Cybersecurity Musings

Amazon Go, the online retailer’s first completely automated store, debuted in Seattle last week. Using a bevy of smart cameras, deep machine learning and artificial intelligence (AI) algorithms, the store makes it possible for shoppers to simply pick up the products they like and go, with their accounts being automatically charged for the products — completely eliminating the need for cashiers and checkout lines. Though staff members still stock the shelves, they too will likely soon be replaced by robots.

This is revolutionary and will likely be how all stores will operate in the near future. Stores won’t have to invest in employees — salaries, training, overtime, health care. Customers will like it, too. No more standing in boring check-out lines, interacting with indifferent staff.

What we are witnessing is surely the future of the retail industry, but there is also a downside that needs our attention. Cashiers and retail workers are two of the most common occupations in the US, employing roughly 8 million people, many of whom tend to be younger, white women, making modest yearly incomes in the $20,000-$25,000 range.

Most of these jobs require little formal education for entry, and so the sector supports many individuals with relatively low skills and education who are likely to find it particularly hard to quickly retool and fit a different employment sector. Most of them will likely find themselves jobless.

Of course, this isn’t the only sector that AI will decimate. Driverless trucks are already being tested on major highways. They, too, have many advantages over today’s long haulers: they can run 24/7 and never get fatigued; no need for mandatory breaks; no more wasted fuel idling overnight.

Truck drivers account for a third of the cost of this $700 billion industry, and there are over 1 million mostly middle-aged, white male truckers in the US. Their jobs will be rendered obsolete. And these numbers will likely be even higher once driverless cars replace all taxi and local delivery drivers.

Such fears of computing-led obsolescence aren’t new. In 1964, less than a few years after IBM had launched the first solid-state mainframe computer, “The Twilight Zone” ran a skit titled “The Brain Center at Whipple’s” — where Mr. Whipple, the owner of a vast manufacturing corporation, replaced all his factory workers with a room-sized computing machine.

Mr. Whipple’s economic justification for his “X109B14 modified transistorized totally automated machine” could just as well be applied to AI: “It costs 2 cents an hour to run … it lasts indefinitely … it gets no wrinkles, no arthritis, no blocked arteries … two of them replace 114 men who take no coffee breaks, no sick leaves, no vacations with pay.” In the show, Whipple’s machine quickly replaced everyone from the plant’s workers to its foremen to all the secretaries.

The story was prescient and many of its fictionalized fears in time came true: Most of the large manufacturing plants were indeed shut down; secretaries and typists mostly became obsolete; and the jobs that created the American middle-class were all eventually outsourced. Much of this computer-driven automation replaced low-skilled, easily routinizable functions.

But AI is different. It utilizes deep-learning algorithms and acquires skills, so it can routinize many complex functions.

Take journalism — a task that has always been performed by humans. After its purchase of The Washington Post last year, Amazon tested Heliograf, a new AI-based writing program that automates report-writing using predefined narrative templates and phrases. From the Olympics to the elections, the software has already auto-published close to 1,000 articles.

And given its ability to churn through virtually any amount of data and spit out endless reports instantaneously, AI newsbots are way better than humans. It’s no surprise then that USA Today, Reuters, BuzzFeed and growing numbers of financial organizations are already employing AI for tasks ranging from reporting to data authentication.

In the near future, AI will replace many other such so-called highly skilled professions, from chefs to pilots and surgeons. Going back to school, learning new skills and retooling might not be an option because it would be impossible to learn as quickly, provide the kind of nuance that comes from distilling terabytes of information, or outpace AI. And besides, by the time it takes a human to acquire a new skill, AI might have learned to replace it.

If these trends materialize — and some might not — we are looking at a seismic shift in the American economy. If the last election was a push back against globalization, imagine what a rage against AI will look like.

The solution, of course, is not to stop the march of progress but to prepare for it with forward thinking investments in education, human capital and public policy. While Washington is busy cleaning up yesterday’s self-inflicted mess, this is tomorrow’s crisis that requires attention today.

At the end of the Mr. Whipple skit, he, too, was rendered obsolete — by a robot. Rod Serling’s ominous closing message: “Man becomes clever instead of becoming wise; he becomes inventive and not thoughtful; and sometimes, as in the case of Mr. Whipple, he can create himself right out of existence.” One hopes that this isn’t what AI does to us.

 

*A version of this post appeared on CNN

Thanks to the ongoing Senate hearings on election hacking, we are learning about how the Russians interfered with our presidential elections by sponsoring numerous fake social media accounts and even placing advertisements on Facebook, YouTube and Google that targeted people with an interest in divisive issues.

But while policy makers are rightfully angered by these platforms’ inability to curb these attacks proactively, it is important to recognize that Facebook, Google, and even some web hosting services were mere vehicles providing a convenient platform for what was a much larger propaganda process made possible by the Internet’s Dark Triad: spearphishing, trolling, and fake news.

It is this trifecta that Vladimir Putin used to interfere with our elections as well as elections in Germany and other parts of Europe. And it is this triad that we need to understand and stop.

At the tip of this triad is spearphishing—malware-laden email attachments and hyperlinks that, when clicked, provide the hacker backdoor access into an individual’s computers and networks. Every major attack, from the Chinese military-led theft of our F-35 spy plane blueprints, to the infamous North Korea-led hack into Sony Pictures, to the Russian hacks into the DNC computers during our elections, employed spearphishing. In fact, spearphishing attacks are so easy to craft that the Russians used the help of a 15-year-old Canadian-Kazakh citizen to conduct the attacks.

Anchoring the other end of the triad is organized trolling campaigns. What started with PR firms attempting to “manage” consumer reviews got co-opted by nation states to hijack online conversations by flooding message boards with vitriolic comments and counter-narratives. Confessions from “professional” trolls in Russia and investigative reports by the NYT’s Adrian Chen show how Russia’s state-sponsored Internet Research Agency orchestrates campaigns using phony social media profiles, interconnected networks of fake friends, even faked LiveJournal blogs for the profiles.

The final dark anchor is “fake news”—the latest form of online propaganda aimed at distorting information and spreading contrarian, even speculative views as real news. Enabling this phenomenon are some of the same phony social media profiles used for trolling along with pseudo “news” websites with seemingly credible names like The Conservative Frontline or The American Patriots, with a presence on multiple social media channels, many directly linked to Russian propaganda channels, providing the critical mass for a story to get noticed.

And as the stories are discussed by various groups the lies get crowd-sourced—arguments are strengthened, connections created, facts added—and quickly the fake news morphs into another more sensational story, spinning further news cycles. Some fake news and trolling campaigns link back to phishing websites, leading to still more breaches and even more fake news.

This was how the Russians influenced our elections. By hacking DNC emails, leaking them via WikiLeaks, and then seeding divisive political arguments, counter narratives, and conspiracy theories through fake news websites and trolling campaigns—such as pointing to the murder of DNC staffer Seth Rich in 2016 as evidence of his involvement in the hack—the Russians made many among us question our democratic processes, which ultimately influenced the elections.

Unfortunately, our collective focus today is on organizations like Facebook and Twitter, who have reacted by creating task forces that curate internal lists of fake profiles and identify fake news feeds. Others like Snopes.com, Factcheck.org, and the BBC have likewise developed internal task forces that curate lists of fake news and sites. But these initiatives only address small parts of the triad—its trees—and do nothing to stop the forest that is the triad from propagating using a different platform during the next election cycle.

What we need instead is a mechanism to stop the triad completely.

And this can be done because the triad has an Achilles’ heel: it is highly coordinated. Attacks usually reuse the same, finite set of social media profiles, web domains, fake news websites, email accounts, and even malware. In fact, the reuse of email profiles and malware signatures was our basis for identifying the source of the DNC hack as being Russian intelligence.

We can thus stop the triad if we develop mechanisms to track such coordination. But this will require a unification of efforts on our end, not the diversified approaches currently in place.
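One way such coordination tracking could work, as an added example that is not from the original post: reports from different organizations are clustered whenever they share an indicator, so a spearphishing report, a fake-news site and a troll profile that reuse the same infrastructure surface as one campaign. The report format, field names and all indicator values are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample reports (not real indicators): (id, reporter, kind, indicators),
# as different organisations might submit them to a shared reporting system.
REPORTS = [
    ("r1", "org-a", "spearphish", {"email:sender1@mail.example", "domain:login-portal.example"}),
    ("r2", "org-b", "fake-news", {"domain:login-portal.example", "profile:@voice_example"}),
    ("r3", "org-c", "trolling", {"profile:@voice_example", "profile:@frontline_example"}),
    ("r4", "org-d", "spearphish", {"email:other@mail.example", "domain:unrelated.example"}),
]

def cluster_reports(reports):
    """Group reports linked, directly or transitively, by a shared indicator."""
    parent = {rid: rid for rid, _, _, _ in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # indicator -> id of the first report that carried it
    for rid, _, _, indicators in reports:
        for ind in indicators:
            if ind in first_seen:
                parent[find(rid)] = find(first_seen[ind])  # merge the two clusters
            else:
                first_seen[ind] = rid
    groups = defaultdict(list)
    for report in reports:
        groups[find(report[0])].append(report)
    return list(groups.values())

def coordinated_campaigns(reports, min_reporters=2):
    """Clusters seen by several independent reporters, with the indicators they reuse."""
    campaigns = []
    for group in cluster_reports(reports):
        if len({reporter for _, reporter, _, _ in group}) < min_reporters:
            continue
        counts = Counter(ind for _, _, _, inds in group for ind in inds)
        campaigns.append({
            "reports": sorted(rid for rid, _, _, _ in group),
            "kinds": sorted({kind for _, _, kind, _ in group}),
            "reused": sorted(ind for ind, n in counts.items() if n > 1),
        })
    return campaigns
```

Reports r1 and r3 share nothing directly; they end up in the same cluster only because r2 links them, which is the kind of connection no single organization's internal list would reveal.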

This must begin with the development of a centralized breach reporting system where individuals and organizations can report suspected spearphishing attacks and get remedial help. Such a system could help track attacks and serve as an early warning system to other organizations, who can take effective counter measures to stop further breaches.

A similar mechanism could help stop organized trolling and the propagation of fake news. Rather than the internal policing efforts now being done covertly within social media organizations, what we need is a centralized repository—a WikiFacts page of sorts—where fake profiles, news, and suspicious data from different media websites are continuously reported, flagged, and publicly displayed. This information can be populated by social media organizations, search engines, as well as by user reports. Such a system would directly benefit the general public, who can report and review suspicious information; it can also help smaller media organizations who could directly use this intelligence to forestall any misuse of their platforms.

The Dark Triad is a dystopian version of the game of telephone played online using hacked information and fake news. Ironically, the origins of this game can be traced to a medieval game in which players wrote stories that got increasingly distorted as people passed them along—a game called Russian Scandal. Only this scandal is for real.

As eager customers meet the new iPhone, they’ll explore the latest installment in Apple’s decade-long drive to make sleeker and sexier phones. But to me as a scholar of cybersecurity, these revolutionary innovations have not come without compromises.

Early iPhones literally put the “smart” in the smartphone, connecting texting, internet connectivity and telephone capabilities in one intuitive device. But many of Apple’s decisions about the iPhone were driven by design – including wanting to be different or to make things simpler – rather than for practical reasons.

Many of these innovations – some starting in the very first iPhone – became standards that other device makers eventually followed. And while Apple has steadily strengthened the encryption of the data on its phones, other developments have made people less safe and secure.

The lights went out

Among Apple’s earliest design decisions was to exclude an incoming email indicator light – the little blinking LED that was common in many smartphones in 2007. LEDs could be programmed to flash differently, even using different colors to indicate whom an incoming email was from. That made it possible for people to be alerted to new messages – and decide whether to ignore them or respond – from afar.

Its absence meant that the only way for users of the iPhone to know of unread messages was by interacting with the phone’s screen – which many people now do countless times each day, in hopes of seeing a new email or other notification message. In psychology, we call this a “variable reinforcement mechanism” – when rewards are received at unpredictable intervals – which is the basis for how slot machines in Las Vegas keep someone playing.

This new distraction has complicated social interactions and makes people physically less safe, causing both distracted driving and even inattentive walking.

Email loses its head, literally

Another problem with iOS Mail is a major design flaw: It does not display full email headers – the part of each message that tells users where the email is coming from. These can be viewed on all computer-based email programs – and shortened versions are available on Android email programs.

Cybersecurity awareness trainers regularly tell users to always review header data to assess an email’s legitimacy. But this information is completely unavailable on Apple iOS Mail – meaning even if you suspect a spear-phishing email, there is really no way to detect it – which is another reason that more people fall victim to spear-phishing attacks on their phones than on their computers.
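The header review that trainers recommend, sketched as an added example that is not part of the original post: it compares the visible From domain with the Return-Path and Reply-To domains and reads the receiving server's Authentication-Results. The message, its domains and the exact-match domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all domains are reserved example names.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-secure.example
Subject: Action required: verify your account

Please confirm your details.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def review_headers(raw):
    """Return a list of findings a reader would look for in the full headers."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # The display name and From address are chosen by the sender; the envelope
    # sender (Return-Path) and Reply-To show where bounces and replies really go.
    # Exact match is a simplification: legitimate senders often use subdomains,
    # so a mismatch is a reason to look closer, not proof of forgery.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # Only the Authentication-Results header added by your own mail server is
    # trustworthy; this sketch assumes the one present comes from it.
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()} in Authentication-Results")
    return findings
```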

Safari gets dangerous

The iOS web browser is another casualty of iOS’s minimalism, because Apple designers removed important security indicators. For instance, all encrypted websites – where the URL displays that little lock icon next to the website’s name – possess an encryption certificate. This certificate helps verify the true identity of a webpage and can be viewed on all desktop computer browsers by simply clicking on the lock icon. It can also be viewed on the Google Chrome browser for iOS by simply tapping on the lock icon.

But there is no way to view the certificate using the iPhone’s Safari – meaning if a webpage appears suspicious, there is no way to verify its authenticity.

Everyone knows where you stand

A major iPhone innovation – building in high-quality front and back cameras and photo-sharing capabilities – has completely changed how people capture and display their memories and helped drive the rise of social media. But the iPhone’s camera captures more than just selfies.

The iPhone defaults to including in each image file metadata with the date, time and location details – latitude and longitude – where the photo was taken. Most users remain unaware that most online services include this information in posted pictures – making it possible for anyone to know exactly where the photograph someone just shared was taken. A criminal could use that information to find out when a person is not at home and burglarize the place then, as the infamous Hollywood “Bling Ring” did with social media posts.
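To show where this metadata lives and how it can be removed before a photo is shared, the following added example (not from the original post) walks a JPEG's segments, checks the Exif block for the GPSInfo pointer (tag 0x8825) and strips the Exif segment, which also holds the date and time. The sample image bytes are constructed and contain no real picture data.

```python
import struct

def segments(jpeg):
    """Yield (marker, payload, raw) for each segment up to and including the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed image data runs to the end
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes its own 2 bytes
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def has_gps(jpeg):
    """True if an Exif APP1 segment's first IFD carries the GPSInfo pointer (tag 0x8825)."""
    for marker, payload, _ in segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            order = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
            (ifd,) = struct.unpack(order + "I", tiff[4:8])
            (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
            for i in range(count):  # each IFD entry is 12 bytes, tag first
                (tag,) = struct.unpack(order + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])
                if tag == 0x8825:
                    return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; image data is untouched."""
    kept = [raw for marker, payload, raw in segments(jpeg)
            if not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00"))]
    return b"\xff\xd8" + b"".join(kept)

def sample_jpeg():
    """Constructed JPEG-shaped bytes whose Exif block points to an (empty) GPS IFD."""
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", 1)
            + struct.pack(">HHII", 0x8825, 4, 1, 26) + struct.pack(">I", 0)
            + struct.pack(">HI", 0, 0))
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x12\x34\xff\xd9"
```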

In the 10 years since the first iPhone arrived, cyberattacks have evolved and the cybersecurity stakes are higher for individuals. The main concern used to be viruses targeting corporate networks; now the biggest problem is attackers targeting users directly using spear-phishing emails and spoofed websites.

Today, unsafe decisions are far easier to make on your phone than on your computer. And more people now use their phones for doing more things than ever before. Making phones slimmer, shinier and sexier is great. But making sure every user can make cybersafe decisions is yet to be “Designed by Apple.” Here’s hoping the next iPhone does that.