Profile Interview: Mikko Hyppönen

Written by

Few industry names carry quite as much weight as internationally renowned security expert Mikko Hyppönen. Don’t just take my word for that; he’s been selected among the 50 most important people on the web by PCWorld magazine, included in the Foreign Policy’s Top 100 Global Thinkers list and made worldwide news for tracking down and visiting the authors of the very first PC virus in history. To put it simply, if infosec celebrities exist, then Mikko is one.

It might therefore come as a bit of a surprise to some that, despite his fame, expertise and recognition, Mikko has served the same company, F-Secure, for the best part of 30 years. Having first walked through its doors in 1991, the firm back then was a small Finnish start-up called Data Fellows and Mikko was studying computer science at university. Fast forward 27 years and now he’s the chief research officer and F-Secure has more than 1000 employees with over 25 offices around the globe.

My Mother Was Right

As he sits down with me fresh off the speaking stage at an information security event in London, Mikko reflects on growing up in Helsinki and how his introduction to the world of computers came at a very early age.

“My mother was born in 1935, and she went to work with computers in 1966. I was born in 1969, and as a small boy, me and my brothers would play around with the computer punch cards and punch tape that our mother would bring home from work. So I was exposed to computers extraordinarily early.”

A few years passed and, shortly after getting his first home computer (the Commodore 64) in 1984, a teenage Mikko was writing and selling his own software products, mastering a proficiency in assembly language. He recalls a conversation with his mother then that shaped his life more than he could have imagined.

“My mother sat me down at the kitchen table when I was 16 and she said ‘Mikko, you should go and study telecommunications, telecommunications is the future!’ – so that’s what I did. My mother has since passed away, but I’m glad I had the chance to tell her that she made a pretty good call! That was years before smartphones, years before the web and apps…so I got lucky, and she gave me a good guiding for my career.”

However, that’s not to say that working in the computer industry was always Mikko’s intended profession.

“When I was a boy, I wanted to be a doctor, because I wanted to help people, but it turns out I can’t look at blood. You can’t be a doctor if you can’t look at blood, so I didn’t become a doctor, though I like to think I did become a ‘virus doctor’ (sort of),” he laughs.

“When I was a boy, I wanted to be a doctor, because I wanted to help people"

Employee No. Six

A virus doctor he may be, but how did his security career start, and how did he get to where he is today?

“When I was studying at the University of Helsinki I needed a place to work to support myself, and I got hired to this small start-up company as employee number six, and that’s the company where I still work today.”

Interestingly, Mikko’s first role had nothing to do with IT security, because at that time, Data Fellows mostly specialized in building customized databases.

“My first job was working on a database development project for a factory making porcelain cups and plates,” he says. He must have done a good job – the company was still using the same system he built until just a couple of years ago.

However, the one tie to security that Data Fellows did have back then was in training; teaching computer users how to back up systems, how to do encryption and how to deal with the ‘new’ problem of viruses, spreading in those days through floppy disks.

“As we were doing training and teaching people about this new problem, quite often we would be asked about solutions and if we could recommend a good anti-virus. Well, we couldn’t, because there were very few players in the industry then – so we saw a market opening.”

A market opportunity indeed, but making the jump from training provider to security software business would require some knowledge and expertise.

“When we started looking into malware and anti-virus technologies in 1992, we needed capabilities of reverse engineering viruses, and you need to be able to read assembly language to do that. The only guy in the company who had any knowledge of assembly was me, so it landed with me to spend my time collecting virus samples, figuring out how they worked and decompiling the code. Eventually I did nothing but that.”

As the company expanded, Mikko found himself managing larger and larger malware analysis teams within the organization, and it was during that time that he learnt where his strengths lie, and where they do not.

“I realized that my expertise is not in managing people and running big teams,” he says honestly. “I steered myself away from that and became more independent within the company. I love having a position where you have little official influence but tons of unofficial influence.”

As chief research officer, Mikko is perfectly situated to do just that, balancing his time between maintaining F-Secure’s internal threat assessment and travelling the world as a public speaker.

“I spend 50% of my time now doing keynotes and meetings, and it gets me to interesting places. If I was going from city to city and repeating the same talk over and over again like a parrot, I wouldn’t enjoy it, but we are in an industry that is constantly changing and there are always new things to speak about. I update my presentations every week, and that’s what keeps it interesting.”

Everyone’s a Fellow

It was in 1999 that Data Fellows became F-Secure, a rebrand that signified the beginning of the company’s substantial business transformation from relatively humble beginnings to the security all-rounder that it is today. However, the interesting thing about the organization, Mikko explains, is that it has never lost sight of its fundamental roots. For example, anyone who works for the company is not referred to as an employee or a colleague, they are all ‘fellows’ – a nice throwback to the organization’s heritage.

It’s at this point that I wonder whether there’s something unique about F-Secure that has kept Mikko at the company for so long – after all, almost three decades is quite a stint and it has been his only employer, if you disregard a summer job as a forklift driver many years ago.

“The culture at F-Secure is very good,” he says. “It’s becoming larger and larger as a company, but the culture has always been very warm and very inclusive. The best example of that is that I can easily list 20 people that are currently working for us that have at some stage left, and eventually returned home to us. If your company culture is so good that people who leave realize they actually didn’t want to leave and come back, that is very telling.”

Of course, Mikko’s loyalty to F-Secure has also been helped by its location, headquartered in Finland’s capital city, Helsinki.

“I like Finland, it’s a very good place to live. Just recently some international statistics were released that said Finland is the happiest country on earth – I’m not sure if I agree, although that’s probably me being very Finnish, as we always like to prove you wrong,” he says with a smile. “I haven’t ever felt like moving to work in other countries, and I have no regrets about that!”

Then there’s the pure love for the work he and F-Secure do: “it never gets boring in security – I’ve never had a boring day at work. Things are changing all the time and we have a very genuine enemy that’s always trying to figure out ways around the defenses that we build. I believe that we are doing work that matters. When I go to the office in the morning, I look around and I see some of the smartest people, not just in IT security, but in IT full stop. Some of the best minds choose to work in IT security when they could be doing anything, and that’s because when you work in security, it feels like you are making a difference, which feels good.”

“I haven’t ever felt like moving to work in other countries, and I have no regrets about that!”

The Summer of Stuxnet

Mikko’s painted me the perfect picture of his career journey so far: from inquisitive youngster to world-renowned security expert and public speaker, with a snapshot of how F-Secure has evolved along the way. So, what I want to know next is what he considers his proudest achievements since he became employee number six of Data Fellows back in 1991.

“The first that springs to mind is the summer of Stuxnet, in 2010,” he answers. Stuxnet is the notorious computer worm that targeted SCADA systems and was responsible for causing substantial damage to Iran’s nuclear program. “That was the most paranoid time in my life! When we found Stuxnet in June 2010 we didn’t know what we were facing – it was abnormally large, it had zero-day exploits in it and it was hiding in plain sight, quite different from other malware we were seeing.”

Mikko explains that summer was a rare example of the whole industry coming together as a collective to share information and decode the virus slowly but surely: “even the biggest competitors were working together to try and figure out what the hell it was!”

As time passed, it became clear that the Stuxnet program was far bigger than anything that came before it; it was a multi-million euro project beyond the means of cyber-criminals and could only realistically be attributed to a government.

“The joint effort taken by my team, and by other teams in our fellow companies, really stays with me,” adds Mikko. “It was huge work that was done over several weeks and months, and we still speak about time before Stuxnet, and time after it – that’s how big a deal it was.”

The Virus Wars

There was also the period of the early 2000s, which Mikko coins ‘The Virus War Years’. He tells me that this was a time when there was a huge upsurge in malware authors changing from hobbyists writing viruses for fun to large organized crime gangs writing viruses for money.

“Back then, we only had one lab, the Helsinki lab, which means that when an outbreak started at 3am, we had to work at 3am. The first few times that happened it was exciting – we’d get a phone call in the middle of the night and we’d go to ‘save the world’, and then we’d go back to sleep. When that started happening every week, then two times a week, or three times, it did get very tiring.

“I don’t remember much of the summer of 2003, because we were working ridiculous hours around the clock. We had a bed at the lab so people could take a nap! It was, in one way, a really fun and rewarding time, but also an exhausting and terrible time. I’m glad it’s not like that anymore, but then again I wouldn’t change that experience for anything. I’m glad I lived through it, and I’m glad I survived it.”

Back to the Brain

Mikko’s next fond memory is probably my favorite, and it all centers around a piece of malware called Brain. Brain was released in January 1986 and is considered the first computer virus for MS-DOS. In 2011, it was the 25-year anniversary of its release, and Mikko tells me of a time when he was asked what F-Secure could do to mark the occasion. After dismissing one or two ‘boring’ ideas to raise cybersecurity awareness, he had the notion of tracking down the two men who created Brain – after all, they had included their names and address in the code of the virus.

“So I packed my bags!” he says. His destination? Allama Iqbal Town, Lahore, Pakistan. “I flew to Doha, and then to Lahore, and I knocked on the door. Sure enough, the guys who opened it were Basit and Amjad, the brothers who created Brain, still living at the same address!”

Mikko recollects the “very interesting day of discussion” he had with Basit and Amjad, and how he even took his own original Brain-infected floppy disk and returned it ‘home’ to them.

“These guys really didn’t understand what they started in 1986,” he says. “They were programmers who had been working with IBM mainframe systems and when the new PC systems became commonplace they were horrified about their lack of security, and with good reason. They were trying to showcase how bad it was by writing a piece of code that would copy itself to every boot sector and spread around. When it did start spreading there was nothing they could do about it – eventually Brain went worldwide and infected computers in almost every country on the planet.”

Naturally the brothers, in their twenties at the time, became very fearful about the problem they had caused: no laws had been broken, but the first computer virus was born, and Mikko explains they took no pride in the fact that all of the thousands of malware cases since Brain are linked to that very first virus, and to them.

Perhaps the most remarkable part of this tale is its ending: Allama Iqbal Town, Lahore, Pakistan – the birthplace of the first computer virus in history – is the same place in which Basit and Amjad now run their own ISP, providing internet connectivity across the city. The company name is, inevitably, Brain Telecommunication.

Stories of Missed Opportunities

To say that Mikko has achieved a lot in his career would be quite the understatement, and whilst I could sit listening to him for hours, my time with him draws to a close. The one question I have left for him is what he hopes his future might have in store.

“One thing I do feel very passionate about is trying to prevent people from entering a life of online crime,” he answers. “I’ve tracked down countless online criminals over my years in the business; I’ve taken people to court, I’ve taken people to jail and I’ve met them face-to-face. The story I almost always hear from caught online criminals is one of missed opportunity, of people who had the skills but didn’t have anything productive to do with them.”

I don’t doubt Mikko’s passion on this subject, and he makes the very valid point that if you’re a programmer or a network expert living in London, you can get a job no problem. The same can’t be said for those living in the countryside of China, or Siberia, or the slums of São Paulo: for them it’s a very different story.

“Typically the easiest way for these people to make a living with their skills is to go into a life of crime, and that’s something we really should be doing better with, showing people productive ways of using their skills to avoid a life of cybercrime. That’s what I’d love to work with more and I want to do what I can to get young people to use their skills for good.”

So there you have it, a whistle-stop tour of the life and career of Mikko Hyppönen, a truly fascinating man with an equally captivating story. His mother certainly had it right all those years ago when she predicted that telecommunications would be the future, and Mikko has undoubtedly made a huge contribution to the world she envisaged. Mikko, it’s been a pleasure!

What’s hot on Infosecurity Magazine?