year about things like Pegasus being used to hack iPhones and Android devices? Well, this is a success story. This is not a failure. This is a success story. Because the price of Pegasus per victim is 100,000 euros. Pegasus is used by governments to spy on people they're interested in. They buy the product from a company which only sells to governments and the rough price per head is 100,000 euros. Someone paid 100,000 euros for the right to hack the iPhone belonging to the Spanish prime minister. That's a success. If you have to spend 100,000 euros to hack a phone, that's a pretty high bar. That means that most of us are safe. Most of us will never be targeted by someone who would have to spend 100,000 euros to hack our phones. You have to be someone special to be targeted by this. Security by PlayStation works. It does work. This is a success story. That's what it is.

I used to call myself a computer security researcher or computer security expert. Because that's what I thought I was doing. I secure computers. Well, I don't secure computers anymore. Neither do you. Society around us runs on computers. We, me and you, we are not securing computers. We are securing the whole society. And when we do this, the successes in our business are invisible. For years I've been speaking about cybersecurity Tetris. Because in the game of Tetris, your successes disappear.
When you make a whole line, it disappears. Your successes disappear, but your failures pile up. That's what we see in cybersecurity as well. When we succeed, it only means that nothing happens. When we succeed, it only means that nothing happens. And the fact that nothing happened will never make the headlines. When we fail, everybody sees that. When we fail in securing our systems, when we fail in securing our employers' systems or our clients' systems, that's when we see the headlines of yet another data leak, yet another data breach, yet another malware outbreak. Failures are very visible, successes are invisible. That's what I mean by cybersecurity Tetris.

And I hear the stories, the success stories regularly, stories of the IT team, which worked through the night to patch all the servers against the new vulnerability. And they were able to finish patching early in the morning, just an hour before their network was scanned by an outsider who was looking for the vulnerability. They saved the company, but no one knows. No one will ever know. Successes are invisible. And rarely is anyone thanked for stopping a disaster which didn't happen. Rarely is anyone thanked for stopping a disaster that didn't happen.

Thank you. Thank you very much.