I’m Baljit Singh, and today we’ve got a special guest who will be present at the ASEAN 5G and OT Security Summit to speak about his exploits, his history, as well as what we have in store for the future.
So, I have with me Harri Hursti, a renowned Finnish cybersecurity expert, data security pioneer, and internet visionary, founder of various election security labs and organizations.
He has become internationally recognized for his work in exposing vulnerabilities in electronic voting systems and has been a vocal advocate for digital trust, transparency, and responsible use of technology in the democratic process.
Harri gained attention for the “Hursti Hack” – a demonstration that showed how voting results on electronic voting machines can be manipulated. This was part of a series of tests organized by the non-profit Black Box Voting and featured in the HBO documentaries “Hacking Democracy” and “Kill Chain: The Cyber War on America’s Elections.”
Welcome, Harri.
For those who are unfamiliar, could you briefly introduce yourself and give us some background?
So, my name is Harri Hursti and I’m a lifelong hacker and security researcher. Basically, this is the only thing I have ever done. I’m really loving it.
For me, if brute force doesn’t work, you’re just not using enough of it. So, I’m always trying to find new ways to break things — break things in order to make them better. As a hacker, the way I look at this is: I break it to see where the weak point, where the vulnerability is, just to make it more secure, more transparent, and more trustworthy.
I actually got into elections by accident. I wasn’t interested in elections. I had basically sold my business, decided to retire, and then I got a call and was asked, “Would you like to take a look into these working systems?” What they told me was so unbelievably insecure and bad, I couldn’t believe it. So I declined for half a year. And then eventually they talked me over.
And what I have seen across the world, in a number of countries, how the election software and election systems work — if somebody tried to convince me today about everything I have seen myself, I wouldn’t believe it.
So, everywhere else in critical infrastructure, we have rules and regulations and carefully constructed software. But somehow, in elections, in a number of countries, everything is 30 years in the past.
Really, that’s very surprising. So, do you have anything to say about the level of vulnerabilities that you saw or what were the root causes of what you saw? Was it human-related or process-related?
It was just really bad.
When the 2000 election happened and the world was holding its breath—Al Gore versus Bush—and they were hanging short, and recounts went over and over again, it was embarrassing.
And then America did what America does. They threw a lot of money into the problem. Over three billion dollars, to be exact. And there was a new law called the Help America Vote Act 2002. That created a lot of money but no security requirements.
So, everybody went and bought systems which were designed in a bygone era. These systems were designed when cyber war was science fiction, bad science fiction. So these systems, because there were no security standards, there was no regulation, you ended up with systems which had no security consideration.
And a lot of that security is just talk and marketing, unfortunately. There was no malice. But it’s just that you cannot have unregulated privatized elections.
Interesting. So why should Malaysia and ASEAN decision makers be concerned about cybersecurity now more than ever?
Well, first of all, there is no alternative to going towards a more digital society. But as we’re becoming more digital—for example, cashless—it’s very good for fighting fraud, but very bad for the resilience of society.
You can take payment systems down, you can take clearing systems down. And especially now with the Ukraine war, we have seen an increasing amount of unknown reasons for blackouts or hacking. Power grids going down, telecom grids going down, all of that. So we have to prepare society and systems for these blackouts because they are an eventuality.
Trust is very important. If the population loses trust in society, you get civil unrest. In worst cases, you get revolutions. So you have to preserve the trust. Trust has to be earned, and that’s why you have to have transparency.
You have to explain how the systems work. You have to explain to the population what happens when you have exceptions, when you have blackouts.
At the same time, the previous paradigm was ‘Trust but Verify’. Right now, we have to go to Zero Trust – where trust is earned by not trusting. So instead of ‘Trust but Verify’, now it’s ‘Never Trust and Always Verify’.
The next question leads on to what you just mentioned. The biggest cybersecurity threats facing organizations in this region, is that something that you’re aware of? Where do you see digital bridging into politics, bridging into investments into countries, and how does it mature with a better security posture? Does that equate to having better appeal to investors and to other countries?
So, the ASEAN region, because it’s a fast-growing digital economic area, has been targeted by cyber criminals. Certain nations in the ASEAN region have even more trust—people have higher trust in their society than others, which is very fertile ground for scammers.
So ransomware scamming is on a sharp increase. I believe the Q4 increase of ransomware attacks in Malaysia was give or take 78–80%.
That is a humongous number, but it’s just an eventuality. You have to prepare for that.
So resilience is the key. Training is key. You have to both educate your employees and the general population to be vigilant, because the price of freedom is eternal vigilance. You have to do that.
Now, there’s a very interesting twist in cybersecurity: information technology versus operational technology.
When your IT system in a company is hacked—public trade company or whatnot—the cost is money and reputation. So you are losing money.
When operational technology goes down, it’s loss of life, loss of environment as pollution, loss of property. And additionally—for good measure—also loss of money and reputation.
When operational technology goes down, unfortunately the damage is very hard to reverse. You don’t resurrect dead people.
Now, there’s the other part of this: operational technology has a lifespan of decades, instead of an IT system which you can upgrade.
OT systems are very often installed in hard-to-reach places: in submarine cables, oil pipelines, places where you cannot do software upgrades. And some of these old systems don’t even have upgrade capability. Once it’s installed, it’s there. So you have a completely different lifespan between those two systems.
And today, cyber war is here, it’s real. Cyber criminals are here, they are real. Nation-state attackers using cyber, it’s real.
We have to have a new paradigm, new thinking, on how we protect our operational technology. Because operational technology is running our society, that’s running our critical infrastructure, that’s keeping the lights on, that’s keeping the internet on, that’s keeping the hospitals running and oil flowing.
So we have to have new thinking, a new paradigm.
I often get the excuse that operational technology networks are air-gapped, that they are separate. Do you think that’s a myth?
We have been talking about paperless offices. Paperless toilet is more reality than paperless office. The same way, it’s a myth to say that some systems are air-gapped.
We saw in Iran the Stuxnet virus that jumped conveniently over the air gap by using USB sticks.
Today, every single thing is connected to the internet, either directly or indirectly.
Back in the day when viruses started—computer viruses—there was no internet. It was called sneakernet, humans carrying floppy drives. Today, it’s humans carrying USB sticks, humans plugging their mobile phone in to charge from somewhere they shouldn’t. So eventually, everything is connected to the internet.
Or even when it’s not connected any other way, the data which you put into a USB stick went through the internet before it was put into this disk.
So we have to understand that while air-gapping is absolutely good, you cannot believe that it is actually fully air-gapped.
That’s why you have to use the zero trust principles. You don’t have a perimeter—you defend. You have to defend your crown jewels.
Instead of having a firewall and believing an air gap, believing the bad things stay on the other side of the air gap, you have to think, well, what if it still gets in? How do I defend inside of this walled garden of mine? How do I make sure that my crown jewels are protected?
Crown jewels can be files, they can be payloads, they can be processes—it’s whatever is the critical part of your business process, whatever is the critical part of keeping the lights on, that’s your crown jewel.
What role does AI play in both advancing and hastening cybersecurity? We see a lot of traction now with AI – AI making things faster, AI replacing people’s jobs. But in the world of cybersecurity, AI can be used for good, AI can be used for bad. Where do you think that distinction lies currently? And how can we actually thwart very intelligent types of attacks coming in? Because I know a lot of organizations are not prepared for it, but maybe your thoughts.
AI is here to stay, and we are using AI without even knowing it. A lot of systems we are using today have an AI backend. We don’t even realize it. There are a lot of headless systems, which are not visible to the end people, end users, and which drive AI.
But AI is not a two-edged sword, it’s a three-edged sword, because the AI itself is a vulnerability surface. It has its own vulnerabilities. Today, AI is the attacker’s advantage. It’s because AI is used in, first of all, intelligent phishing, intelligent ransomware, intelligent supporting the human threat actors.
But the real monster in the room is autonomous malware. Today, when you have a botnet, you have ransomware, the number one way of both finding it and taking it down is to take down the C&C or C2 Command Control System.
Once you take those servers down, the malware doesn’t know how to operate.
Autonomous AI doesn’t have that. It doesn’t call home all the time for instructions. Instead, it is navigating the system.
It’s penetrating itself. It’s avoiding detection. If it sees the defender is moving, it can go dormant for weeks and then wake again when it can proceed.
It will choose the right target. It will try to find the crown jewels and only strike when it has the crown jewels in its reach.
So would it be safe to call it one army on steroids?
In a sense, yes, because the new kind of malware we are also seeing is autonomous teams of agentic malware, AI malware, a team of multiple AI threat actors who are team-working together to carry out the attack.
This is really something we have started seeing out in the wild in the last six months and even more scary because it knows how to distract, it knows how to spread, it knows ways to simultaneously attack multiple systems in parallel, confusing the defenders.
So the teams of agentic malware, AI malware, that’s the new frontier in this area.
So in a way, the moment you said that, it made me picture a pack of wolves hunting.
Correct, that’s very similar. You have a pack of wolves. Each wolf is a scary beast of its own, but the pack of wolves have decided that hunting together is better than hunting alone. And still, the isolated wolf is dangerous too. This really is the cutting edge on that side.
But also, we have to remember that the AI itself is a target. It’s a new attack surface, a new attack vector.
You can go and poison the training material of AI. There are certain nation states which are creating tens and tens of thousands of websites, masquerading as real news websites in order to put their political ideas into the training material. We have already seen this, and certain nation states are polluting the global large language models (LLMs).
But the other part is signal models — signal models which are guarding our power grid, guarding our hospitals. If you pollute those models and make certain triggers give completely wrong answers…
So AI itself needs to be guarded, AI itself needs to be protected, and AI itself needs to be analyzed. We really have three edges: we have the attacker’s edge, the defender’s edge, and the edge in the middle.
So trust is very important and trust needs to be earned. The international paradigm shift in everything IT and OT is shifting towards zero trust. How you are always verifying that the system is doing what it’s supposed to do. That’s very important.
The second part is a little bit of criticism to certain societies.
You have to practice. This is the same as in the military, same as the firefighters, same as emergency services, ambulance drivers. You have to practice. You have to do the drill.
In certain cultures, people want to do the drill, but they want to feel good about it. So the drill has to be always ending up to happy faces with its success.
That’s not the real world. You have to practice for failure. You have to practice what happens when you don’t succeed and how you recover. So practice, practice, practice, but don’t practice for having a good feeling of it. Practice for thinking about the unthinkable. Practice what happens when unexpectedly things go wrong and your plan didn’t work and all of a sudden you are in deep trouble.
And sometimes the outcome of the exercise was, oh, we lost. Then the question is for the next time, let’s have, let’s learn from this bloodbath. Let’s learn from the sorrow and figure out how in the next exercise we can have processes, procedures, methods which will lead to victory.
So practice is not about having a good feeling – everybody lived to see another day.
Practice to see, oh, this time we couldn’t figure it out. Now we have to figure out a new way, new approach so that this “Thank God not real failure” will never become a real failure in the real world.
You’ll be speaking at the ASEAN 5G OT Security Summit. What can attendees expect?
So, the ASEAN region is a fast-growing economic area, and international tensions are rising globally.
We all should be preparing for worst-case scenarios. We all should be thinking about the unthinkable and trying to identify it. Just have an honest, frank conversation about where we are, where we are going, and how to respond to these challenges—challenges which come from geopolitics, challenges which come from aging parts of technology that need to be replaced, challenges which come from AI.
Remembering that operational technology has a long life cycle, we are going to be living with operational technology that is 20 years old for the foreseeable future.
And then we have 5G, which is both good and bad because, when we start relying on technology in the wrong place—as mentioned—if 5G, if everything is cloud-based and 5G goes down, now what?
You cannot have systems that are not capable of keeping the lights on and society going, even if some critical part like the telecom network or power grid fails.
And cascading failures, where you lose one part and the others follow—the mapping has not been done. Your telecom network goes down and it takes the power grid down just to keep the company running.
So we have to really think about these inter-cascading failures and the interconnections between different areas of our infrastructure.
So in a nutshell, what would you say would be the key driving or benefits for organizations thinking of attending this site? What can you possibly take out of it or walk away with?
I think the most important part is that cybersecurity is not an option. It is life and death.
It doesn’t matter which business you are in, you don’t know how your products are used outside of your own area.
Consumer electronics get to hospitals. Electronics get into the power grid. It was never intended to be, but it ends up in it. Even if you yourself don’t think that your security matters, the people downstream might be using the technology in ways you didn’t know.
So this is everybody’s shared responsibility.

Baljit Singh
24 years working experience for Global IT Enterprises in the fields of Information Security, Management and IT Architecture. Experienced in delivering Enterprise IT Architecture & Information Security solutions for Telecommunications, Banking, Retail & Oil and Gas related businesses. Particular skill-sets in Governance and Process frameworks for enterprise technology governance, Information Security, IT Architecture and Planning, Infrastructure Consultancy, Team Management and Planning, Stakeholder Management and transforming Business Goals into Technology Initiatives.