Now That Microsoft Is The World’s Most Valuable Company, Has Apple Peaked?

This is the published version of Forbes’ CIO newsletter, which offers the latest news for chief innovation officers and other technology-focused leaders. Click here to get it delivered to your inbox every Thursday.

It’s been quite the bad week for Apple. Following the slide in its stock price that opened 2024, it ceded the title of the world’s most valuable company to Microsoft late last week. The Supreme Court chose not to hear Apple’s appeal of an antitrust ruling forcing it to allow alternative in-app payment options, which could cut Apple’s 30% App Store commission. And a federal appeals court ruled the company could not import Apple Watches with pulse oximeters built in as patent litigation with health tech company Masimo plays out in court.

While some of these issues are just flukes of timing, analysts say it could symbolize a shift in where business is going. Apple is largely a device company. While it has a robust services arm, Apple’s key business is selling iPhones, Apple Watches, MacBooks and iPads—a business that analysts say has been slowing. Microsoft has some devices, but it’s more of a services company today. Microsoft has made itself a leader in the nascent AI sector, owning a 49% stake in AI chatbot titan OpenAI. Microsoft also launched Copilot, an AI-powered assistant. But its non-AI business arms are also flourishing. Its Azure cloud unit helped drive revenue in its Intelligent Cloud unit to $24.3 billion in the most recent quarter, a 19% increase compared to a year prior.

However, Apple has had some good news in the last week as well. While iPhone sales have been lackluster—especially in China, where it faces significant competition from local companies—Apple now dominates the smartphone market. For the first time, Apple has unseated Samsung, shipping the most phones of any manufacturer in the world and capturing a 20.1% market share. And according to Brand Finance’s annual rankings, Apple is the world’s most valuable brand, with 74% growth in its brand value in just one year.

Both Apple and Microsoft are slated to report their new set of quarterly earnings in the coming weeks. The picture of how each company is performing—and what is becoming more valuable to forward-looking investors—will come into sharper focus then.

As the year begins, it’s also a time to take stock of security threats. I talked to Omkhar Arasaratnam, general manager of the Open Source Security Foundation (OpenSSF) in the Linux Institute, about some of the threats that will present themselves in 2024, as well as how AI might be used to make systems and the code behind them more secure.

ARTIFICIAL INTELLIGENCE

While Apple may now have the title as the world’s top cell phone manufacturer, the more-than-decade-long champion Samsung is nipping at Apple’s heels with a new launch that has AI at its core. The Galaxy S24, unveiled this week, brings AI to consumers by marrying some of the potentially most helpful features for everyday users with a popular smartphone interface. The Galaxy AI feature has a new translation function, which performs real-time translations of phone calls, texting and in-person conversation across 13 languages. Users can circle anything that appears on their screen to perform a Google search. AI-enabled transcription and note-taking features can help users organize their conversations and thoughts. And AI photo editing features can help fill in backgrounds, move subjects in the frame and erase items.

Forbes senior contributor Ewan Spence talked to Samsung U.K. Vice President and Head of MX James Kitto about the company’s vision for Galaxy AI. “We can change the rules,” Kitto said. “We can leverage Samsung’s scale, with over a billion users. We can present the world’s first mobile AI use case to [a massive] market.”

AI capabilities are not just coming to smartphones. At the Consumer Electronics Show in Las Vegas last week, many manufacturers showed off their forthcoming “AI PCs,” which are essentially PCs with built in GPU or NPU units to be able to handle the sophisticated processing needed to operate artificial intelligence. Forbes senior contributor Barry Collins spoke to several of the manufacturers of these new AI PCs, who all said the new processors would add much more power to their machines. There weren’t many concrete examples of what they would do, but when it comes to upgrading enterprise systems, the promise of more power and greater efficiency could be enough to seal a business deal.

POLICY + REGULATIONS

In the last couple of years, Nvidia has become one of the hottest tech companies in the U.S. Its top-of-the-line GPUs, which are commonly seen as some of the best to facilitate the current AI boom, has increased the focus and amped up the importance in what it does. And that means Nvidia is putting together a new lobbying and policy team. Last year, Nvidia had only spent $350,000 on lobbying, next to nothing compared to tech giants Alphabet ($10.9 million) and Meta ($14.6 million), and a fraction of rival chip makers AMD ($2.7 million) and Intel ($5 million), according to OpenSecrets figures. Nvidia’s new policy arm, reported on by Forbes’ Richard Nieva, includes at least four government affairs staffers in Washington, D.C. with experience at agencies including the Treasury Department, State Department and Homeland Security. As the need for AI regulations becomes a bigger topic for discussion, as well as restrictions on exporting U.S.-made tech to China, Nvidia will benefit from being able to participate.

FROM THE HEADLINES

Larger social platforms say they are ready to moderate election and campaign-related posts. OpenAI says it will ban politicians, campaigns and lobbying groups from using its ChatGPT and Dall-E tools. The generative AI app also says it will introduce authentication tools to prohibit users from impersonating candidates, and help users assess whether to trust images. Meta will label state-run media, require disclosure of AI and other digital tools, and bar campaign ads in the last week of campaigns. Google will limit the types of election-related queries its chatbot Bard and other generative AI products can answer. TikTok says it will work with fact-checking organizations to prevent the spread of misinformation. And X, formerly known as Twitter, will be promoting its crowdsourced Community Notes to combat disinformation—though it has been widely criticized as inadequate and error-prone.

FUNDING

AI startup Anthropic is on a roll. It’s moving toward a mammoth $750 million funding round, which would nearly quadruple its valuation to $18.4 billion. Menlo Ventures, the lead investor in the round, is using a special purpose vehicle—a smaller fund directing its cash to just one company—to raise $500 million for Anthropic. An additional $250 million is expected from Menlo’s own funds and insider contributions, reported Forbes’ Alex Konrad and David Jeans. Anthropic, which launched its Claude 2.0 chatbot last summer and is known for its work to prevent the “dark side” of AI from taking over, also has massive investments from Google and Amazon.

BITS + BYTES

OpenSSF General Manager Omkhar Arasaratnam Talks Cybersecurity Threats And Mitigating Risk With AI

Omkhar Arasaratnam has spent most of his career working in the realm of cybersecurity. As the general manager of the Open Source Security Foundation (OpenSSF), which is part of the Linux Foundation, he works to combat security threats to open source software, which he estimated comprises about 90% of commercial software out there. I talked to him about the threats—and solutions—in front of us in 2024. This conversation has been edited for length and clarity.

Where are the biggest cybersecurity threats coming from now?

Arasaratnam: If we’re to fast forward December 31, 2024, and we’ve got the balance beam out, what you’re going to see is the majority of breaches are going to be these rather pedestrian, well-known security exploits. Maybe there will be a little bit of sizzle, in terms of some really novel attacks. …If we go back to something like the MOVEit security vulnerability, it was spring of last year that we first started seeing that exploit. That was a SQL injection. SQL injection was first discussed as a novel security issue more than 25 years ago. If I recall, it was Christmas Day of 1998. There was a post to a security mailing list saying, ‘Hey, this kind of thing could be a problem.’

What I come back around to is absolutely as technology evolves, there’s going to be all these other interesting areas that we need to protect, that maybe weren’t as much of a concern before. But I think where the majority of issues are going to continue to occur in 2024 is going to be in the basics: authentication, good patch management practices. And the incidence will occur as a result of those protections not being in place.

Does AI play a role in cybersecurity?

Arasaratnam: One of the ways that we believe artificial intelligence and large language models can help us is by leveraging them to help secure open source software. August of last year, we launched a challenge with DARPA—the Defense Advanced Research Projects Agency, who brought us such things as the internet, who are apt to facilitate these kinds of moonshot challenges—to challenge the community and say, ‘Hey, we think this new technology could be used to secure and eliminate entire classes of problems in open source software.’ That SQL injection that keeps cropping up for the last 25 years. If we could figure out how to use large language models to eliminate those classes of vulnerability from the open source code base, that would be really cool.

How do you think this would be done?

Arasaratnam: We rely on three big buckets. The most basic…is called a linter. It’s called a linter because, much like a lint brush would pick up lint on clothing, it just gets rid of the basic crusty stuff. Think of that as almost an automated editor that goes through and makes sure that everything conforms to the right style. Much like writing prose, when you write code, everyone’s got a different style. It makes sure that all the stylistic things, like putting an enter before an open bracket, is conformed to in a way that’s consistent.

Over and above that, we have static analysis. Static analysis is a little more sophisticated. When your code is being compiled, it’ll go in and say, ‘Ah, you know what? That looks like a potential security exploit,’ and give you a warning. So you, the developer, can correct the code.

Beyond that, there are some things that can only be determined at runtime. Not when the code is being compiled, but when it’s executing on a computer. That’s called dynamic testing. There’s a number of different methods of doing dynamic testing, including things called fuzzers, which are used to just send random input and see how the program will react.

My prediction [and] DARPA’s prediction is that there’s going to be an even more sophisticated set of analysis that large language models will be able to perform. Whether it be static analysis, or dynamic analysis, computers themselves are kind of constrained to understand what good looks like. Our belief is that, with similar benefit to what we’ve seen from Gemini or ChatGPT, our assumption is leveraging these large language models, there’s even more novel approaches to understand the code and how the code will run. One of the most vexing challenges that we get into in software engineering, to pick a very specific problem, is a kind of error condition called a race condition. In a race condition, you basically have all of these multiple kinds of events that could be occurring at the same time, but to observe that effect, everything has to line up just right. Maybe it could be a scenario like that, that large language models are able to quickly identify, that some of our traditional security error checking may not be able to.

You’ve talked about good things that AI could do for cybersecurity. Are there any risks?

Arasaratnam: The way that LLMs can be used to more effectively run social engineering campaigns, whether that be trickery of an AI-generated video. Whether it be an AI-generated voice that sounds like your child, or your mother or another loved one calling you up and expressing a ransom has to be paid in gift cards. Whether that be LLMs crafting the proverbial scam emails en masse, but with much better accuracy and better command of the English language. I think we’re already seeing a lot of these right now, and I think that’ll continue to occur. I think the same analysis that I just mentioned, in terms of LLMs being able to perform this analysis of open source software with the intent of correcting it, can also use LLMs to find holes in open source software that haven’t yet been identified. Or to pore over vast quantities of data that hasn’t yet been analyzed to understand ways of exploiting that data, or being able to glean trend analysis, things like that.

Criminals are no longer the proverbial smash-and-grab punks. It’s not people that are taking a crime of opportunity on the internet. They operate like businesses. We’ve seen evidence that they operate 9 to 5 in their local time zone and have management hierarchies.

…Bad people may try to exploit the LLMs themselves, so they can engineer the large language model to produce a bad result. If it’s an LLM that’s focused on secure code generate, to manipulate it in such a way that it generates insecure code, whether it is by manipulating the training data, manipulating how the LLM runs at runtime. It’s what we call a watering hole attack. If you can make a central place that is accountable for producing an artifact to a large quantity of people, if you can manipulate that to be an outcome that’s insecure and one that you can exploit, I suspect that people are going to start looking to do that as well.

What kinds of outcomes are you hoping to see in the DARPA Challenge?

Arasaratnam: One of the challenges that we’ve seen in software engineering, especially for those of us who’ve been around a couple of decades like myself, is some of the languages that we historically use for a lot of low-level programming, …like C and C++, are particularly fragile when it comes to what we would call now memory safety. There was a study by CISA [Cybersecurity & Infrastructure Security Agency] in DHS that said [almost] 70% of recent security exploits … had been memory safety failures. Were they everything? No. Were they a disproportionate amount? Absolutely. Because of that, especially when it comes to low-level programming, there’s been a lot of popularity and interest around languages like Rust. Rust has this opportunity to be able to perform: very high performance, very low-level environments that were previously the domain of C and C++, but to do so in a memory-safe manner.

How does this apply to AI and LLMs? As much as software engineers would like not to admit it, every time a human touches code, there’s the potential for a bug to be introduced. It would be incredible if large language models could come in and rewrite legacy C code as Rust, or at least do so for what I’d say are security sensitive code paths, where you’re taking input from a user, where you’re handling cryptographic keys, where you’re handling authorization. And in doing so, you balance the potential that even an LLM could make a translation mistake with benefit of recoding and a memory-safe language.

How can you utilize AI and keep your system secure?

Arasaratnam: When it comes to AI in particular, the learnings that I would take from previous technologies is to really be considerate about making it a risk-based approach. There are tons of ways that AI, LLMs and all the new artificial intelligence technologies can benefit your business. Whether that is being able to understand sentiment from text, or to be able to better handle your call center, or to be able to do image analysis. It can benefit your business’s bottom line, and that’s really why we invest in these technologies—not just for the sake of technology. But for each of these business advantages, there’s also a business risk. …You should be making those decisions eyes wide open. If you are going to use an LLM to secure your codebase against security vulnerabilities, you should have some confidence in the LLM’s ability to do that. If there isn’t, maybe keep a human in the mix to make sure that something inappropriate hasn’t been added.

I do think that there’s going to be some novelty in terms of the exploits we see. I think that the controls that we have at our disposal don’t necessarily have to be novel. They need to be common sense. They need to be risk-based.

FACTS + COMMENTS

Sheryl Sandberg, former chief operating officer of Meta, announced yesterday she will leave the company’s board of directors when her term ends in May.

12 years: Length of time she served on Meta’s board

$1.9 billion: Forbes estimate of Sandberg’s net worth

It ‘feels like the right time to step away’: Sandberg’s Facebook post announcing her decision

VIDEO

Mozilla CEO Mitchell Baker On Lessons From Netscape For Ethical AI

QUIZ

Chinese search engine giant Baidu saw its Nasdaq shares drop more than 12% this week. Why?

A. It introduced an AI assistant that didn’t work

B. It was hacked to return violent pro-Hamas content in all search results

C. CEO Robin Li berated the United States in a speech

D. A report linked its chatbot to China’s military

Check if you got it right here.