AI, self-driving cars and cyberwar – the tech trends to watch for in 2017

by: Alex Hern

In some ways, tech in 2017 will be a steady progression from what came before it. Time marches on, and so too does the advance of technology. In other ways, though, it will be just as upended as the rest of the world by the unprecedented disruption that 2016 has left in its wake.

Here are the trends to watch out for in the coming year:

More AI, less data

The artificial intelligence revolution is well and truly upon us, but so far, the biggest players are venerable Silicon Valley titans such as Google, Amazon and Apple. That’s partially because they have the money to hire teams full of PhDs at seven-figure salaries, but it’s also because they have the data.

That could change. One of the key areas of research for 2017 is data efficiency: the problem of trying to teach machine-learning systems how to do more, with less. Think about how many times your average three-year-old needs to see a particular animal before they can correctly identify it, compared with the thousands of images a neural network needs to ingest to perform the same basic task.

Solving the problem of data efficiency could dramatically open up the industry, letting new startups compete on a level playing field with those who have access to petabytes of customer data. And it could also change what an AI can do for you, letting an assistant become far more sensitive to your personal quirks and foibles, or a photo-tagging service recognise specific locations, objects, or situations.

Mostly-self-driving cars

Self-driving cars exist on a scale. At one end, you’ll find technologies that are barely more than fancy cruise control: lane-assist features ensure your car doesn’t drift out of lane, while adaptive cruise control will maintain a steady distance from the car in front. At the other end is full automation: a car that can drive from a parking space outside your house to a parking space outside your office with no-one touching the steering wheel, or even sitting in the car at all.

The story of 2017 will be car companies racing almost all the way to that final hurdle, but just stopping short. Not only the tech companies, either (although expect Tesla’s own models to lead the way, closely followed by Google’s sister company Waymo’s alliance with Fiat Chrysler). Conventional manufacturers the likes of Nissan and BMW are jumping into the field with both feet, and their systems will only get smarter. And who knows what Apple’s plans are?

But don’t expect anyone to make the difficult jump to full self-driving capability any time soon. Not only are the regulatory and liability hurdles immense, but the tech just isn’t there for the vast majority of journeys. There’s a reason Google tested its first ever fully automatic trip in Texas, land of wide lanes, huge highways, and car-centric development. Drop that car in the middle of a busy London backstreet and it won’t do so well.

The big question is whether all this automation will actually make things safer. On the one hand, cars don’t get distracted, drunk, or tired, all of which lie at the root of most fatalities on the road. On the other hand, if people are told to supervise a car which mostly drives itself, they tend not to be prepared to take over if it actually does need assistance – a problem that lay behind the first self-driving fatality in May.

Cyberwar

Let’s not mince words: cyberwar has already begun. If it didn’t start in 2008, when (probably) the Israeli and US intelligence services used the Stuxnet virus to destroy Iranian nuclear centrifuges, and it didn’t start in 2015, when the US Office of Personnel Management was hacked by (probably) China, stealing the personal details of millions of government employees, then it certainly started in 2016, when (probably) Russia hacked into the Democratic National Congress, exfiltrating emails which were released with the intention of altering the outcome of an election.

Those “probably”s expose part of the appeal of cyberwar for nation states: attribution is hard, and rock-solid attribution to not just a nation but a chain of command is almost impossible. The incoming US administration is already making aggressive overtures about its desire to get on the attack, which will inevitably also make it a bigger target, according to security expert Hitesh Sheth, head of cybersecurity firm Vectra.

“US businesses and the US government should expect an increase in the number and severity of cyber-attacks, led by select nation states and organised political and criminal entities,” he says.

The ghost of Christmas data breaches past

It feels like data breaches are everywhere. But that’s often not the case; while companies are indeed compromised on a regular basis, modern security practices usually ensure that not much is stolen, and what does get taken isn’t easy to exploit.

Instead, the more dangerous trend is old breaches surfacing, like an unexploded second-world-war bomb, to wreak havoc on the present. That’s what happened to Yahoo, twice in one year, when data breaches from 2013 and 2014 resurfaced. The breaches were huge, containing a billion and half a billion accounts respectively, and the information within them was barely secured. Passwords were obfuscated with a standard which has been known to be insecure since 2005, while other info, including security questions, was in plain text.

Because data breaches can happen undetected, fixing your cybersecurity in 2016 isn’t just locking the stable door after the horse has bolted; it’s locking the stable door without even realising the horse made its escape years ago.

The information in historical breaches has often been traded on the darknet for some time before their existence surfaces, meaning the damage comes in two waves: first, slowly, and then all at once.

Meet eSports, the new sports

Competitive video gaming is a huge business. In 2016, investment bank GP Bullhound estimated it hit a global audience of over 250 million people, and amassed a total annual revenue of $493m – and in 2017, that’s predicted to more than double, making eSports a billion-dollar sector.

The scale of the eSports industry is down to a number of factors, from increased broadband penetration making online multiplayer gaming accessible to most of the world to online streaming allowing budding eSports stars to skip conventional media and go straight to their fans.

But it’s now big enough to warp the very industry that spawned it, with major games publishers courting the eSports community from the inception of their latest releases. Blizzard, a Californian company best-known for its online game World of Warcraft, has been one of the leaders in the field, with games including Heroes of the Storm, Overwatch and Hearthstone all having online viewerships in the millions, but the standout success is Riot Games, whose sole title League of Legends had more viewers in its 2015 world championship than the final game of 2016’s NBA Finals.

GP Bullhound says the next big wave is going to come from mobile, with games like Clash Royale and Vainglory representing the fastest growing segment of the global $37bn games market. Of course, this might all pass you by: over half of eSports fans are millennials, by far the youngest skew of any group of sports supporters.

The great privacy divide

The world’s most advanced surveillance operation will shortly be under the direct control of a far-right demagogue who routinely attacks critics on social media and uses the office of US president-elect to bolster his commercial interests. That has left some people worried.

As a result, many are re-examining their online privacy, switching to encrypted messaging services, locking down social media accounts, and limiting the amount of information they put online. Signal, an encrypted messaging app recommended by Edward Snowden, saw a huge spike in downloads following Donald Trump’s election, while hundreds of tech workers signed a pledge to never implement the president-elect’s proposed registry of Muslims.

At the same time, though, trends in AI and online monetisation have pushed other tech firms to slowly chip away at the amount of privacy their users have, data-mining ever more aspects of their online lives in an effort to offer better services and create smarter software. Google, for instance, will now train a machine-learning system on your photos, read your emails to find useful information to add to your calendar, and save everything you say to it to improve its voice recognition.

Over 2017, this divide will only increase: companies like Apple and Signal on the one side, and Facebook and Google on the other. In the end, the market will decide. Are people willing to give up the latest and greatest fruits of machine-learning to limit their exposure to surveillance, or do they not really care about online privacy and want everything as soon as it’s technologically possible?

Chinese tech goes west

The likes of Foxconn may build the world’s most premium tech, but in the west, Chinese brands are still largely associated with cheap electronics: no-name flat panels and cheap smartphones that spy on you. As for software, the entire country can feel as if it’s seen through analogues to Silicon Valley, from “China’s Google” (Baidu) to “China’s Twitter” (Sina Weibo).

But an increasing number of Chinese companies have their eyes set on the richer markets of Europe and America, without giving up on the customer base in their own country. Shenzhen-based OnePlus, for instance, has slowly carved out a niche for itself with its high-quality, low-price range of smartphones, which aim to match the flagships from Apple and Samsung while offering price-sensitive users savings of hundreds of pounds. Huawei, already a fairly well-known brand in the west, is pushing its Honor brand as a way to drop the budget image for a new demographic.

And software firms are getting in the game too. Tencent, makers of WeChat (that’s “China’s WhatsApp”, for those playing along at home), is pushing hard into the west, taking on Facebook at its own game. The service is currently most popular with Chinese expats, but it’s clear that Facebook is watching closely: a number of features in Messenger are ripped wholesale from the hugely influential service.

The Internet of Things (IoT): The Single Biggest Risk to Your Privacy

According to Gartner, by 2020 there will be 20.8 billion devices connected to the Internet. To provide a bit of context, the U.S. population is 318 million, and the worldwide population is 7.5 billion, which means there will be roughly 3 devices for every 1 person on Earth. These devices include everything from smartphones to home automation tools to cars, and everything in between – all connected to the internet and accessible.

Historically, one of the biggest threats to security has been ease of use and convenience for the end-user, which has never been more true than it is right now in relation to deploying consumer devices connected to the Internet of Things (IoT). Consumer devices make up the single largest segment of IoT devices and, because of that, plug-and-play, easy-to-use, zero-configuration devices are in high demand, and manufacturers are listening. Ease of deployment has, unfortunately, resulted in a huge lack of proactive security measures, including patching vulnerabilities within firmware or operating systems, which renders most devices connected to the IoT exploitable.

Alarmingly, it isn’t very difficult to find IoT devices that are connected and available for access. Using search engines like Shodan, you can quickly search for IoT devices such as web cameras, routers, firewalls, and smart TVs, and determine their locations. Many of these devices are using default user names and passwords, which can also be easily discovered with a quick internet search.

Due to this lack of security and ease of identifying vulnerabilities, exploits and locations, individuals are at risk of being targeted which, surprisingly, doesn’t seem to be a huge concern among consumers. A recent survey of 2,000 households found that 66% of consumers are more concerned with the price of their devices rather than the privacy and security features they may offer. As more of these devices are being deployed in households the risk of a security/data breach increases.

Protecting your IoT devices not only protects your privacy but also protects the privacy and security of the entire Internet community. Compromised devices can become infected with malware and become part of a large army of botnets used to attack other users or services on the Internet. A recent attack on the infrastructure of the internet caused a large-scale outage that lasted hours. Users and manufacturers have a responsibility to secure and protect the devices that are attached to the internet.

Until manufacturers build higher levels of security into these devices, there are some easy measures that can be taken to secure your IoT environment:

• Evaluate whether your device has to be connected to the Internet. Just because it can doesn’t mean it’s necessary 100% of the time.

• Change the default user name and passwords that your device came equipped with. If this is not possible, do not deploy the device.

• Create a separate network for these devices. Putting your IoT devices on a separate network from your computers and files will allow your IoT devices access to the internet, but not the primary network that stores your private information.

• Disable universal plug and play (UPnP). This protocol makes it easy to deploy devices; however, it’s also a large security risk as these devices could be discovered beyond your local network.

• Make sure you can update the firmware. If this is not possible do not deploy the device. Updating firmware is critical and should be done regularly as updates fix vulnerabilities within the software (firmware) that controls the device.
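To check the UPnP item on your own network, the following added example (not from the original post) sends the standard SSDP discovery query on the local segment and lists which devices still answer, flagging any that offer port-mapping services. The sample replies and device names are constructed; after UPnP has been disabled, the affected devices should no longer appear.

```python
import socket
from collections import defaultdict

SSDP_GROUP = ("239.255.255.250", 1900)   # standard SSDP multicast address and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode("ascii")

# Service types that mean a device offers UPnP port mapping (normally the router).
PORT_MAPPING_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")


def parse_ssdp(datagram: bytes) -> dict:
    """Return the headers of one SSDP reply or announcement, or {} if it is not SSDP."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith(("HTTP/1.1 200", "NOTIFY ")):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def summarize(replies):
    """Group (ip, datagram) pairs by device and flag UPnP port-mapping services."""
    devices = defaultdict(lambda: {"server": "", "services": set(), "port_mapping": False})
    for ip, datagram in replies:
        headers = parse_ssdp(datagram)
        if not headers:
            continue                      # ignore malformed or non-SSDP traffic
        entry = devices[ip]
        entry["server"] = headers.get("SERVER", entry["server"])
        service = headers.get("ST") or headers.get("NT", "")
        if service:
            entry["services"].add(service)
            if any(marker in service for marker in PORT_MAPPING_MARKERS):
                entry["port_mapping"] = True
    return dict(devices)


def discover(timeout: float = 3.0):
    """Ask devices on the local segment to announce themselves; return raw replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # stay on-link
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            replies.append((ip, data))
    except OSError:
        pass          # timeout (no more replies) or no usable network interface
    finally:
        sock.close()
    return replies


# Constructed sample replies (not captured from real devices).
SAMPLE_REPLIES = [
    ("192.168.1.1", b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
                    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"),
    ("192.168.1.40", b"HTTP/1.1 200 OK\r\n"
                     b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
                     b"SERVER: ExampleTV/2.0 UPnP/1.0\r\n\r\n"),
    ("192.168.1.40", b"garbage"),
]

if __name__ == "__main__":
    for ip, info in sorted(summarize(discover()).items()):
        flag = "PORT-MAPPING" if info["port_mapping"] else "upnp"
        print(f"{ip:15} {flag:12} {info['server']}")
```
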

New ‘nasty’ ransomware encourages victims to attack other computers

Popcorn Time malware offers users free removal if they get two other people to install link and pay

Any user who finds themselves infected with the Popcorn Time malware (named after, but unrelated to, the bittorrent client) is offered the ability to unlock their files for a cash payment, usually one bitcoin ($772.67/£613.20).

But they also have a second option, described by the developers as “the nasty way”: passing on a link to the malware. “If two or more people install this file and pay, we will decrypt your files for free”.

The affiliate marketing scheme was discovered by security researchers MalwareHunterTeam. For now, it’s only in development, but if the software gets a full release, its innovative distribution method could lead to it rapidly becoming one of the more widespread variants of this type of malware.

Like most ransomware, Popcorn Time encrypts the key files on the hard drive of infected users, and promises the decryption key only to those users who pay up (or infect others). But the code also indicates a second twist: the ransomware may delete the encryption key entirely if the wrong code is entered four times. The in-development software doesn’t actually contain the code to delete the files, but it contains references to where that code would be added.

Advice varies as to what users who are infected with ransomware should do. Most law enforcement organisations recommend against paying the ransoms, noting that it funds further criminal activities, and that there is no guarantee the files will be recovered anyway (some malware attempts to look like ransomware, but simply deletes the files outright).

Many security researchers recommend similarly, but some argue that it should not be on the individual victim to sacrifice their own files for the sake of fighting crime at large. Some ransomware has even been “cracked”, thanks to the coders making a variety of mistakes in how they encrypt the hard drive. Petya and Telecrypt are two types of malware that have been so defeated.

Information Technology should Embrace Marketing

One of the biggest challenges facing IT departments today, beyond that of the ever-changing technology itself, is their inability to effectively communicate with their end-users. These lapses in communication, whether they’re caused by not communicating frequently enough or a “language barrier” between the technical and non-technical staff, can lead to security risks, improper use of technology, and overall dissatisfaction with the services being provided by the department.

As we well know, the focus of IT delivery is to treat the end-users as consumers. Based on that methodology and the understanding that information technology departments are moving to an operational model where they act as a business providing services to customers rather than a department within an organization, marketing to the end-user is an essential component of ITaaS (IT as a Service).

In order to ensure effective, efficient communication, technology departments must start at the beginning and examine and revise their current end-user notification and education methods. Each year the workforce is reinvigorated with employees that are a bit younger than most of their colleagues and that are used to absorbing information and communicating in different ways. These employees are used to a more social, less “corporate” means of communicating and are often quite adept at using social media platforms such as Twitter, Facebook, Instagram, and YouTube as a primary communication method. Unfortunately, most IT departments are not equipped to effectively communicate in this manner.

As a prime example of when marketing to end-users is important, we can take a look at Cyber Security Awareness Month, which falls in October. For the most part IT departments will (if they do anything) send an email acknowledging that it is Cyber Security Awareness Month and highlighting the importance of taking proper cyber security measures. They may even go so far as to share video tutorials or PDFs containing step-by-step instructions on how to activate certain features or how to be more aware of suspicious attachments. In most cases, however, those methods are ineffective. Many people delete emails like that as soon as they see them or, if they’re arriving from their employer, will quickly scan them so that they can truthfully tell their employer they received and read it, and will then forget or ignore most of the content. In the majority of cases, though, emails like that just aren’t a high priority for many employees – they get lost in the daily shuffle of emails coming in from clients and coworkers and no one really remembers to go back and check them.

In an effort to get your messages out to your employees, you may consider utilizing social and digital marketing tactics and communicating via mediums that they’re familiar with and readily checking. Create a Facebook Group for your employees where you post daily tips and security information. (Fun Fact: when you add someone to a group, the initial settings are that they will receive notifications when you post to the group in addition to seeing it appear in their newsfeed). Similarly, including infographics and images in newsletters – as opposed to blocks of text – will increase the likelihood that your employees will focus on and absorb the information provided to them. Creating learning activities and challenges will also provide ways to make security awareness training social and dynamic.

In order to effectively implement marketing strategies and tactics in your end-user education programs, it’s helpful to understand the seven fundamental elements of marketing in general. These elements are:

·      Distribution: The method employed of getting your message to your consumer (in this case, your end-users). There are a variety of methods, both traditional (printed brochures and flyers) as well as digital/multi-media (email, social media, video, text messaging, etc.)

·      Financing: Every marketing campaign has a cost, even if it’s an internal campaign, and in order to demonstrate the effectiveness of the campaign you must examine the ROI (return on investment). However, with campaigns directed at the end-user, it’s important to consider the offsetting cost. That is to say, the amount of money that would be saved by the success of the campaign. For example, your organization may find after an internal audit that it “spends” (after applying an hourly rate to employees and evaluating the cost of equipment purchases) roughly $15,000 per year troubleshooting and remediating issues and replacing workstations. Comparatively, a 100 person company may elect to dedicate $25 per employee ($2,500 total) to security awareness training. When you consider the value of simply avoiding the problem in the first place, the cost of the campaign is minimal and well worth the spend.

·      Market Research: Understanding your workforce is key, just like understanding the target customer. You’ll want to consider what methods of communication might be most effective across your workforce as a whole as well as across various segments.

o  Younger employees may be more apt to watch a YouTube video or read an infographic, whereas your older employees may benefit more from in-person training.

·      Pricing: As you will be marketing to your own end-users, assigning the “price” of your endeavors differs a bit from the usual sense. Typically when assigning the price of an item the company will examine the cost to manufacture the item, the cost to ship the item, their desired profit margin, and a host of other factors and come up with a per-piece price. When marketing to your own end-user, you’ll instead want to examine what the most effective and reasonable method of communication is and determine which option has the highest value, regardless of the actual cost of the campaign.

o  For example, it may – at first glance – be more cost effective to spend $25 per person creating training videos versus deploying a web-based training program that costs $35 per person. However, if the effectiveness rate of the $25/person program is 30% and the effectiveness rate of the $35/person program is 75% then it becomes obvious that in the long run the more expensive program is the most cost-effective.

·      Products and Services Management: Once we understand the other foundational elements of the campaign, it’s important to consider how the campaign is managed and – specifically – how the end-user training is deployed and followed up on. This goes back to understanding your users and their needs. You’ll want to develop a method of measuring the success rate (i.e.: comparing the number of IT support tickets created month over month) as well as a method of soliciting feedback and providing additional resources or explanations. Your campaign will never be effective if there is no way for your end-users to tell you whether or not it makes sense or to get clarification on issues.

·      Promotion: This is simple: IT should be promoted in a positive manner and the training and campaign should be framed as being a big-picture solution. You don’t want to frame it as “the IT department has dropped the ball in the past and now we’re catching up.” You’ll also want to use your campaign to create a positive identity for IT. In far too many organizations the over-worked, under-staffed IT department employees are often seen as people who are short-fused and grumpy. This is usually because they simply don’t have the time for idle chit-chat when their primary communication with their colleagues is people complaining that things aren’t working. They also have the responsibility of prioritizing the order in which tickets are worked, which often will leave their co-workers feeling miffed if their issue isn’t deemed the highest priority. Take that into consideration and use your campaign as a means of explaining these issues to the larger employee pool and highlighting all of the great things the department does for the organization.

·      Selling: In this case you’ll want to focus on getting your employees to buy into the program. Get your message out, evaluate its success, make changes where needed, and continue to improve upon what you’ve already implemented.

Marketing can affect an IT department in a very positive manner as long as your organization is willing to commit to a long-term relationship with your marketers. One and done does not work; this is an ongoing process. Once you’ve begun to implement awareness and training campaigns you have to be prepared to continue – simply sending out one campaign and calling it a day won’t work. Continuously pushing your message in new and innovative ways that your audience responds to, however, will.

Ransomware: another way for vendors to make money

As we see more and more news stories about ransomware, security vendors are jumping on the bandwagon with their solutions. Most of these are incomplete and only offer a small part of the overall solution. Few vendors offer a complete solution, and for those that do, configuration and deployment is a nightmare for the average IT guy. Most SMBs rely on endpoint protection (aka AV), UTM, etc., and vendors are taking advantage of that, rebranding and marketing to the ransomware hype.

The first line of defense is user education. What I am seeing when a company gets infected is that an end user opens an email and clicks on a link, or opens an attachment.  When discussed after the fact, most end-users say something like, “I did not read the email, just clicked on the link,” or “The attachment said resume, so I opened it.”  In these cases, endpoint protection (more on this in a minute) would not have protected the end user; education would have.

Speaking of endpoint protection, most vendors will say that they protect against zero-day threats as well as ransomware. This may be true if you use the most restrictive settings on the product; however, that comes at a cost, and in most cases the cost is the end-user’s ability to do their daily job. The key is a balance between education and configuration.

A strong security program that includes multiple levels of protection decreases your chances of being infected. An ideal solution would include web filtering (cloud based), Unified Threat Management at the firewall, endpoint protection on the desktop, and lastly email filtering that offers URL scanning and attachment scanning. Let’s not forget end-user training, the human factor. A single-vendor solution does not provide the defense-in-depth model that multiple vendors can provide (belt and suspenders).

Lastly, when you do get infected – and you will – your last line of defense is solid backups. Bottom line: when all else fails, you have your backups (make sure you do test them; don’t assume). When thinking about backups, think about recovery point objective (RPO). I will discuss it in greater detail later (another post). Most SMBs back up once per day (most likely at night). Let’s say you back up Tuesday night at 8 pm, and Wednesday afternoon at 2 pm you get ransomware; you can restore from the night prior and lose a day’s worth of work. Is that sufficient?

Something to think about.
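The Tuesday 8 pm / Wednesday 2 pm scenario above, worked through as an added example that is not part of the original post: it computes the data-loss window from a backup history, compares it with an RPO target, and shows how the window grows when the newest backup was never test-restored. The dates, the record fields and the 4-hour target are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    finished: datetime       # when the backup job completed
    succeeded: bool          # the job reported success
    restore_tested: bool     # a test restore from this set actually worked


def usable(b: Backup, require_test: bool) -> bool:
    """A backup counts only if it succeeded and (optionally) has been restore-tested."""
    return b.succeeded and (b.restore_tested or not require_test)


def data_loss_window(backups, incident, require_test=True):
    """Work lost when restoring from the newest usable backup taken before the incident."""
    points = [b.finished for b in backups
              if b.finished <= incident and usable(b, require_test)]
    return incident - max(points) if points else None


def worst_case_gap(backups, require_test=True):
    """Longest stretch between consecutive usable backups: the schedule's worst-case loss."""
    times = sorted(b.finished for b in backups if usable(b, require_test))
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def meets_rpo(loss, rpo):
    """True only when a restore point exists and the loss fits inside the RPO target."""
    return loss is not None and loss <= rpo


# Constructed dates: Monday 2 and Tuesday 3 January 2017 at 8 pm, incident Wednesday 2 pm.
MON = datetime(2017, 1, 2, 20, 0)
TUE = datetime(2017, 1, 3, 20, 0)
INCIDENT = datetime(2017, 1, 4, 14, 0)

NIGHTLY = [Backup(MON, True, True), Backup(TUE, True, True)]
TUESDAY_UNTESTED = [Backup(MON, True, True), Backup(TUE, True, False)]

if __name__ == "__main__":
    rpo = timedelta(hours=4)   # assumed target, not from the post
    for label, history in (("nightly, tested", NIGHTLY),
                           ("Tuesday set untested", TUESDAY_UNTESTED)):
        loss = data_loss_window(history, INCIDENT)
        print(f"{label}: lose {loss}, meets {rpo} RPO: {meets_rpo(loss, rpo)}")
    print("worst case for the nightly schedule:", worst_case_gap(NIGHTLY))
```
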