Mikko Hypponen's 20 years of cyber crime fighting

In September 1986, brothers Amjad and Basit Farooq Alvi sat in a small office in Lahore, Pakistan, finalising the first MS DOS virus. Ten thousand kilometres away Mikko Hypponen was driving a forklift.

It would take twenty five years for the three to meet. The brothers maintained their technology careers, but it was Hypponen who five years later made the curious jump resigning from a comfortable job careening around warehouse floors to begin crafting databases on Commodore 64 and later, to chase cyber criminals around the world.

He was the sixth employee at Data Fellows, and maintained his seat as the company quickly diverged into information security.

In 1999 it became F-Secure, one of the most recognisable anti-virus companies in the world.

Mikko analysing the Omega virus

Hypponen, now Chief Technology Officer, today celebrated twenty years at the company, making him its longest-serving employee.

He says his mother was to blame for his initial interest in technology that is now almost an obsession.

“My mother worked with computers in 1968 and she retired from the industry five years ago,” Hypponen says. “She would bring home punch cards for me and my brothers to play with. Computers were always around the house.”

The one-time tradie is now a self-confessed geek, and loves the industry which he all but fell into.

The career bridge between coding and security came on 13 September 1991 when his colleagues sent him a virus sample.

“Some of the guys got this virus, they were all around 440 bytes long, and gave it to me because I knew Commodore Assembly. It was the first virus I ever analysed. I named it Omega.”

Hypponen has many cyber crime scalps to his name. Most notable was the SoBig.F worm which infected millions of Windows machines in August 2003. He lead his team on a sophisticated take down of the malware network that same year.

He also was the first to warn the world of the Sasser worm which in 2004 would ground a US airliner, force the closure of a bank in his homeland, and infect untold masses of corporate networks.

But many of the primordial viruses were toys: Artistic prank experiments played out as kids mastered faster and more capable computers. Malware soon became a booming cash cow for organised criminals, sending revenues of the anti-virus industry soaring as victims sought protection.

F-Secure, Sophos and McAfee Associates, among the world’s first anti-virus companies, were later joined by giants Symantec, Trend Micro and Kaspersky.

But anti-malware companies were losing the fight. Malware was created much faster than it could be destroyed, and it was evading traditional detection techniques.

Hypponen remains pragmatic.

“Anti-virus is a bandaid because it doesn’t make the problem smaller,” he says. “You need to show the criminals that they can get caught, will get caught and if they do, they will go to jail. This is the only way to safeguard people.”

Protecting users and catching criminals is Hypponen’s maxim. He analyses malware code and works closely with police to hunt cyber criminals, publishing some of his work on the F-Secure blog.

His offensive drive to crack crime contrasts sharply with the bulk of the security industry which hunkers down into a tight defensive ball in efforts not to be attacked.

But he does not want to be a cop.

“Their hands are tied in ways that those in the private industry are not.” He acknowledges with a grunt that this refers to limitations when operating in the criminal underbelly of the web.

As he pulls up to collect his children from school, talk swings back to his drive to protect the future users of the internet.

“If we don’t try to fight this online crime, we risk losing those things we take for granted."

It was also critical to help the young and talented coders rich in skill but poor in opportunity to prevent a new generation entering the lucrative cyber crime business.

The future of information security and the safety of the internet is uncertain, and Hypponen ponders how security professionals would survive in a world prophesied to be dominated by cyber war and taciturn nation-state surveillance.

"In security, things are changing. It is easy to make money by defending against criminals, but in this  cyber war, what do we do if the American Government or the [Finnish] Government write viruses? Should we combat it? I think this situation will happen."

He pauses. "There is never a boring day in security."

Copyright © SC Magazine, Australia