|From: Ron||11/11/2019 4:14:18 PM|
|Google’s Secret ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans|
Search giant is amassing health records from Ascension facilities in 21 states; patients not yet informed
Google is engaged with one of the country’s largest health-care systems to collect and crunch the detailed personal health information of millions of Americans across 21 states.
The initiative, code-named “Project Nightingale,” appears to be the largest in a series of efforts by Silicon Valley giants to gain access to personal health data and establish a toehold in the massive health-care industry. Amazon.com Inc., Apple Inc. and Microsoft Corp. are also aggressively pushing into health care, though they haven’t yet struck deals of this scope.
Google began the effort in secret last year with St. Louis-based Ascension, the second-largest health system in the U.S., with the data sharing accelerating since summer, the documents show.
The data involved in Project Nightingale encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.
Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and documents.
Some Ascension employees have raised questions about the way the data is being collected and shared, both from a technological and ethical perspective, according to the people familiar with the project. But privacy experts said it appeared to be permissible under federal law. That law, the Health Insurance Portability and Accountability Act of 1996, generally allows hospitals to share data with business partners without telling patients, as long as the information is used “only to help the covered entity carry out its health care functions.”
Google in this case is using the data, in part, to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care. Staffers across Alphabet Inc., Google’s parent, have access to the patient information, documents show, including some employees of Google Brain, a research science division credited with some of the company’s biggest breakthroughs.
In a press release issued after the Journal’s article was published, the companies said the project is compliant with federal health law and includes robust protections for patient data.
|From: Glenn Petersen||11/16/2019 9:21:23 AM|
|Wikipedia co-founder wants to give you an alternative to Facebook and Twitter|
WT:Social will be funded by user donations, not advertising.
Christine Fisher, @cfisherwrites
Two years ago, Wikipedia co-founder Jimmy Wales launched Wikitribune, an online publication meant to combat fake news with original stories by reporters and "citizen journalists." Wikitribune never really caught on, so now, Wales is shifting gears. Wikitribune is relaunching as WT:Social, a social-networking site and news sharing platform. He hopes it will be an alternative to Facebook and Twitter.
Like those platforms, WT:Social will let users share articles. But WT:Social will be funded by donations, rather than advertising. "The business model of social media companies, of pure advertising, is problematic," Wales told Financial Times. "It turns out the huge winner is low-quality content."
Unlike Facebook and Twitter, which use algorithms to bump posts with the most comments or likes to the top, WT:Social will show the newest links first. It may add an "upvote" button in the future.
WT:Social will also support small, niche communities. Those sound wholesome now (think: beekeeping), but we've seen how small communities can fester online. WT:Social promises, "We will foster an environment where bad actors are removed because it is right, not because it suddenly affects our bottom-line."
WT:Social will be free to join, but at the moment, you either have to sign up for a waitlist, donate or invite friends. Just a month old, it already has 50,000 users, Wales told FT, adding "Obviously the ambition is not 50,000 or 500,000 but 50m and 500m."
|From: Ron||11/18/2019 12:40:36 PM|
|‘Low-Code’ Becomes High Priority as Automation Demands Soar |
CIOs are expanding the use of tools that let noncoders create applications
Chief information officers, on the hook to automate manual and repetitive business processes, are increasingly turning to tools designed to create applications quickly, without the sweat of writing and debugging lines of code.
Collectively known as “low-code,” these tools have been available in some form for decades. But they have grown more popular with information-technology staff and other departments as workplace automation grows and young, mobile-savvy people join the workforce.
With low-code, employees can quickly make apps by picking, dragging and dropping from a collection of ready-made software building blocks.
Johnson Controls International PLC, an Ireland-based industrial and technology conglomerate that makes heating, ventilation, and air conditioning systems, tapped nontech employees like engineers to create low-code dashboards that track installations, record project metrics and manage service calls, said Chief Information Officer Nancy Berce.
The company, which has about 105,000 employees across more than 100 countries, set up guardrails so the low-code apps don’t disrupt the resiliency of its central systems, she said.
“A lot of people are creating a lot of good things; how do we start to share that and make that more available to broader users? We haven’t quite figured that one out yet. That’s the next level of maturity,” Ms. Berce said.
Freeing up staff to focus on core technology issues was one of the reasons St. Luke’s University Health Network in Pennsylvania started using low-code, said CIO Chad Brisendine.
“There’s always a bigger appetite for IT than what we’re able to provide. I see this as helping meet that demand,” Mr. Brisendine said.
IT employees turned to low-code to build more than 20 applications using Microsoft Corp. tools. None of them took more than 20 hours to create.
It took eight hours to make an app that pulls information from the hospital’s systems, including a Workday Inc. platform, to track and send reminders to staff on continuing medical training, a requirement for doctors to retain their license. The author, an analyst in the IT department, didn’t know how to code, Mr. Brisendine said.
Mr. Brisendine next year plans to expand low-code training to more business units within St. Luke’s, which has about 15,000 employees.
Companies including Siemens AG, Appian Corp., Pegasystems Inc. and Salesforce.com Inc. also provide low-code tools.
Forms of low-code have been around for decades, but combining it with the use of application programming interfaces, chunks of code designed to connect systems and platforms and share data, has made it easier for those not conversant in C++ or Java to create applications with a punch, said Jason Wong, senior director at research and advisory company Gartner Inc.
Gartner is projecting that low-code will account for more than 65% of application development activity by 2024.
David Hoag, CIO at Chicago-based Options Clearing Corp., a central clearinghouse serving as a backstop for trades in the options market, said making low-code applications is as easy as dragging and dropping widgets.
The company used low-code to develop a visitor-registration system as part of an “app a day” program, where technology teams work with other departments to create applications to solve pressing business problems. The system, created in less than a day, registers visitors, logs arrival and departure times, captures visitor and badge information, and helps the facilities team generate reports on visitor activity.
Similar commercial software was quoted at costing between $30,000 and $50,000 a year, Mr. Hoag said.
OCC started building low-code apps in 2015 and today uses about 30 of them. Mr. Hoag sees low-code’s use spreading beyond IT.
|From: Glenn Petersen||12/8/2019 9:51:02 PM|
|Musk's defamation win may reset legal landscape for social media|
Saturday, 7 December 2019 14:58 GMT
By Tom Hals
Dec 6 (Reuters) - Elon Musk's daring has left its mark on electric cars and rockets, and now experts say the entrepreneur may have reshaped U.S. defamation law with his willingness to defend at a high-stakes trial a lawsuit over an off-the-cuff tweet.
The victory by Tesla Inc's outspoken chief executive over a Twitter message describing a British cave explorer as "pedo guy" has raised the bar for what amounts to libel online, according to some legal experts.
Musk defended his comments as trivial taunts made on a social media platform that he argued everyone views as a world of unfiltered opinion, which is protected as free speech, rather than statements of fact.
"I think this verdict reflects that there is a feeling that internet tweets and chats are more like casual conversation whether you call it opinion or rhetoric or hyperbole and should not be punished in a lawsuit," said Chip Babcock, a lawyer who defends against defamation lawsuits.
Several other attorneys who specialize in defamation cases privately expressed surprise at the outcome of what they viewed as a strong case for the cave explorer, Vernon Unsworth. They attributed it to Musk's fame and the perceived youthfulness of the jury.
But they also agreed it would shift the legal landscape, undercutting the cases that would have seemed viable before the trial while defendants would use it to try to reduce possible settlement values.
Musk's court papers cast his comments as part of the rough-and-tumble world of Twitter, which rewards and encourages emotional outbursts and sucks in readers worldwide but that no one takes seriously.
Mark Sableman, a lawyer who defends defamation cases, said the freewheeling nature of social media has inevitably changed the understanding of language and what amounts to defamatory factual statements, versus opinion.
"I think defendants in modern defamation cases are likely to point to the vitriolic no-holds-barred nature of modern social media, cable TV, and political discourse, in contending that many words and accusations formerly considered defamatory are now understood only as mere opinions, not factual assertions," he said.
In general, to prove libel, the written form of defamation, someone must show the existence of a false statement, which defendants often try to present as opinion. The plaintiff also must show it was published to a third party, it was negligent and it caused harm.
"While there is more leeway and more hyperbole online and in social media in general, courts never really accepted that argument that social media is a libel free-zone," said Lyrissa Lidsky, a professor who specializes in defamation at the University of Missouri School of Law.
Several attorneys said Unsworth appeared to have a strong case, and noted that Musk failed to convince the judge to dismiss it at an early stage. But they cautioned that anything can happen in a courtroom where factors such as the credibility of witnesses and likeability of parties can become important factors.
"Based on the court's pre-trial rulings on motions, Mr. Unsworth's case going in had the potential to underpin a substantial verdict in his favor," said John Walsh, who represents people bringing defamation cases.
Unsworth helped rescue a boys soccer team from a flooded cave in Thailand and during a TV interview criticized Musk's "PR stunt" of showing up at the site with a mini-submersible, which was never used. Musk responded with several tweets to his almost 30 million followers and a damaging email to a news outlet, and the lawsuit followed.
In recent years, judges have been wrestling with social media comments and whether to consider them factual statements or protected opinions.
U.S. President Donald Trump, singer and actress Courtney Love and actor James Woods have all been embroiled in multiple libel lawsuits over tweets, with mixed results.
Trump has had success casting Twitter as a place where combatants trade demeaning messages that users understand are not defamatory statements of fact.
Judge James Otero in Los Angeles dismissed a case against the president for a tweet blasting as a "total con job" a claim by adult film actress Stormy Daniels that she was threatened for speaking about an alleged affair with Trump. Otero described the message as "rhetorical hyperbole," fired off with an incredulous tone that no reasonable person would take as factual statement about Daniels, whose real name is Stephanie Clifford.
Unsworth's attorney, Lin Wood, warned social media is "tearing at the fabric of society" and the Musk verdict would worsen that trend.
"It is now said by this jury that insults are completely open season," he said. "Everyone should be concerned about their reputations."
(Reporting by Tom Hals in Wilmington, Delaware; Editing by Noeleen Walder and Daniel Wallis)
|To: Glenn Petersen who wrote (6572)||12/10/2019 9:50:56 AM|
|From: Glenn Petersen|
|In wake of Shutterstock’s Chinese censorship, American companies need to relearn American values|
Danny Crichton @dannycrichton /
5:25 am CST • December 8, 2019
It’s among the most iconic images of the last few decades — a picture of an unknown man standing before a line of tanks during the protests in 1989 in Beijing’s Tiananmen Square. In just one shot, the photographer, Jeff Widener, managed to convey a society struggling between the freedoms of individual citizens and the heavy hand of the Chinese militarized state.
It’s also an image that few within China’s “great firewall” have access to, let alone see. For those who have read 1984, it can almost seem as if “Tank Man” was dropped into a memory hole, erased from the collective memory of more than a billion people.
By now, it’s well-known that China’s search engines like Baidu censor such political photography. Regardless of the individual morality of their decisions, it’s at least understandable that Chinese companies with mostly Chinese revenues would carefully hew to the law as set forth by the Chinese Communist Party. It’s a closed system after all.
What we are learning though is that it isn’t just Chinese companies that are aiding and abetting this censorship. It’s Western companies too. And Western workers aren’t pleased that they are working to enforce the anti-freedom policies in the Middle Kingdom.
Take Shutterstock, which has come under great fire for complying with China’s great firewall. As Sam Biddle described in The Intercept last month, the company has been riven internally between workers looking to protect democratic values, and a business desperate to expand further in one of the world’s most dynamic countries. From Biddle:
Shutterstock’s censorship feature appears to have been immediately controversial within the company, prompting more than 180 Shutterstock workers to sign a petition against the search blacklist and accuse the company of trading its values for access to the lucrative Chinese market.
Those petitions have allegedly gone nowhere internally, and that has led employees like Stefan Hayden, who describes nearly ten years of experience at the company as a frontend developer on his LinkedIn profile, to resign:
The challenge of these political risks is hardly unknown to Shutterstock. The company’s most recent annual financial filing with the SEC lists market access and censorship as a key risk for the company (emphasis mine):
For example, domestic internet service providers have blocked and continue to block access to Shutterstock in China and other countries, such as Turkey, have intermittently restricted access to Shutterstock. There are substantial uncertainties regarding interpretation of foreign laws and regulations that censor content available through our products and services and we may be forced to significantly change or discontinue our operations in such markets if we were to be found in violation of any new or existing law or regulation. If access to our products and services is restricted, in whole or in part, in one or more countries or our competitors can successfully penetrate geographic markets that we cannot access, our ability to retain or increase our contributor and customer base may be adversely affected, we may not be able to maintain or grow our revenue as anticipated, and our financial results could be adversely affected.
Thus the rub: market access means compromising the very values that a content purveyor like Shutterstock relies on to operate as a business. The stock image company is hardly unique to find itself in this position; it’s a situation that the NBA has certainly had to confront in the last few weeks:
It’s great to see Shutterstock’s employees standing up for freedom and democracy, and if not finding purchase internally with their values, at least walking with their feet to other companies who value freedom more reliably.
Unfortunately, far too many companies — and far too many tech companies — blindly chase the dollars and yuans, without considering the erosion in the values at the heart of their own business. That erosion ultimately adds up — without guiding principles to handle business challenges, decisions get made ad hoc with an eye to revenues, intensifying the risk of crises like the one facing Shutterstock.
The complexity of the Chinese market has only expanded with the country’s prodigious growth. The sharpness, intensity, and self-reflection of values required for Western companies to operate on the mainland has reached new highs. And yet, executives have vastly under-communicated the values and constraints they face, both to their own employees but also to their shareholders as well.
As I wrote earlier this year when the Google China search controversy broke out, it’s not enough to just be militant about values. Values have to be cultivated, and everyone from software engineers to CEOs need to understand a company’s objectives and the values that constrain them.
As I wrote at the time:
The internet as independence movement is 100% dead.
I ultimately was in favor of Google’s engagement with China, if only because I felt that the company does understand its values better than most (after all, it abandoned the China market in the first place, and one would hope the company would make the same choice again if it needed to). Google has certainly not been perfect on a whole host of fronts, but it seems to have had far more self-reflection about the values it intends to purvey than most tech companies.
That makes the ethical terrain for Silicon Valley workers much more challenging to navigate. Everything is a compromise, in one way or another. Even the very act of creating value — arguably the most important feature of Silicon Valley’s startup ecosystem — has driven mass inequality, as we explored on Extra Crunch this weekend in an in-depth interview.
It’s well past time for all American companies though to double down on the American values that underlie their business. Ultimately, if you compromise on everything, you stand for nothing — and what sort of business would anyone want to join or back like that?
China can’t be ignored, but neither should companies ignore their own duties to commit to open, democratic values. If Tank Man can stand in front of a line of tanks, American execs can stand before a line of their colleagues and find an ethical framework and a set of values that can work.
|From: Glenn Petersen||12/17/2019 8:49:19 PM|
|'They’ve been blindsided’: Silicon Valley wakes up to Sacramento |
By KATY MURPHY
12/16/2019 07:16 PM EST
SACRAMENTO — The powerful tech giants of Silicon Valley may wield some of the biggest lobbying budgets in Washington, but they have been comparatively absent in their home state’s capital — where they are now on the defensive.
California caught the world by surprise last year when it passed the nation’s strongest data privacy law, instantly making Sacramento one of the most important regulators of global tech. As members of the California legislature forged the deal on a defining challenge of the digital age, the internet companies were slow to awaken to the threat, and brought few of their considerable resources to bear.
The combined lobbying firepower of Google, Facebook and two major tech trade associations amounted to just $235,000 in the three months leading up to the vote, compared with $3 million from the four biggest oil interests. Facebook, then mired in the Cambridge Analytica scandal, spent less than $18,000 that quarter, according to disclosure records.
The business community’s recent attempts to roll back parts of the privacy law, which takes effect in January and will give consumers more control over personal data, haven’t gone much better, further underscoring the disconnect between Silicon Valley and its powerful neighbors a two-hour drive away.
The Washington travails of Mark Zuckerberg and other Silicon Valley czars are well-known, and tech companies have been grappling with aggressive European regulators eager to rein them in for years now — the European Union has the world’s most stringent privacy law. But the companies’ reluctance to plunge into California politics has hurt them, strategists say, as they grapple with proposals from state lawmakers and a ballot initiative system that has produced two data-privacy campaigns in less than three years.
“You just get the sense that they feel that Sacramento is on the other side of the moon,” said Andrew Acosta, a Democratic strategist.
That light touch looks to be changing as California dives deeper into data-privacy regulation. Facebook, Google and the trade groups TechNet and the Internet Association are on track to boost their combined lobbying spending by more than 80 percent this year and next, compared to the last two-year legislative session. Those four groups spent a combined $1.3 million to influence policymakers in the first nine months of the year. And Facebook has just hired a well-connected Sacramento insider, Mona Pasquil Rogers, to run its California policy shop.
But is it too late? Souring public sentiment about tech’s role in society and daily life may undermine companies’ efforts to shape policy in Sacramento, where even business-friendly Republicans have raised alarms. California’s ballot initiative process adds another layer of unpredictability.
This year’s tech lobbying blitz, to the surprise of many, did not yield major carveouts in the new Privacy Act. What’s more, the consumer privacy advocate behind the law, Alastair Mactaggart, said he was so concerned by such efforts to water it down that he decided to advance a second ballot initiative for 2020. The new version would add new consumer protections — and prevent the Legislature from making any changes that would weaken the Privacy Act.
That could explain why tech companies who don’t like California’s new privacy rules are leaning on Washington for regulations that would supersede state laws — an end-run on Sacramento. Last month, a tech and telecom-funded foundation helped send a delegation of California lawmakers to Washington. In meetings with their counterparts in Congress, the tech-friendly caucus discussed the flaws in California’s law and the merits of federal preemption, one of the organizers told POLITICO.
One might assume state politicians facing reelection would shiver at the thought of alienating a company worth the GDP of Argentina or Saudi Arabia. And to be sure, the sector does have friends in the Legislature. But a closer look at campaign finance records shows that Big Tech has not been a big player in candidate races.
Facebook is by far the sector’s biggest spender, with $1.7 million in contributions since 2009 (excluding those made by a former company executive to his own campaign for attorney general in 2010). Google has spent $959,000, state records show, while Apple has given just $256,000.
Compare that to $5.3 million that AT&T funneled into candidates’ coffers during that period, and $6.2 million from labor powerhouse SEIU.
In fact, strategists say, some progressive lawmakers might even welcome opposition from companies like Facebook. “If Facebook did a big independent expenditure against Buffy Wicks,” Acosta said, pointing to a first-term assemblywoman who has championed privacy rights, “Buffy Wicks would say, 'Bring it on!’”
“It’s telling that candidates running for president are now using Mark Zuckerberg in their ads and highlighting him as a negative,” he added. “Facebook’s on the ground and everyone’s kicking them.”
Facebook and Google declined to comment.
Amazon’s foray into local politics offers a cautionary tale. The company suffered a public relations backlash and electoral defeat in November after pouring nearly $1.5 million into a PAC backing business-friendly candidates for Seattle City Council.
But another veteran Sacramento strategist thinks it is even riskier for tech to remain on the sidelines. Steve Maviglio, a ballot initiative consultant, believes the industry’s ambivalence about publicly opposing the 2018 data-privacy initiative created an opening for California’s privacy law.
Maviglio was hired by a tech and telecom coalition to fight the initiative. But rather than pledge millions to defeat it, he said, the companies took a wait-and-see approach, not wanting to be the first to jump. The first contribution didn’t come until February 2018, four months after the initiative was filed, campaign records show. That April, reeling from the Cambridge Analytica fallout, Facebook announced it would no longer fight the privacy measure.
The initiative had strong polling, and in June the Legislature unanimously passed the Privacy Act as part of a deal to get it off the ballot. By passing it in the Capitol, lawmakers regained the power to make changes without going back to the voters.
“There was a fundamental misunderstanding of how the initiative system worked and what they had to do,” Maviglio said. “It was painful to try to get them engaged, and frankly, that’s one of the reasons the Privacy Act passed last year. They simply didn’t know how to engage and head it off.”
Roger Salazar, another veteran Democratic consultant, drew a contrast between the tech startups of today and the hardware and software giants like Hewlett Packard and Apple that ruled Silicon Valley in the 1980s. The valley’s first generation companies tended to hire “old school” executives, he recalled, “types of corporate managers who understood how to deal with government.”
Newer tech businesses don’t tend to have the same kinds of safeguards or relationships, he said, possibly because they’ve grown at such a dizzying rate.
“I think they’ve been blindsided,” Salazar said, “because they didn’t understand the process, they didn’t understand the environment they were operating in, they didn’t understand the political system in California.”
The tipping point for Facebook’s image — in Sacramento and just about everywhere else — was the Cambridge Analytica scandal that exploded in early 2018. The British consulting firm hired by the Trump campaign acquired data from millions of the social network’s users that had been gathered without their knowledge and used it to try to manipulate likely voters with political ads before the 2016 election.
Google’s data-gathering practices and market dominance have also been under the microscope, especially as the company expands into the personal health realm and tries to acquire Fitbit.
In early November, California Attorney General Xavier Becerra revealed an ongoing probe into Facebook’s handling of personal data stemming from Cambridge Analytica. Becerra, a former Southern California congressman, also announced he was suing the company for allegedly stonewalling his investigation.
In a sign of the company’s fall from grace, Becerra’s reelection campaign used the news as fundraising fodder.
“Xavier sued Facebook,” read the email blast. “Big Tech is no longer an infant. These corporations are running at Olympic speed. It’s time for the industry to be treated as an adult.”
|From: Glenn Petersen||12/22/2019 10:04:39 AM|
|Triton is the world’s most murderous malware, and it’s spreading|
The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.
by Martin Giles
MIT Technology Review
Mar 5, 2019
As an experienced cyber first responder, Julian Gutmanis had been called plenty of times before to help companies deal with the fallout from cyberattacks. But when the Australian security consultant was summoned to a petrochemical plant in Saudi Arabia in the summer of 2017, what he found made his blood run cold.
The hackers had deployed malicious software, or malware, that let them take over the plant’s safety instrumented systems. These physical controllers and their associated software are the last line of defense against life-threatening disasters. They are supposed to kick in if they detect dangerous conditions, returning processes to safe levels or shutting them down altogether by triggering things like shutoff valves and pressure-release mechanisms.
The malware made it possible to take over these systems remotely. Had the intruders disabled or tampered with them, and then used other software to make equipment at the plant malfunction, the consequences could have been catastrophic. Fortunately, a flaw in the code gave the hackers away before they could do any harm. It triggered a response from a safety system in June 2017, which brought the plant to a halt. Then in August, several more systems were tripped, causing another shutdown.
The first outage was mistakenly attributed to a mechanical glitch; after the second, the plant's owners called in investigators. The sleuths found the malware, which has since been dubbed “Triton” (or sometimes “Trisis”) for the Triconex safety controller model that it targeted, which is made by Schneider Electric, a French company.
In a worst-case scenario, the rogue code could have led to the release of toxic hydrogen sulfide gas or caused explosions, putting lives at risk both at the facility and in the surrounding area.
Gutmanis recalls that dealing with the malware at the petrochemical plant, which had been restarted after the second incident, was a nerve-racking experience. “We knew that we couldn’t rely on the integrity of the safety systems,” he says. “It was about as bad as it could get.”
In attacking the plant, the hackers crossed a terrifying Rubicon. This was the first time the cybersecurity world had seen code deliberately designed to put lives at risk. Safety instrumented systems aren’t just found in petrochemical plants; they’re also the last line of defense in everything from transportation systems to water treatment facilities to nuclear power stations.
Triton’s discovery raises questions about how the hackers were able to get into these critical systems. It also comes at a time when industrial facilities are embedding connectivity in all kinds of equipment—a phenomenon known as the industrial internet of things. This connectivity lets workers remotely monitor equipment and rapidly gather data so they can make operations more efficient, but it also gives hackers more potential targets.
Those behind Triton are now on the hunt for new victims. Dragos, a firm that specializes in industrial cybersecurity, and where Gutmanis now works, says it’s seen evidence over the past year or so that the hacking group that built the malware and inserted it into the Saudi plant is using some of the same digital tradecraft to research targets in places outside the Middle East, including North America. And it’s creating new strains of the code in order to compromise a broader range of safety instrumented systems.
News of Triton’s existence was revealed in December 2017, though the identity of the plant’s owner has been kept secret. (Gutmanis and other experts involved in the initial investigation decline to name the company because they fear doing so might dissuade future targets from sharing information about cyberattacks privately with security researchers.)
Some notable cyber-physical threats
2010: Stuxnet. Developed by America’s National Security Agency, working in conjunction with Israeli intelligence, the malware was a computer worm, or code that replicates itself from computer to computer without human intervention. Most likely smuggled in on a USB stick, it targeted programmable logic controllers which govern automated processes, and caused the destruction of centrifuges used in the enrichment of uranium at a facility in Iran.
2013: Havex. Havex was designed to snoop on systems controlling industrial equipment, presumably so that hackers could work out how to mount attacks on the gear. The code was a remote access Trojan, or RAT, which is cyber-speak for software that lets hackers take control of computers remotely. Havex targeted thousands of US, European, and Canadian businesses, and especially ones in the energy and petrochemical industries.
2015: BlackEnergy. BlackEnergy, which is another Trojan, had been circulating in the criminal underworld for a while before it was adapted by Russian hackers to launch an attack in December 2015 on several Ukrainian power companies that helped trigger blackouts. The malware was used to gather intelligence about the power companies’ systems, and to steal log-in credentials from employees.
2016: CrashOverride. Also known as Industroyer, this was developed by Russian cyber warriors too, who used it to mount an attack on a part of Ukraine’s electrical grid in December 2016. The malware replicated the protocols, or communications languages, that different elements of a grid used to talk to one another. This let it do things like show that a circuit breaker is closed when it’s really open. The code was used to strike an electrical transmission substation in Kiev, blacking out part of the city for a short time.
Over the past couple of years, cybersecurity firms have been racing to deconstruct the malware—and to work out who’s behind it. Their research paints a worrying picture of a sophisticated cyberweapon built and deployed by a determined and patient hacking group whose identity has yet to be established with certainty.
The hackers appear to have been inside the petrochemical company’s corporate IT network since 2014. From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access. They then got into an engineering workstation, either by exploiting an unpatched flaw in its Windows code or by intercepting an employee’s login credentials.
Since the workstation communicated with the plant’s safety instrumented systems, the hackers were able to learn the make and model of the systems’ hardware controllers, as well as the versions of their firmware—software that’s embedded in a device’s memory and governs how it communicates with other things.
It’s likely they next acquired an identical Schneider machine and used it to test the malware they developed. This made it possible to mimic the protocol, or set of digital rules, that the engineering workstation used to communicate with the safety systems. The hackers also found a “zero-day vulnerability”, or previously unknown bug, in the Triconex model’s firmware. This let them inject code into the safety systems’ memories that ensured they could access the controllers whenever they wanted to.
Thus, the intruders could have ordered the safety instrumented systems to disable themselves and then used other malware to trigger an unsafe situation at the plant.
The results could have been horrific. The world’s worst industrial disaster to date also involved a leak of poisonous gases. In December 1984 a Union Carbide pesticide plant in Bhopal, India, released a vast cloud of toxic fumes, killing thousands and causing severe injuries to many more. The cause that time was poor maintenance and human error. But malfunctioning and inoperable safety systems at the plant meant that its last line of defense failed.
More red alerts
There have been only a few previous examples of hackers using cyberspace to try to disrupt the physical world. They include Stuxnet, which caused hundreds of centrifuges at an Iranian nuclear plant to spin out of control and destroy themselves in 2010, and CrashOverride, which Russian hackers used in 2016 to strike at Ukraine’s power grid. (Our sidebar provides a summary of these and other notable cyber-physical attacks.)
However, not even the most pessimistic of cyber-Cassandras saw malware like Triton coming. “Targeting safety systems just seemed to be off limits morally and really hard to do technically,” explains Joe Slowik, a former information warfare officer in the US Navy, who also works at Dragos.
Other experts were also shocked when they saw news of the killer code. “Even with Stuxnet and other malware, there was never a blatant, flat-out intent to hurt people,” says Bradford Hegrat, a consultant at Accenture who specializes in industrial cybersecurity.
It’s almost certainly no coincidence that the malware appeared just as hackers from countries like Russia, Iran, and North Korea stepped up their probing of “critical infrastructure” sectors vital to the smooth running of modern economies, such as oil and gas companies, electrical utilities, and transport networks.
In a speech last year, Dan Coats, the US director of national intelligence, warned that the danger of a crippling cyberattack on critical American infrastructure was growing. He drew a parallel with the increased cyber chatter US intelligence agencies detected among terrorist groups before the World Trade Center attack in 2001. “Here we are nearly two decades later, and I’m here to say the warning lights are blinking red again,” said Coats. “Today, the digital infrastructure that serves this country is literally under attack.”
At first, Triton was widely thought to be the work of Iran, given that it and Saudi Arabia are archenemies. But cyber-whodunnits are rarely straightforward. In a report published last October, FireEye, a cybersecurity firm that was called in at the very beginning of the Triton investigation, fingered a different culprit: Russia.
The hackers behind Triton had tested elements of the code used during the intrusion to make it harder for antivirus programs to detect. FireEye’s researchers found a digital file they had left behind on the petrochemical company’s network, and they were then able to track down other files from the same test bed. These contained several names in Cyrillic characters, as well as an IP address that had been used to launch operations linked to the malware.
That address was registered to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow, a government-owned organization with divisions that focus on critical infrastructure and industrial safety. FireEye also said it had found evidence that pointed to the involvement of a professor at the institute, though it didn’t name the person. Nevertheless, the report noted that FireEye hadn’t found specific evidence proving definitively that the institute had developed Triton.
Researchers are still digging into the malware’s origins, so more theories about who’s behind it may yet emerge. Gutmanis, meanwhile, is keen to help companies learn important lessons from his experience at the Saudi plant. In a presentation at the S4X19 industrial security conference in January, he outlined a number of them. They included the fact that the victim of the Triton attack had ignored multiple antivirus alarms triggered by the malware, and that it had failed to spot some unusual traffic across its networks. Workers at the plant had also left physical keys that control settings on Triconex systems in a position that allowed the machines’ software to be accessed remotely.
Triton: a timeline
2014: Hackers gain access to network of Saudi plant
June 2017: First plant shutdown
August 2017: Second plant shutdown
December 2017: Cyberattack made public
October 2018: FireEye says Triton most likely built in Russian lab
January 2019: More details emerge of Triton incident response
If that makes the Saudi business sound like a security basket case, Gutmanis says it isn’t. “I’ve been into a lot of plants in the US that were nowhere near as mature [in their approach to cybersecurity] as this organization was,” he explains.
Other experts note that Triton shows government hackers are now willing to go after even relatively obscure and hard-to-crack targets in industrial facilities. Safety instrumented systems are highly tailored to safeguard different kinds of processes, so crafting malware to control them involves a great deal of time and painstaking effort. Schneider Electric’s Triconex controller, for instance, comes in dozens of different models, and each of these could be loaded with different versions of firmware.
That hackers went to such great lengths to develop Triton has been a wake-up call for Schneider and other makers of safety instrumented systems—companies like Emerson in the US and Yokogawa in Japan. Schneider has drawn praise for publicly sharing details of how the hackers targeted its Triconex model at the Saudi plant, including highlighting the zero-day bug that has since been patched. But during his January presentation, Gutmanis criticized the firm for failing to communicate enough with investigators in the immediate aftermath of the attack.
Schneider responded by saying it had cooperated fully with the company whose plant was targeted, as well as with the US Department of Homeland Security and other agencies involved in investigating Triton. It has hired more people since the event to help it respond to future incidents, and has also beefed up the security of the firmware and protocols used in its devices.
Andrew Kling, a Schneider executive, says an important lesson from Triton’s discovery is that industrial companies and equipment manufacturers need to focus even more on areas that may seem like highly unlikely targets for hackers but could cause disaster if compromised. These include things like software applications that are rarely used and older protocols that govern machine-to-machine communication. “You may think nobody’s ever going to bother breaking [an] obscure protocol that’s not even documented,” Kling says, “but you need to ask, what are the consequences if they do?”
An analog future?
Over the past decade or so, companies have been adding internet connectivity and sensors to all kinds of industrial equipment. The data captured is being used for everything from predictive maintenance—which means using machine-learning models to better anticipate when equipment needs servicing—to fine-tuning production processes. There’s also been a big push to control processes remotely through things like smartphones and tablets.
All this can make businesses much more efficient and productive, which explains why they are expected to spend around $42 billion this year on industrial internet gear such as smart sensors and automated control systems, according to the ARC Group, which tracks the market. But the risks are also clear: the more connected equipment there is, the more targets hackers have to aim at.
To keep attackers out, industrial companies typically rely on a strategy known as “defense in depth.” This means creating multiple layers of security, starting with firewalls to separate corporate networks from the internet. Other layers are intended to prevent hackers who do get in from accessing plant networks and then industrial control systems.
These defenses also include things like antivirus tools to spot malware and, increasingly, artificial-intelligence software that tries to spot anomalous behavior inside IT systems. Then, as the ultimate backstop, there are the safety instrumented systems and physical fail-safes. The most critical systems typically have multiple physical backups to guard against the failure of any one element.
The strategy has proved robust. But the rise of nation-state hackers with the time, money, and motivation to target critical infrastructure, as well as the increasing use of internet-connected systems, means the past may well not be a reliable guide to the future.
Russia, in particular, has shown that it’s willing to weaponize software and deploy it against physical targets in Ukraine, which it has used as a testing ground for its cyber arms kit. And Triton’s deployment in Saudi Arabia shows that determined hackers will spend years of prodding and probing to find ways to drill through all those defensive layers.
Fortunately, the Saudi plant’s attackers were intercepted, and we now know a great deal more about how they worked. But it’s a sobering reminder that, just like other developers, hackers make mistakes too. What if the bug they inadvertently introduced, instead of triggering a safe shutdown, had disabled the plant’s safety systems just when a human error or other mistake had caused one of the critical processes in the plant to go haywire? The result could have been a catastrophe even if the hackers hadn’t intended to cause it.
Experts at places like the US’s Idaho National Laboratory are urging companies to revisit all their operations in the light of Triton and other cyber-physical threats, and to radically reduce, or eliminate, the digital pathways hackers could use to get to critical processes.
Businesses may chafe at the costs of doing that, but Triton is a reminder that the risks are increasing. Gutmanis thinks more attacks using the world’s most murderous malware are all but inevitable. “While this was the first,” he says, “I’d be surprised if it turns out to be the last.”