We started our conversation by talking about his latest project, which focuses on one of the most harrowing cases we’ve ever seen in this field: the story of Julius Kivimäki.
The path from gaming to delinquency
Kivimäki is a Finnish hacker who was convicted for what Joe described as the cruellest cyber crime ever. He hacked a chain of psychotherapy centres in Finland, Vastaamo, and stole the patient notes of 33,000 people. As Joe put it, that in itself is a tragic and important story to tell. But what really struck us was the arc of Kivimäki’s career. This wasn’t an isolated incident; it was the climax of a 10-year cyber crime spree that started when he was just a teenager.
It made us reflect on that transition from being a curious kid to a serious criminal. We discussed how these young boys can go from being gaming-obsessed to moving into online delinquency and then sometimes, like Kivimäki, into very serious cyber crime. “I wanted to kind of expose that and try and shine a light on this corner of the internet that we sort of overlook,” Joe told us.
The line between being inquisitive and becoming a delinquent is becoming increasingly blurred. When kids are trying to work out a cheat code to beat a friend, that is one thing. But when they start moving into the kind of territory where they ask, can I hack this person to get their Robux money in Roblox, the line is being crossed. Joe noted that when this behaviour becomes so prevalent and so normal, it becomes normalised and then before you know it, you could be down a very dark path of carrying out serious cyber crime.
The shifting landscape of cyber crime
Over the last ten years, Joe has covered the whole gamut of cyber threats. We talked about the bread and butter of the industry—the Russian-speaking cyber crime ecosystem responsible for the massive ransomware attacks we see today. But there is also this other, perhaps more unpredictable, side: a very strange, destructive, nihilistic, anarchic corner of cyber crime which is teenagers, English-speaking teenagers.
This mix of state-sponsored actors and nihilistic teenagers creates a complex environment for any organisation to navigate. But what Joe finds most concerning isn’t just the attacks themselves—it’s how the victims are choosing to talk about them. Or, more accurately, how they are choosing not to.
The decline of transparency
One of the most striking parts of our chat was Joe’s assessment of organisational communication. He believes it is getting worse and worse. From his perspective as a journalist, the public is being told less and less every year. Even when companies are praised for their openness, Joe often finds that the reality is quite different. He told us that “they’ve only spoken because I have found out stuff or colleagues of mine have found out stuff.”
We looked back at what he calls the gold standard of cyber security response: the 2019 Norsk Hydro attack. The Norwegian aluminium maker was honest and open from the very beginning. They were clear: We’re not paying. We’ve been hacked. We’re going to take a hit here. Sorry customers. Sorry the public. They provided regular updates and framed it as them against the bad guys.
Today, that level of honesty feels like a rarity. Joe suggested that the issue we have nowadays is that, in his words, “I don’t know where the advice is coming from but from my perspective as a journalist—and I will always lean towards transparency—it’s pretty dire.” We are raising the drawbridge, telling the public nothing, telling journalists nothing, sometimes paying the ransom, and sweeping it all under the carpet.
Shareholders versus society
Why the shift toward a cloak of silence? It often comes down to damage limitation and protecting shareholder value. Joe acknowledged that he doesn’t run a company and understands the pressures CEOs face, but he argued that this silence hinders our collective ability to learn.
“If we’re not talking about these things, then we’re not learning,” he said. He believes that some organisations are getting bad advice—perhaps from lawyers or even the NCSC—telling them to say nothing. While that might be good for the individual company in the short term, Joe argues it’s “bad for the overall societal problem because if we’re not talking about these things, then we’re not learning. It’s been going on now so long… and we’re not learning.”
There is something incredibly powerful about a victim organisation that is willing to be honest. When Joe finds a company that actually wants to talk, the story is a thousand times more powerful than the usual boilerplate responses. You know the ones: “We care about your security,” “We’ve hired experts,” “We are going to make sure that this doesn’t happen again.”
A call for stronger leadership
We think Joe is right to challenge the motives behind this increasing secrecy. While a company might take a hit on its share price by being transparent, society gains a lot more. We need to see more senior leaders who are willing to say: We tried our best, but we’ve been beaten in this case, and now we’re looking at a recovery.
Transparent communication shouldn’t be seen as a sign of weakness, but as a part of a strong, resilient response. When you are able to be strong in your response, both in terms of the technicals, but also in terms of the public outreach, I just think that’s superb. It was a fascinating conversation that left us thinking about how we can encourage more of that Norsk Hydro spirit in the face of ever-evolving threats.