The Six Most Impactful Cyber and Business Tech Trends of 2019 and What it Means for 2020.

By Mamady Konneh, MSST, and Jeremy Swenson, MBA, MSST.

Minneapolis, MN — Every year we like to review and comment on the most impactful security technology and business happenings from the prior year, particularly those likely to significantly impact the coming year in unique ways. Although incomplete, these are six trends worth addressing in order of importance.

Fig 1. (Cyber Trend Mashup Overlay, + Stock Image, 2019).

1) The Media Disinformation War Continues Embracing Artificial Intelligence:

With the advancement of communications technologies, the growth of large social media networks, and with the “appification” of everything — users have morphed beyond merely consuming information to being distributors and sometimes contributors. This ripens the ease and capability of disinformation.

Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments create digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies and control public opinion (Shelly Banjo, Bloomberg, 05/23/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram (Fig. 2). Yet even state-sponsored and private news organizations are increasingly the weapon of choice — creating a false sense of validity. Undeniably, the battlefield is wherever a large number of followers are.

We all know that false news spreads faster than real news most of the time, largely because it’s sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenues, it’s a money-making machine. If you can control what’s trending in the news and/or social media, it impacts how many people will believe it, which in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace its source and to stop it. Further complicating this phenomenon is the amount of app-to-app (application-to-application) permissions. For example, the CNN and Twitter apps may have permission to post to Facebook, Facebook may then have permission to post to WordPress, and WordPress may then post on Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and source, but it also weakens privacy and security due to the many authentication permissions.

Fig 2. News, Social Media, and Puppet Master of Disinformation (Right, Chandrajit Banerjee, Left Marc Creighton, 2019).

Disinformation campaigns attempted to influence U.S. elections in 2016 — presidential, and 2018 — congressional (Fig. 2). The effects are not fully known to this day, yet there is some undeniable impact, with debates on both sides. This, taken in conjunction with outdated electoral policies and poor public-to-private partnerships, supports the conclusion that disinformation capabilities are on the rise leading up to the U.S. presidential election in 2020. In fact, according to one report, the number of countries engaged in disinformation increased from 48 to 70 or 150% from 2018 to 2019 (Samantha Bradshaw and Philip N. Howard, Oxford Internet Institute, 09/04/19). This is not about politics; this is about truth, appropriate technology, security improvements, and better public-private partnerships.

Fig. 3. Purported Russian Disinformation Flow (Samuel Morales, 11/08/19).


Moving on, large technology companies are increasingly under scrutiny to secure their platforms from disinformation campaigns. One recent example is as follows: “Twitter announced that it had removed more than 88,000 accounts that it said were engaged in “platform manipulation” originating in Saudi Arabia” (Aaron Holmes, Business Insider, 12/20/19). Since platforms like this have so much activity to monitor, many campaigns like this go on unaltered. Yet, let us not forget about the free speech rights of users and the many claims that certain tech companies are overreaching in screening content to the level of undue bias. Resolving these two extremes is indeed a work in progress.

Another example which used AI (Artificial Intelligence) enabled disinformation is as follows: ‘“On December 20, 2019, Facebook took action against a network of over 900 pages, groups, and accounts on its own platform and on Instagram that were associated with “The Beauty of Life” (TheBL), reportedly an offshoot of the Epoch Media Group (EMG). These assets were removed for engaging in large-scale coordinated inauthentic behavior (CIB)”’ (Ben Nimmo, C. Shawn Eib, L. Tamora, et al; Graphika & the Atlantic Council’s Digital Forensics Research Lab, 12/2019). Many of these profiles were created with AI generated fake profile photos. The group amassed about 55 million followers, so their disinformation efforts largely worked.

Considering these disinformation events this past year, we think small and mid-size companies are likely the next target of disinformation campaigns. Such campaigns may aim to steal their customers, tarnish their reputation, or otherwise combine disinformation with advanced malware or other cyber fraud. They may be a direct target or a pass through medium. Small businesses are not immune from these risks even if never targeted before. While a large company could sustain several disinformation attacks, a small company could be easily run out of business by just one.

Imagine fraudulent Yelp reviews from a dental competitor who hires a non-U.S. based hacking group to have a bot army create 1,000 negative dental reviews on Yelp. Now the victim of this attack has a mess to clean up. Being a dental office, they are not tech experts, so they have to hire a tech consultancy. Yet even when hired, the full damage can never be undone. The stress and cost could drive them to shut down. Then there is the question of who pays for it. This raises the question of cyber insurance: do you have the correct coverage, and is there any way your claims can be denied?

Overall, disinformation is a double-edged sword because if one country is using disinformation against another country, then that country is very tempted to use disinformation against them in response. Then when the public sees this state-originated disinformation, they and their NGO (non-governmental organization) groups respond whether they believe the disinformation or not — of course with different responses. The same scenario could apply in a company-to-company context.

Disinformation is indeed a vicious cycle that encourages lies and ignorance, all the while damaging the value of what journalism means. In 2020 we as journalists, thought leaders, consultants and citizens must not be afraid to confront these fallacies and hidden distortions for future generations — a quality-based, truthful pen is a powerful sword!

2) Ransomware Doubles Attacking More Government Entities:

Ransomware heavily hit hospitals, businesses, and universities in 2019, but local governments were the top target. It attacked at least 103 local U.S. government agencies, mostly at the city and county levels (Emsisoft Malware Lab, 12/12/19). Further validating this conclusion is Barracuda Networks, which found more broadly that two-thirds of all known 2019 ransomware attacks in the U.S. targeted U.S. governments (Alfred Ng, C-NET, 12/05/19). Specifically, these ransomware attacks originate mostly from phishing emails. The attackers then implant malicious code in the targeted entity’s network, after which they encrypt its files, making them inaccessible. These are for the most part not federal offices like the FBI, NSA, DOD, or the FAA — these offices have bigger budgets and better defenses.

In August 2019, twenty-three Texas cities were struck by a large coordinated ransomware attack. This overwhelmed them, so they were forced to seek advanced state assistance (Kate Fazzini, CNBC, 08/20/19). Also in 2019, seven Florida cities were struck in a similar attack: River City, Riviera Beach, Lake City, Key Biscayne, Stuart, Naples, and recently Pensacola (Rachael L Thomas, Naples Daily News, 08/20/19 & CISOMAG, 12/27/19). Moreover, the city of Baltimore, Maryland sustained two ransomware attacks in 14 months (Kate Fazzini, CNBC, 08/20/19). Fig. 4 shows the defaced City of New Orleans website, which left citizens without some services and information.

Fig. 4. City of New Orleans Website Down (NOLA.gov, City of New Orleans, 12/23/19).


Foolish as it may sound, local governments are more frequently opting to pay the ransom rather than rebuild their systems. After seeing Atlanta spend $2.6 million in 2018 to restore its systems rather than pay the $52,000 ransom (Lily Hay Newman, Wired, 04/23/18) — many officials have decided that it’s cheaper to pay the hackers. One researcher confirmed this as follows: ‘“These government organizations are not always well-equipped on cybersecurity concerns, which makes them easy targets,” said Kevin Latimore, enterprise malware removal specialist for security software provider Malwarebytes. “Not only do they have the potential to pay, but they are a soft target”’ (Alfred Ng, C-NET, 12/05/19). More examples of this include Lake City, Florida, which paid $426,000 to hackers via Bitcoin, and Riviera Beach, Florida, which paid hackers $600,000 via Bitcoin in 2019. Much of this will be covered by their cyber insurance, but it complicates future payouts, making denials and premium increases more likely (Scottie Andrew and Saeed Ahmed, CNN, 06/27/19).

For the coming year, this means that local governments need to harden their networks, better train their staff and hire private-sector talent. If they have paid a ransom once, they should expect and prepare for another attack soon, yet this should not mean rushing the onboarding of new vendor tools, as vendors need to be risk assessed. Moreover, they should outsource key IT tasks when they cannot meet the required service or security levels. Lastly, paying the ransom is not a long-term solution and it increases the likelihood of another attack, plus there is no guarantee the attackers have not copied your data.

3) Insurance Companies Paying Ransoms Are Likely Encouraging More Attacks for Profits:

When organizations have cyber insurance, they are more likely to pay ransom demands. This results in ransomware being more profitable than it would otherwise be and thus incentivizes more well-funded attacks (Emsisoft Malware Lab, 12/12/19). Yet if insurance companies did better due diligence reviewing prospective customers’ cyber risk processes, tools, SOC reports and the like — there would likely be fewer grounds for claims denials and fewer simple claims like ransomware, etc. In some cases, the customer is incented to prove their cyber due diligence to justify a favorable risk rating and lower insurance premiums. However, the rigor of this due diligence is inconsistently applied in favor of sizeable companies where more dollars and complex risk exist. Yet can you imagine being a large insurance company asking a government entity for any documentation like this… it might be difficult. Even small county governments often have many unhelpful bureaucrats who are overconfident, thus choking the needed risk management process. Private companies have the same issue, but they have less bureaucratic insulation. Overall, better public-private partnerships are needed.

This year we confirmed that cyber liability insurance risk assessment is still a contradictory mess. The carriers are profit-driven while they often confuse customers on what a policy means, especially small and medium-sized businesses that are not tech-focused. The risk assessment standards are immature, not organization specific, and outdated relative to current technology. If ransomware incentivizes cyber insurance, then what about the likely situation where an organization gets hit with ransomware, the carrier pays it less the deductible, but then the ransomware demands a second payment? Carriers, adjusters, risk assessors, and even companies have not thought this through well enough. Most likely the carrier will deny the second payment demand, often in tandem with costly litigation.

Whatever the size of your organization, you should undergo strict security reviews in the insurance underwriting process. If the carrier does not ask anything or much about your technology or security, you might as well not pay for the coverage because it’s weak at best. Whatever risk diligence is completed in underwriting the coverage, you should not publicly disclose that you have such coverage because cyber extortionists could then view you as a target. Cyber insurance should not be considered as an alternative to adequately funded and resourced security programs; rather, it’s a failsafe. Our related article from this summer clarifies some of these complexities: 10 Things IT Executives Must Know About Cyber Insurance!

Fig. 5. Cyber Security Spending Greatly Outpaces Cyber Insurance Spending, (Gartner, Munich Re, Microsoft, Marsh, 2019)


Lastly, we observed that cyber insurance spending is not growing as fast as cybersecurity spending from 2018 to 2019 (Fig. 5), while for 2019 to 2020 there is a $116 billion estimated difference (Fig. 5). This trend is generally good because you cannot insure away what you have not built securely in the first place. In physical security terms, that would be like a bank that often leaves its doors and windows wide open yet wants robbery insurance while it is incenting robbery. Of course, this is far more complicated in cyberspace, and insurance companies and risk assessors are moderately speculative at best. We anticipate more partnerships with tech-savvy insurance brokers in 2020, more cyber insurance training, and perhaps new FinTech insurance startups that can reduce risk and drive efficiencies while the legislators and large companies catch up.

4) Mobile Ecosystem Security Considerations Multiply:

Since the release of the first iPhone in 2007, the appification of everything is the new norm. Since computing power and memory on smartphones nearly double about every two years (Gordon Moore’s Law, 1958), the information security risk on these devices gets more complicated and multiplies with each new app installed.

Here are some recent top metrics from one independent blog study (Ian Blair, BuildFire, 2019):

  1. There are 2.8 million apps available for download on the Google Play Store. More apps equals more risk exposure.
  2. The Apple App Store has 2.2 million apps available for download.
  3. Mobile apps are expected to generate $189 billion in revenue by 2020.
  4. 49% of people open an app 11+ times each day.
  5. 21% of Millennials open an app 50+ times per day.
  6. 57% of all digital media usage comes from mobile apps.
  7. The average smartphone owner uses 30 apps each month, touching many or all of the mobile ecosystem components in Fig. 6 and thereby increasing complexity.

Fig 6. Mobile Ecosystem Components (Rohit Kumar, 2019).

The Apple App Store has a closed API (application programming interface) and thus fewer apps, unlike the Google Play App Store, which has an open API and more apps. Thus, in prior years Apple’s App Store was regularly perceived as more secure than Google’s Play Store. However, in the fall of 2019, a reported 18 malicious apps were able to bypass Apple’s vetting system. Wired described it as follows, “it started small. Wandera’s security software flagged some unusual activity on a client’s iPhone. A lone speedometer app had made unexpected contact with a so-called command and control server, which had previously been identified as issuing orders to ad fraud malware in a separate Android campaign. In other words, the app had gone rogue” (Brian Barrett, Wired, 10/25/19).

Although the new iPhone 11 has no CPU power increase from the prior version, the new Samsung Galaxy S 11 includes a CPU that raises the bar in some ways for both phones. The new CPU is the Qualcomm Snapdragon 865 and will come with the new Galaxy S 11 in 2020. This CPU is 5G enabled while older chips are not. It also supports up to 8K HD video which has an ultra-high resolution that translates into very large files (Jessica Dolcourt, C-Net, 12/19/19). This enables better video chat, HD gaming, and professional level photo capabilities.

Additionally, the Snapdragon 865’s two-finger biometric unlocking feature has been improved for the Galaxy S 11 thereby challenging the new iPhone 11. The CPU’s 3D Sonic Max fingerprint reader is large enough to register two fingers as one commentator detailed: “This means it’s faster to unlock, and more secure when matching up more unique data points in the form of the ridges, valleys, and pores unique to your fingers. On phones, you might get the option to set up one or two-finger unlocking, or perhaps choose to use dual-finger authentication for mobile payments only, or select apps like your banking app” (Jessica Dolcourt, C-Net, 12/19/19).

Faster CPUs in the mobile ecosystem mean that there is more room for malvertising, rootkits, viruses and other exploits to hide. Combine that with the increasing number of apps users download, the permissions they give them, etc. The complexity of this increases privacy and security risk. There is a very fine line between a hacked system and consented-to app permissions, yet most users have few details on what this means or how many apps they have on their mobile devices.

For 2020, we see education and awareness around the review and removal of non-essential mobile apps as a top priority, especially for mobile devices used separately or jointly for work purposes. This raises two questions: 1) what is the best BYOD (bring your own device) policy, and 2) what is good containerization to separate company vs. personal use apps? This requires better understanding around geolocation, QR code scanning, in-text ads, micropayments, Bluetooth, geofencing, readers, and HTML5. It thus goes without saying that we feel more holes will be exposed with BYOD tools and policy as they gain more adoption in 2020.

5) Cloud Adoption Raises Privacy and Compliance Concerns:

Cloud computing grew in 2019 and is expected to grow in the coming years. Many industries are opting for cloud computing because it is less costly than on-premises and the service quality is generally better. This especially applies to small and medium businesses that often don’t have the technology resources to build their own infrastructures. According to one study, “83% of enterprise workloads will be in the cloud by 2020” (LogicMonitor, 2019). As a result, many industries are increasing their investment in cloud computing and the costs are likely to go down as cloud providers improve — the services are being democratized via niche cloud service tool startups. At present, “50% of enterprises spend on average of $1.2 million dollars on cloud services annually” (LogicMonitor, 2019).

Although cloud computing might seem cheaper than on-premises solutions, it has its downsides when it comes to security and privacy. Moving to the cloud is accepting the risk of having your data in someone else’s warehouse. Of course, the service level agreement and vendor risk assessment compliance documents will address most of this, but it’s not comprehensive. This is because cloud vendors are selective about what they disclose to customers in their annual or quarterly vendor risk review. This is because they are protecting their own privacy and the privacy of their many other clients where shared infrastructure is relevant. If you want complete privacy and control, build your own cloud but accept the higher cost.

Fig. 7. Public Cloud Challenges Influencers Survey (LogicMonitor, 2019).

The above survey by the vendor LogicMonitor confirmed that security, governance and compliance, and privacy were top challenges in 2019. We think these challenges will hold steady in 2020, while costs will likely decrease for basic use cases. If organizations continue to struggle to find cloud-trained employees, it will worsen vendor lock-in. This can be bad from a failover perspective. We think organizations should spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons, but it also mitigates risk and makes vendors bid more competitively.

6) Supply Chain Cyber Security Threats Increase:

All organizations depend on other entities for goods and services: everything from manufacturers, distributors, marketers, attorneys, drivers, resellers, software providers, accountants, and more. The flow of this from start to finish is called the supply chain, and vendor management is the biggest part of it. As a result, it becomes challenging for organizations to identify and assess the security of every vendor they do business with. In fact, “at least 59% of organizations have suffered from cyberattacks through third-party companies” (Olivia Scott, Supply Chain Brain, 10/09/19). Depending on the vendor and the connection point, there may be more or fewer steps. More steps increase complexity and often decrease transparency, which in turn often increases risk.

Every aspect of supply chain has an internet-connected component from UPS Package scanners, to invoice creation, inventory management, quality control, and more. Vendors who say or suggest they are not internet-connected are usually wrong because they forgot one thing like utility applications, HVAC applications, coffee machine apps, navigation apps, payment processing apps, and their own 3rd parties that have access to customer data via the vendor, etc.

People often need clarification on what a 4th party vendor is. They are the vendors that your 3rd party vendor contracts with to meet your needs. With a 4th party vendor, you will have less insight into their infrastructure and process, if any at all. Most likely any risk documentation you get from them will come via your 3rd party vendor. A lot of misinformation and hidden risk is here. Vendor managers need good communication skills and business tact to deal with this.

In the context of cybersecurity, supply chain is posing a growing threat because most of the parts of our computers and smartphones are made in other parts of the world, including the software used to run these machines. For example, iPhone chips are made by Taiwan Semiconductor Manufacturing Company (TSMC) who works with other vendors for even the smallest of components in a highly complex supply chain, acting as a manufacturer and assembler. If there is a security hole in one of the iPhone components, the customer Apple may not be the first to know because TSMC or their 3rd and 4th party vendors may not know about it or may not disclose it. This negatively impacts Apple and iPhone users.

Observing this paradox, security pioneer Bruce Schneier stated, “the computers and smartphones you use are not built in the United States. Their chips aren’t made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a backdoor into the final product” (Bruce Schneier, New York Times, 09/25/19). Thus the supply chain path needs to be scrutinized for security compliance regularly, especially in the context of large-scale hardware manufacturing for data-centric products like smartphones, cars, computers, and medical devices — few devices are not data-centric these days.

In sum, supply chain is here to stay because organizations will need to collaborate with one another in order to conduct their business efficiently. According to the Ponemon Institute, 3rd party misuse was the second-biggest security threat in 2019 (Olivia Scott, Supply Chain Brain, 10/09/19). Yet we need a reminder that supply chain is no longer merely transportation and inventory management, even if we are a goods and services company like a small construction company with no website. We need to think of supply chain as more digital and more data-centric than we did in prior years. It is a part of core business operations.

Thus, supply chain security should be a top priority for organizations in 2020 with a focus on 3rd party risk ranking and 4th party identification. Lastly, big entities like governments and corporate conglomerates, which have many different internal organizations they interact with, would be well advised to think of their own internal procurement process as “external supply chain” in an effort to improve training and internal defenses — they are often their own worst enemy.

About the Authors:
Mamady Konneh (left) is a senior information security professional, speaker and mentor with 10+ years of relevant experience in security, risk management, and project management in the healthcare, finance, and retail industries. He is a dynamic team player who leads by taking initiatives in developing efficient risk mitigation and situational awareness tactics. He is proficient at assessing the needs of the business and providing the tools to resolve challenges by enhancing the business process. He holds an MSST (Master of Science in Security Technologies) degree from the U of MN where he researched global I.D. card best practices for the country of Guinea.

Jeremy Swenson (right) is a senior IT consultant, writer, and speaker in business analysis, project management, cyber-security, process improvement, leadership, music, and abstract thinking. He has been employed by or consulted at many banks, insurance companies, retailers, healthcare orgs, governments, and so on over 14 years. He has an MBA from St Mary’s University of MN and an MSST (Master of Science in Security Technologies) degree from the U of MN.

Five Unique Tech Trends in 2018 and Implications For 2019

By Jeremy Swenson, MBA, MSST, and Angish Mebratu, MBA.

Every year we like to review and comment on the most impactful technology and business concepts from the prior year, particularly those that are likely to significantly impact the coming year. Although incomplete, these are five areas worth addressing.

5. 5G Expansion Will Spur Business Innovation

Fig. 1. 1G to 5G Growth, Stock, 2018.

2018 was the year 5G moved from hype to reality, and it will become more widespread as the communications supply chain adopts it in 2019. 5G is the next iteration of mobile connectivity and it aims to be much faster and more reliable than 4G, 3G, etc. Impressively, data speeds with 5G are 10 to 100 times faster than 4G. The benefits include enabling smart IoT connected cities, seamless 8K video streaming, improved virtual reality styled gaming, self-driving cars that communicate with each other without disruption, thereby enhancing safety and reliability, and improved virtual reality glasses (HoloLens, Google Glass, etc.) providing a new way of looking at the world around us.

As emerging technologies such as artificial intelligence (AI), blockchain, the Internet of Things (IoT), and edge computing — the practice of processing data near the edge of the network where the data is being generated, not a centralized data-processing repository — take hold everywhere, 5G can offer the advancements necessary to truly take advantage of them. These technologies require 5G’s bolstered data transfer speeds, interoperability, and improved reliability. Homes will get smarter, hospitals will be able to provide more intelligent care, the Internet of Things will go into hyperdrive — the implications of 5G are massive. Yet most importantly, 5G has much less latency, thereby enabling futuristic real-time application experimentation.

“There’s no doubt that much of the recent 5G activity has been focused on investments from service providers and equipment manufacturers,” said Nick Lippis, co-founder and co-chairman of the Open Networking User Group (Kym Gilhooly, BizTech, 11/08/18). “However, more IT leaders are starting to make plans for 5G, which includes determining its impact on their data center architecture, procurement strategies and the solutions they’ll roll out” (Kym Gilhooly, BizTech, 11/08/18).

AT&T is one of the leaders in 5G distribution and as of 12/27/18 they have service up and running in these 12 cities: Atlanta, Charlotte, Dallas, Houston, Indianapolis, Jacksonville, Louisville, Oklahoma City, New Orleans, Raleigh, San Antonio and Waco (CNN Wire, 12/27/18). Verizon has a similar initiative in an earlier phase in some cities. Google has Google Fiber in some cities, but there is a lot of debate about whether it’s better or worse than 5G – time will tell. More data and faster speeds bring more connected devices, which need security, data protection, and privacy — failure to protect them aggressively creates too much risk at high cost.

Fig. 2. Likely 5G Use Cases in 2020, Stock, 2018.

4. Browser/Device Fingerprinting Growth Will Spur Better PET (Privacy Enhancing Technologies)

Browser fingerprinting is a method in which websites gather bits of information about your visit, including your time zone, set of installed fonts, language preferences, some plug-in information, etc. (Bill Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Freedom Foundation, 12/22/18). These data elements are then combined to form a unique fingerprint that identifies your browser or more. The next step is to identify your specific device, and then you individually.
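The combination effect described above can be measured from the defender's side. The following is an added example, not code from the original article: the visitor records are constructed, and `standardize` is a hypothetical stand-in for a privacy tool that reports the same time zone and font list for every user. It computes how many visitors share a fingerprint (the anonymity set) and how many identifying bits a set of attributes reveals.

```javascript
// Added example: constructed visitor records (not real measurements), using the
// attribute types the article lists: time zone, language, fonts, plug-ins.
const VISITORS = [
  { tz: "America/Chicago",  lang: "en-US", fonts: "Arial,Calibri,Segoe UI",   plugins: "pdf"  },
  { tz: "America/Chicago",  lang: "en-US", fonts: "Arial,Calibri,Segoe UI",   plugins: "pdf"  },
  { tz: "America/Chicago",  lang: "en-US", fonts: "Arial,Helvetica,Menlo",    plugins: "pdf"  },
  { tz: "America/Chicago",  lang: "es-US", fonts: "Arial,Calibri,Segoe UI",   plugins: "none" },
  { tz: "America/New_York", lang: "en-US", fonts: "Arial,Calibri,Segoe UI",   plugins: "pdf"  },
  { tz: "America/New_York", lang: "en-US", fonts: "Arial,Helvetica,Menlo",    plugins: "none" },
  { tz: "Europe/Berlin",    lang: "de-DE", fonts: "Arial,Calibri,Segoe UI",   plugins: "pdf"  },
  { tz: "Europe/Berlin",    lang: "en-US", fonts: "Arial,DejaVu Sans,Ubuntu", plugins: "none" },
];
const ALL_ATTRS = ["tz", "lang", "fonts", "plugins"];

// Combine the chosen attributes into one comparable fingerprint string.
function fingerprintKey(visitor, attrs) {
  return JSON.stringify(attrs.map((a) => visitor[a]));
}

// Group visitors by fingerprint: key -> number of visitors sharing it.
function anonymitySets(visitors, attrs) {
  const sets = new Map();
  for (const v of visitors) {
    const key = fingerprintKey(v, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// How many visitors are indistinguishable from `target` on these attributes.
function anonymitySetSize(visitors, target, attrs) {
  return anonymitySets(visitors, attrs).get(fingerprintKey(target, attrs)) || 0;
}

// Identifying information revealed, in bits: log2(population / anonymity set).
function identifyingBits(visitors, target, attrs) {
  const size = anonymitySetSize(visitors, target, attrs);
  return size === 0 ? Infinity : Math.log2(visitors.length / size);
}

// Fraction of visitors whose fingerprint is shared with nobody else.
function uniqueFraction(visitors, attrs) {
  let unique = 0;
  for (const count of anonymitySets(visitors, attrs).values()) {
    if (count === 1) unique += 1;
  }
  return unique / visitors.length;
}

// Hypothetical mitigation: every user reports the same time zone and fonts,
// so those two attributes no longer separate one visitor from another.
function standardize(visitor) {
  return { ...visitor, tz: "UTC", fonts: "Arial,Times New Roman,Courier New" };
}

// Per-attribute versus combined exposure for one visitor (the third record).
function report() {
  const target = VISITORS[2];
  const attrSets = [["tz"], ["lang"], ["fonts"], ["plugins"], ALL_ATTRS];
  return attrSets.map((attrs) => {
    const size = anonymitySetSize(VISITORS, target, attrs);
    const bits = identifyingBits(VISITORS, target, attrs).toFixed(2);
    return `${attrs.join("+")}: shared with ${size} of ${VISITORS.length}, ${bits} bits`;
  });
}

for (const line of report()) console.log(line);
const hardened = VISITORS.map(standardize);
console.log("unique before:", uniqueFraction(VISITORS, ALL_ATTRS));
console.log("unique after standardizing:", uniqueFraction(hardened, ALL_ATTRS));
```

No single attribute isolates the third visitor, but the four together do; standardizing two of them puts that visitor back into a group of four.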

Fig. 3. Browser Finger Printing Data, Stock, 2018.

Device fingerprinting overcomes some of the inefficiencies of using other means of customer-tracking. Most notably, this includes cookies installed in web browsers, which businesses have long used to monitor user behavior when we visit their websites (Bernard Marr, Forbes, 06/23/17). Employers do this at a much more invasive level, but the pay is the tradeoff. Yet when employees use their own mobile device for work-related things, protection of their personal data is best achieved via data containerization tools like AirWatch and Centrify. Even on these devices, the problem is that cookies can be deleted whenever we want. It’s relatively easy for us to stop specific sites, services or companies from using them to track us — depending on how technical we are. Device fingerprinting doesn’t have this limitation as it doesn’t rely on storing data locally on our machines; instead, it simply monitors data transmitted and received as devices connect with each other (Bernard Marr, Forbes, 06/23/17).

This type of data exploitation, even with the user’s consent, allows for more complexity and thus higher malware or SPAM/advertising risk. Antivirus makers are challenged to stay ahead of these exploits. The GDPR (General Data Protection Regulation) unequivocally states that this kind of personal data collection and user tracking is not permitted to override the “fundamental rights and freedoms of the data subject, including privacy” and is, we believe, not permitted by the new European regulation (Bill Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Freedom Foundation, 12/22/18). The high courts will validate this over time.

Further complicating the matter are the terms of service on data-centric technology platforms such as Facebook, Twitter, LinkedIn, WordPress, Instagram, Amazon, etc. Their business models require considerable data sharing with third and fourth-party business entities, who gather elements of specific user data and then combine them with other browser and device fingerprinting data elements, thus completing the dataset. All the while the data subject and interconnected entities are mostly clueless. This further complicates compliance and erodes privacy, but is great for marketers — many people appreciate that Amazon correctly suggests what they often desire. Yet that is not always a good thing because this starts to precondition a person or a culture to norms at the expense of originality. In the past we saw tobacco companies do this unethically, targeting young people, and there are more examples — think for yourself.

This raises the questions of who owns these datasets and at what point in their assembly, where they are stored, how they are protected, and to what extent informed consumers can opt out if practicable — observing there is some incidental data collection that has business protection. This paradox spurs competition and the growth of privacy enhancing technologies (PETs). Existing PETs include communication anonymizers, shared bogus online accounts, obfuscation tools, two or three-factor authentication, VPNs (virtual private networks), I.P. address rotation, enhanced privacy ID (EPID), and digital signature algorithms (encryption) which support anonymity in that each user has a unique public verification key and a unique private signature key. Often these PETs are more useful when used with a fake account or server (honeynet). This attempts to divert and frustrate a potential intruder but gives the defender valuable intelligence.

Fig. 4. VPN Data Flow Diagram, Stock, 2018.

Opera, Tor and Firefox are leading secure browsers but there is an opportunity for better security and privacy plugins from the Chrome (Google) browser, while VPN (Virtual Private Network) technologies should be used at the same time for added privacy. These technologies are designed to limit tracking and correlation of users’ interactions with third-party entities. Limited-disclosure (LD) often uses cryptographic-techniques (CT) which allows users to retrieve only data that is vetted by providers, for which the transmitted data to the third party is trusted and verified.

3. Artificial Intelligence Will Grow on The SMB (Small and Medium Business) and Individual Market

In the past artificial intelligence (AI) has been primarily the plaything of big tech companies like Amazon, Baidu, Microsoft, Oracle, Google, and some well-funded cybersecurity startups like Cylance. Yet for many other companies and sectors of the economy, these AI systems have been too expensive and too difficult to roll out effectively. Heck, even machine learning and big data analytics systems can be cost and time prohibitive for some sectors of the economy, and for sure the individual market in prior years. However, we feel the democratizing of cloud-based AI and machine learning tools will make AI tools more accessible to the SMB and individual market.

Fig. 5. Open Source TensorFlow Math AI, Google, 2018.

At present, Amazon dominates cloud AI with its AWS (Amazon Web Services) subsidiary. Google is challenging that with TensorFlow, an open-source AI library that can be used to build other machine-learning software. TensorFlow was the Machine Learning behind suggested Gmail smart replies. Recently Google announced their Cloud AutoML, a suite of pre-trained systems that could make AI easier to use (Kyle Wiggers, Venture Beat, 07/28/18). Additionally, “Google announced Contact Center AI, a machine learning-powered customer representative built with Google’s Dialogflow package that interacts with callers over the phone. Contact Center AI, when deployed, fields incoming calls and uses sophisticated natural language processing to suggest solutions to common problems. If the virtual agent can’t solve the caller’s issue, it hands him or her off to a human agent — a feature Google labels “agent assist” — and presents the agent with information relevant to the call at hand” (Kyle Wiggers, Venture Beat, 07/28/18). 

The above contact center AI and chatbots can both be applied successfully to personal use cases such as medical triaging, travel assistance, self-harm prevention, translation, training, and improved personal service. Cloud platforms and AI construction tools like the open source TensorFlow will enable SMBs to optimize insurance prices, model designs, diagnose and treat eye conditions, build intelligent contact center personas and chatbots, and much more as technology evolves in 2019.

2. Useful Big Data Will Make or Break Organizational Competitiveness

Developed economies increasingly use big data-intensive technologies for everything from healthcare decisioning to geolocation to power consumption, and soon the world will too. From traffic patterns to music downloads to web service application histories and medical data, it is all stored and analyzed to enable technology and services. Big data use has increased the demand for information management companies such as Oracle, Software AG, IBM, Microsoft, Salesforce, SAP, HP, and Dell-EMC — who themselves have spent billions on software tools and buying startups to fill their own considerable big data analytics gaps.

Fig. 6. Big Data Venn Diagram, Stock, 2018.

For an organization to be competitive and to ensure its future survival, a “must have big data goal” should be established to handle the complexity of the ever-increasing massive volume of both structured (rows and tables) and unstructured (images and blobs) data. In most enterprise organizations, the volume of data is too big, or it moves too fast, or it exceeds current processing capacity. Moreover, the explosive growth of the Internet of Things (IoT) devices provides new data, APIs, plugins/tools, and thus complexity and ambiguity.

We know there are open source tools that will likely improve reliability in big data, AI, service, and security contexts in 2019. For example, Apache Hadoop is well-known for its capabilities for huge-scale data processing. Its open source big data framework can run on-prem or in the cloud and has very low hardware requirements (Vladimir Fedak, Towards Data Science, 08/29/18). Apache Cassandra is another big data tool born out of Facebook around 2010. It can process structured data sets distributed across a huge number of nodes across the world. It works well under heavy workloads due to its architecture without single points of failure and boasts unique capabilities no other NoSQL or relational database has. Additionally, it features great linear scalability, simplicity of operations due to the simple query language used, constant replication across nodes, and more (Vladimir Fedak, Towards Data Science, 08/29/18).

For 2019 organizations should consider big data a mainstream quality business practice. They should utilize and research new tools and models to improve their big data use and applications — creating a center of excellence without being married to buzzwords or overly weak certifications that all too often squash disruptive solutioning. Lastly, these centers of excellence need to be dominated not by the traditional IT director overlords but by the real people between the cracks, who know more and have more creative ideas than these directors, who often build yes cliques around themselves and who are often not the most qualified — great ideas and real leaders defy title.

1. Election Disinformation and Weak U.S. Polling Systems Harm Business and Must Be Fixed

The intersection of U.S. politics and media can be at times nasty, petty, selfish, or worse, outright lies and dirty smear campaigns under shadow proxies who skirt campaign finance laws by being either a policy advocacy group – non-political, or worse yet, a foreign-sponsored clandestine intelligence agency of an enemy to the nation whose only rule is to disrupt U.S. elections. Perhaps Russia-, North Korea-, or even China-affiliated groups.

Innovations in big data and social media, browser proxies and fiber optic cable, 5G, in conjunction with the antiquated and insecure U.S. polling system, make election news and security complicated, fragile and highly important. At present, there are few people and technology companies that can help resolve this dilemma. For a state-sponsored hacker group, altering a U.S. election is the ultimate power play.

Respect for all parties is a must and disinformation of any type should not be tolerated. Universities, think tanks, startups, government, and large companies need to put time and money into experimenting as to how we can reduce disinformation and better secure the polling systems. The first step is public awareness and education on checking purported news sources, especially those from digital media. The second step is more frequent enforcement of slander laws and policies. Lastly, we should hold technology companies to high media ethics standards and should write to their leaders when they violate them. 

As for securing the polling systems, multi-factor authentication should be used, and voting should be done digitally via secure encrypted keys. If Amazon can securely track the world’s purchases of millions of products with way more data and complexity, and with service a moon shot better than your local state DMV (driver and motor vehicle) office, then the paper ballot and OCR (Optical Character Recognition) scanners need to go. There are many Android and iOS applications that are more secure, faster, and easier to use than the current U.S. polling system and they are doing more complex things and with more data that is changing at an exponentially faster rate. They were also made for less money. Shame on the U.S. OCR election system.

Business should not be afraid to talk about this, because, like a poisonous malware, it will spread and be used to easily run businesses out of business – often due to greed and/or petty personal differences. Examples of this include hundreds or thousands of fraudulent negative Yelp reviews, driving a competitor’s search rankings down or to a malicious site, redirecting their 1-800 number to a travel scam hotline, spreading false rumors, cyber-squatting, and more. Let 2019 be the year we stand to innovate via disruptive technologies for a more ethical economy.

About the Authors:

Fig. 7. Swenson and Mebratu.

Jeremy Swenson, MBA, MSST & Angish Mebratu, MBA met in graduate business school where they collaborated on global business projects concerning leadership, team dynamics, and strategic innovation. They also worked together at Optum / UHG. Mr. Swenson is a seasoned (14 years) IT consultant, writer, and speaker in business analysis, project management, cyber-security, process improvement, leadership, music, and abstract thinking. Over 15 years Mr. Mebrahtu has worked with various Fortune 500 companies including Accenture and Thomson Reuters, and he is currently principal quality engineer/manager at UnitedHealthcare. He is also an expert in software quality assurance, cybersecurity technologies, and design and architecture of technology frames.

Five Unique Tech Trends in 2016 and Implications for 2017

1) Russian Hacking in U.S. Elections – critical infrastructure implications:
For more than ten years candidates and advocacy groups have used internet marketing hacks to steal their opponent’s websites, redirect internet traffic, or increase negative search results on them by manipulating search engine algorithms. For example, former GOP Presidential candidate Carly Fiorina failed to register carlyfiorina.org and thus had an opposition group use it as negative publicity against her, but she has since acquired the site. Yet 2016 proved to be a turning point in political hacking because of the level of sophistication and sustained effectiveness. The Washington Post reported, “Russian government hackers were able to penetrate DNC servers, compromising opposition files, chats, and emails on Republican nominee Donald Trump” (Eliza Collins, 12/30/16, USA Today). With this information, Russian intelligence agents masqueraded as third parties to create very believable spear phishing campaigns. These fake emails worked to trick victims into typing in their usernames and passwords, after which Russian agents moved further into their networks, undetected at the time.

On 12/29/16, in a first of its kind move, the Obama Administration released a joint FBI and DHS report (JAR-16-20296: GRIZZLY STEPPE – Russian Malicious – US-Cert) on the technicalities of the hack and sanctioned the GRU and the FSB (Russian intelligence agencies) and key companies they contracted with (Katie Bo Williams, 12/29/16, The Hill). The following diagrams (Fig. 1-a and 1-b) show there were two main hacking groups and that they used mostly classic hacking tactics that were clearly preventable. APT29 hides via encrypted communication and speeds up commands via PowerShell code automation, applied to multiple operating systems. Thus they must have been observing and studying/testing for a while to get this right, as it’s complex across phones, tablets, and PCs. At the same time, APT28 was using a private tunnel (like a VPN) to install and remotely run applications – key loggers designed to steal information and credentials.

Russian DNC Hack Diagram – Fig. 1 – a: (JAR-16-20296: GRIZZLY STEPPE – Russian Malicious – US-Cert).
All this started as far back as the summer of 2015, so the full penetration went undiscovered for more than a year. In that time, it has been alleged that the hackers were releasing embarrassing info to manufacture fake negative news against Hillary Clinton. In one instance the release of this info resulted in the resignation of the DNC Chair, Florida Representative Debbie Wasserman Schultz. Yet the hack is not fully partisan because many sources confirmed that Republican House members, thought leaders and non-profits to the GOP were also hacked (Jeremy Diamond, 12/16/16, CNN).

Russian DNC Hack Diagram – Fig. 1 – b: (JAR-16-20296: GRIZZLY STEPPE – Russian Malicious – US-Cert).

On 12/30/16 the Obama Administration took the strong action of expelling thirty-five Russian diplomats in response to the hack. Shortly thereafter they enacted OFAC (Office of Foreign Asset Control) sanctions against Russian business entities associated with these people. They left the country under close U.S. escort on 01/01/17 as they arrived at an airport to depart on a private Russian plane sent by president Putin.

Alleged Hacker and Russian Spy, Alisa Shevchenko – Fig. 3:
Interestingly, one of the people expelled, Alisa Shevchenko, was praised a year before by the United States, which does not speak well for U.S. intelligence agencies. Specifically, The Department of Homeland Security said “Alisa Shevchenko had helped prevent cyber crime under a program for information sharing between the public and private sector. Ms. Shevchenko was also said to have assisted a French company, Schneider Electric, in identifying vulnerabilities in its software” (Andrew E Kramer, New York Times, 12/31/16). However, we think she may have been a Russian spy all along and could have been inside key U.S. systems at that time, but this is unconfirmed. Her company, Zora Security, has been a key supplier to the Russian Military’s Main Intelligence Directorate, or G.R.U. In her recent Twitter posts she indicates that she is indifferent to being discovered by the U.S. intelligence agencies. This is likely because she is a close pawn of Putin’s who did a fairly good job going undetected as long as she did. More intel is likely to come out substantiating this.

At present, the election systems aren’t considered among the sixteen U.S. critical infrastructures and thus they have no federal protection. This is because current law defines the administration of elections as in the hands of each state, and these states do not want federal involvement in their election systems out of fear of political persecution. We can understand this (especially Texas) but think some compromise could be accorded if a state election system was targeted by a foreign government, thus making it a national interest. The federal government is less involved in the day to day activities and security of the sixteen critical infrastructures because 80% of them are owned by private enterprises. However, when Sony got hacked in 2014 it became a national issue a few days later and then the Federal government helped out, but afterward, Sony quickly wanted to avoid contact with them. This is because, although well intentioned and large, the federal government is not as good at most I.T. security as the private sector is. Yet the case of multiple state election systems is unique because they are used only for elections and then are put in storage. Ultimately each state’s voting data rolls up to the federal level and most of this supply chain is at risk of hacking and manipulation. Thus, the maintenance and updates of these systems and the systems used by dispersed political parties for campaigns need to be improved. This may require some sort of hybrid-critical infrastructure protection, increased private sector partnership, or just more dollars spent by the state election bodies and political parties. Why are commercial facilities and their systems more important than the systems that track election activity and results in a country that fought several wars to stay democratic?
By including the election process and systems as a critical infrastructure or hybrid-critical infrastructure, researchers and entrepreneurs will be inspired to improve the process, all the while sustaining or increasing privacy which is a must for a nation as diverse as the United States. More news outlets, advocacy groups, consultants, and academics need to debate this publicly!

2) Tesla and the Growth of the Electric car – decline of the gasoline based car: 
2016 was a profound year of announcements when it comes to the market for electric cars. Many car manufacturers have been playing catch up with Tesla for a few years now. That being said, several companies have produced versions of their own electric car. But there are very few that have produced an electric car designed from the ground up. The Nissan Leaf and BMW i3 were two of those, and as of November 2016 Chevrolet started manufacturing its Bolt EV. Mercedes also announced that it will have several different types of electric vehicles soon. This includes their urban electric-powered straight truck (Fig. 3) which has self-driving capabilities. This would allow inter-city delivery on an EV platform.

Mercedes Electric Self-Driving Truck Prototype – Fig. 3:

Simply put, the market is starting to catch up to Tesla. 2017, we think, will be the year that makes or breaks Tesla. If Tesla can ramp up production like it plans to, it will continue to maintain market share. By 2018, it has audacious production goals of a half million. With just about every major automotive company producing plans for electric vehicles, competition for this segment will start to get really intense.

3) Self-Driving Cars – personal and commercial:
Google has been developing a self-driving car for a few years now, but it has been slow to fully develop and bring them to market. In fact, a few of Google’s employees left to start their own company for self-driving trucks. That company, Otto, was recently sold to Uber for $680 million (Mark Harris, Business Insider – Back Channel, 12/03/16). Uber has also been working on self-driving cars with its Ford Fusion line. Now, these cars still have people behind the wheel just in case of an emergency, but it’s the next step in fully rolling out an autonomous fleet of vehicles. Uber gave their fleet of Volvo XC-90s a try for only a week in San Francisco but picked up and moved on to Arizona to continue testing. This was because they didn’t want to comply with California DMV requirements to file paperwork and pay a registration fee. Otto, on the other hand, also made their first delivery of Budweiser beer in Colorado (Fig. 4).  

Otto Self-Driving Budweiser Delivery Video – Fig. 4:

This marks the start of Uber Freight, where shippers can ship their truckloads through an Uber App. C.H. Robinson and Amazon are both developing apps like this. We think before cars get the green light to drive in inner-cities, self-driving semis will get the regulatory green light, firstly on interstates. This is because commercial vehicles cost a lot more, are bigger, and serve thousands of customers per year, thus the investment in self-driving technology is a justified priority in spite of any risk. Additionally, commercial shipping is automated in most parts of the supply chain and this is a precursor for self-driving trucks. The NHTSA did publish guidelines on self-driving cars and their testing in September. We think 2017 will be the year of testing self-driving vehicles and in 2018 it will start to become a mass market idea.

4) Surveillance via Smart Phones – privacy implications:
Smartphones are small supercomputers that house more personal info on their users and families than any other device in modern history. From texts, PHI, fingerprint scans, downloaded documents, contact lists, photos, geolocation tags, the use of many cloud databases – both upload and download, and apps that take away some of our privacy – via partial and full consent. A smart phone is more advanced than any gadget dreamed up by 007 and the need for privacy on it is just as important.

2016 proved to be a turning point in the privacy vs. government surveillance debate. It intensified after the mass shooting in San Bernardino, CA, which happened at the end of 2015, killing 14 people. Then in 2016 the government sued Apple to get them to build a backdoor into the perpetrator’s iPhone, to which Apple strongly objected. The government eventually broke into the phone shortly thereafter with the help of Israeli tech contractors. Keep in mind that ever since Edward Snowden leaked NSA documents in 2013 about the government’s overreach into technology companies, to get them to build back doors, it has become more politically acceptable to resist such demands. Congress has made very minor surveillance rollbacks, mostly related to phone metadata, but much more work needs to be done (Ellen Nakashima, The Washington Post, 11/27/15).

Android phones have also suffered hacks and backdoors. A source described it this way, “security experts say they have discovered secret ‘backdoor’ software in some Android phones that sends users’ personal data to China. Kryptowire, the security firm that discovered the vulnerability, confirmed this information on its website on Tuesday. The firm wrote that certain Android devices contain pre-installed software that collects and sends personal data, such as texts and geographical location, to an unauthorized third-party” (New York Times, 11/15/16). This is a clear blow to Android privacy and will require costly R&D by Google. With the growth of third party phone applications these risks will continue to increase and get more complicated.

Illustration of Apple vs. The FBI – Fig. 5:
Although the government argues that back doors make the nation safer, this makes no logical sense and there are no real world case studies to support it. First of all, the fact that the government needs to rely on the private sector for such backdoors and tech consulting proves that the private sector is where technology innovation comes from and that supports the concept of intense free competition.

The U.S. intelligence agencies would not be much better than a “drunken inspector gadget” without third-party consultants and tech firms. Key private sector innovation in the military industrial complex has helped this nation win wars and secure freedom for all – way back to the founding of the Union. This includes stealth fighter technologies, radar technologies, and cannons, and it does not require government overreach or back doors. The government is a paying customer of the best tech products and has always been.

Yet when the same consultants and tech firms serve regular customers, like Apple with the iPhone, those customers have a reasonable expectation of privacy and quality. This should not diminish merely because the government can’t solve a crime or problem quickly. Apple CEO Tim Cook described the government’s request this way, “it’s the software equivalent of cancer. He said he was prepared to take the fight all the way to the Supreme Court. This would be bad for America, he said. It would also set a precedent that I believe many people in America would be offended by” (Enjoli Francis, ABC News, 02/24/16). There are far more security benefits in keeping private technology data private. This includes privacy after domestic breakups, privacy from cyber-stalking, privacy from annoying marketing, privacy from political persecution and harassment. Also, Government agencies can use these same private technologies to conduct military and intelligence operations without worrying about being hacked by opposing governments or terrorists.

In 2017 we think technology companies will increase the security of their products, and companies like Apple and Google are already in the process of doing this. In Apple’s case, they have spent millions to hire encryption legend Jon Callas, who invented PGP encryption, to redesign the security of their products (Reuters, 05/24/16). We think most company shareholders, investors, customers, and finance people now see the additional cost to build in great security as required.  To customers, security on a product is worth a price premium and a globally competitive company must have secure products.

We also think policy makers will have to do more to accommodate the privacy concerns of citizens, perhaps partly like the E.U. has done. We also think 2017 will further debunk the connection between backdoor system hacks and terrorism prevention. Clearly, monitoring the entire free world’s metadata is a violation of democratic norms, and it waters down security greatly because it can easily be manipulated for every imaginable bad reason. Most likely, setting people up, and government leaders throughout all history like to find people to blame for their problems/misdeeds. Yet behavioral profiling and good traditional police and intelligence work in conjunction with advanced sustained diplomatic dialogue with a range of diverse groups, friends and enemies alike, should produce better intelligence for more specific actionable results. The intelligence community has thousands of tech tools to use to secure the nation, mostly private sector based, so they don’t need to monitor all metadata.

5) Using Drones for Last Mile Deliveries – suited for rural and high traffic areas:

Amazon Prime Drone via Prime air – Fig. 6:
Amazon made its first test delivery by a drone in the U.K. in 2016. This will continue to be developed as Amazon continues to test and tweak its system for making deliveries by drone. In fact, this is one of many programs where Amazon is developing its systems in “last mile” delivery. They also currently have their own fleet of vans to deliver and they use their Flex program of drivers to pick up and deliver packages. They also recently filed a patent for “floating warehouses” where these would have inventory in an airship that drones could pick up products and then deliver them, for example to a sporting event (Kate Abbey-Lambertz, 12/30/16, Huffington Post). Realistic but far out innovation like this will continue to challenge UPS and FedEx to provide a better customer experience. Drone delivery is just one idea. The benefit or idea behind drone delivery is that it could deliver to customers within a half hour. This would drastically improve the time to deliver to its customers. Currently, with Prime Now, you can get one-hour and two-hour delivery in certain areas.

We think Amazon will continue to develop its drone delivery in 2017 by testing it in many countries across the world. The FAA in the U.S. has been one roadblock to Amazon testing in the United States. This is just one agency that is figuring out how to regulate this new technology as it tries to prevent small planes and traffic from colliding with drones. Amazon’s competitors are watching and we’ll see how far they get in 2017.

Jeremy Swenson and Mike Cassem are two seasoned, part-time, Intel certified, retail technology marketing and training representatives on assignment at Best Buy for clients including Intel, H.P., Trend Micro, Adobe, and others – presently on sabbatical. They also spent five years crafting their public speaking and writing skills in Toastmasters International. For full-time work, Swenson doubles as a Sr. business analyst, process improvement and project management consultant. While Cassem doubles as a marketer and sales logistics analysis consultant. Tweet to them @jer_Swenson and @micassem.