Bad Good Bad: Special Edition



  Title: VERY IMPORTANT MESSAGE – READ IMMEDIATELY

  Subject:

  Mr Robert,

  We have categorized your mobile device as a HIGH RISK device. You have 72 hours to contact your local clinic and book an appointment with a Security Officer to remediate this situation. At the same time, we strongly recommend that you immediately remove the following unsecure wi-fi access point from your list of trusted wi-fi networks: Park Plaza free wi-fi.

  Failure to comply will result in your device being added to a blacklist, and you will no longer be able to connect to the Neocuris network and benefit from its online services.

  Once your appointment is scheduled with the clinic in the central patient history tracking system, your grace period will automatically be extended by two business weeks.

  Neocuris Security

  Kevin: “All the red dots got a message similar to this starting last Friday afternoon. This policy has not been approved by Neocuris.”

  Kevin now makes a twist movement with his fingers over the screen. Now we see the sub-region with dozens of partially flashing red dots.

  Kevin: “Some of those dots are about to be cut off maybe. If that policy is really effective.”

  Eric: “The clinics are flooded with phone calls. Each clinic is subcontracting security agents, but they were not planning for that. They started to book the meetings, and they are trying to augment the security staff and are asking them to work extra hours. Clarence and Bianca will join us at 10 in this room. Let’s take a quick bio break before we get back in this room.”

  Chapter 19

  We are back in the conference room. Bianca and Clarence are with us.

  Eric: “Welcome to our office Bianca.”

  Bianca: “Thank you for making room for your team to meet with me this morning. I know it was a last minute request but this is very important.”

  Kim: “Hi Bianca. Good to see you again.”

  Bianca: “How is the preparation going?”

  Kim: “Making good progress. I started the practice exams on Sunday while at the airport. I need to plan for more time to study over the next few weeks.”

  Bianca smiles at me. Then she glances at the dashboard that is still on the big screen.

  Eric: “Bianca, we listen to you.”

  Bianca: “Ok, let’s get started. As you are all aware by now, we have this policy that has been implemented without being forced through the normal procedure. I guess it’s the bot again. We were already trying to manage a crisis with the Ethics Committee. Now they are all threatening to resign. Eric, is it possible to show the McKay video on the big screen? Search for McKay and Neocuris.”

  Kamal: “Sure. Ok I found it on this news web site.”

  Scott McKay, Secretary of Defense, is the title for this video. It looks like it was pre-recorded, not live.

  Scott McKay: “The United States has been recently attacked on multiple fronts. We take these attacks very seriously, and we are working with the power generation industry, the services that support the internet on which rely a major portion of our economy, and the stock exchange market, to make sure that security is increased. We want to make sure that we are ready to face any new attack or retaliation. We have decided to respond to Moscow. We have access to strong evidence, gathered by both the United States and Germany, that identifies the Russian Government’s direct sponsorship for those attacks.”

  Scott McKay: “We are also working with Healthcare manufacturer Neocuris which has also been targeted by the coordinated attacks. I am personally very aware of the negative consequences that we could face as a nation if the safety of our citizens is compromised. I want to congratulate Neocuris for stepping up its security in response to the last attacks, and for showing the way to the other critical infrastructure providers in our country when it comes to national security. I solicit every American to join the effort, and to support any new policy that contributes to better protecting our homeland and our fellow citizens.”

  Bianca: “Ok, we can stop now. So the Pentagon is supporting the policy. They did not realize that Neocuris did not itself implement this policy, when the media reported some of the patients’ outcry over the weekend. When they realized that protests were being organized, they judged that a quick intervention was appropriate to calm things down.”

  Kevin: “I saw rumors of a class action in some newspaper. Is that serious?”

  Bianca: “Our legal department is not concerned. We have provisions in the consent forms that are comprehensive. For example, Neocuris has the right to terminate any service if it considers that it poses any threat to the implant wearer, other patients, or the integrity of Neocuris. I don’t have the text in front of me, and it’s pretty unexciting to be honest, but from a legal perspective, we don’t need to be overly concerned. And with the Pentagon and probably the White House backing us, calling it an issue of national security, they won’t allow lawyers to force us to relax our security.”

  Eric: “What can we do to assist you, Bianca?”

  Bianca: “We have an extraordinary meeting for the Ethics Committee this afternoon at 2 pm. The remaining members are threatening to resign as I mentioned earlier. I understand their frustrations and concerns. We won’t have another opportunity to convince them to not leave the boat. That would surely put Neocuris in a very delicate situation. A confidence crisis from our patients and even the US Government could explode in our faces when the news hit the population. Picture our entire Ethics Committee submitting their resignation. I need your help. We need all the help we can get.”

  Eric: “You can count on us. We are in this together.”

  Bianca: “Kim, I want you to come with me at the meeting. Your experience with the bot is unique. I want you to talk to the Committee. To give them the facts.”

  Kim: “Well, I want to help you Bianca. But I am concerned I may actually cause more damage than good.”

  Bianca: “Don’t worry about causing damage. We have nothing to lose. Just tell them what you know. Answer their questions, but keep it simple. Short answers are preferred. They will appreciate that we bring you in front of them. That we are not trying to hide anything from them. They feel cheated.”

  Kim: “Okay, but I would prefer if Anima comes with me. She’s my sanity check.”

  Bianca: “I agree. We want another person, preferably that has been monitoring you without wearing the implant. So they cannot challenge her judgment for being under the influence of the bot. But we don’t want more than 2 of you. 3 is a crowd. Even I will take a backseat. They heard me talk enough anyway over the last few days. Can you two meet me at my office at a quarter to 2?”

  Anima: “We will be there. It is a pleasure to assist you Bianca.”

  Bianca: “A few things to keep in mind. I have already met a few times with the Committee over the last few days. I had to explain to them that from a governance perspective, we are also facing new dilemmas. Is it acceptable to maintain patients in the vault when we do not have full control over the vault anymore? How about privacy? Are we demonstrating due diligence by keeping patients in the vault? And a few more very challenging questions. We believe that turning the vault off could cause serious consequences for the patients, that this would put their lives at risk for some. And deciding to stop onboarding new patients could basically spell the financial collapse of Neocuris, which could again result in abandoning our patients that rely on the vault to protect their lives. If we can look at ourselves in the mirror and still be able to say that we are making the best decisions to protect the patients at this specific time, we do not believe that the board members or the executives will be blamed later. It is a very thin line to walk, though.”

  Eric: “And there is also the aspect of the apparent conflict of interest that is haunting us as executives. We could potentially be accused of keeping the patients in the vault, and onboarding new patients in the vault, to keep the money coming into the Neocuris bank accounts. Or even to increase the value of our stock options and get bonuses. I as an executive know that this is looming above our heads like a big dark cloud.”

  Bianca: “That is a fact. So we are actively discussing that with the Board of Executives and our governance consultants, and the situation is changing daily. The decisions we make today may look sound today. Tomorrow they may not look legitimate anymore. So we need to continuously monitor the situation from a governance perspective, and be ready to amend decisions if the landscape dramatically changes. We cannot predict every twist and turn, and capture all eventualities in our resolutions. We need to be ready for anything. We need to be ready for the worst.”

  Kim: “Wow! This sounds like textbook governance, but to the extreme.”

  Bianca: “Correct. Uncharted territory pretty much. And you will realize this afternoon that the Ethics Committee has another perspective on the situation. Their mission includes protecting the lives and the safety of the patients, together with their privacy. Can they trust a machine to make life or death decisions in the place of humans? Think about a colony of ants. It will sacrifice some members of the colony, on purpose, to protect the colony, if needs be. Would a machine make life or death decisions like us human beings? Or more like a colony of ants? Or would it fit somewhere in between humans and ants?”

  Bianca: “And also they believe that it is impossible for them to fulfill their mission now. They don’t have the opportunity to approve or disapprove policies or protocols anymore. They are being ignored, so they say. We need to try to convince them that resignation is not the best solution, in the interest of the patients. They must also be able to find a justification for sticking to it. Again, no textbook can help them now. The solution to their dilemma has to be created by them. Our goal is to assist them the best we can.”

  Chapter 20

  I walk with Anima into the Neocuris conference room. We are following Bianca.

  Bianca: “Kim, Anima, please take a seat. Let’s go quickly through a round of introductions. Ian, can you start?”

  Ian: “Yes. Ian Brown. Neurosurgeon.”

  Paula: “Paula Johnson. Medical Lawyer.”

  Ann: “Ann Schmidt. University teacher and researcher. Nanotechnology is my specialty.”

  Enrique: “Enrique Vicente. Community worker.”

  Li: “Li Chiu. PhD student in Ethics and Health.”

  Stuart: “Stuart Swanson. Retired ER Manager.”

  Gwen: “Gwen Miller. Certified Privacy Consultant.”

  Bianca: “Now off to you Kim and Anima.”

  Kim: “Kim Torrez. Ethical Hacker.”

  Anima: “Anima Mukherjee. Biomedical Engineer.”

  Bianca: “Anima has been with Neocuris from the beginning pretty much. She is one of the principal engineers behind the interface. And Kim joined New Forensics last fall. She is now at Neocuris Pro. Kim is not a patient per se, but she has been wearing the interface for several months. She has been able to interface with other users, and the entity we call the bot.”

  All 7 remaining members of the Committee look serious. They also all look at me now with a special interest.

  Bianca: “Kim was likely able to work with another user of the interface, and the bot itself, to pinpoint the source of the last attack. Well, that’s based on evidence that is pretty convincing. This information allowed us to contain the attack. The attack was leveraging some exploit in the Geolocation feature coupled with probably compromised GPS applications on mobile phones.”

  Paula: “Thank you Bianca for inviting Kim and Anima to this meeting. Kim, what does it mean when Bianca says you are able to interface with other users and the bot?”

  Kim: “When Eric hired me last fall at New Forensics, I accepted to wear the interface. Originally, it was to be able to test features, maybe gather some more information about the user experience. But within a few weeks, I started to sense the presence of other users. Eric started to experience this as well. Eric is a patient himself.”

  I pause now, trying to figure out a way to answer the question without getting into too many details.

  Kim: “It’s like learning an instrument. One can practice and get better. And some have the chance to be able to learn faster than others. The bot that seems to be taking over the vault right now, I can interface with it. But it is not like a dialog. Numbers can be exchanged, maybe a few words, a short question or a short answer. The bot has also been communicating with me out-of-band, via email.”

  Paula: “What kind of information have you been sharing with the bot?”

  Kim: “Well, during the last attack, the bot was basically asking for some help. It was overwhelmed I guess. Another user we call the helper, he helped us resolve the puzzle by communicating some numbers to me. We are not sure if it was intentional. He was probably trying to help the bot too. I copied some numbers. They turned out to be coordinates. A GPS position in New York, probably where the helper was at the time. I have been able to copy numbers from the helper before, and it was accidental that I did. It was not to his advantage the first time. He was not yet on our side back then. That is how we figured out the attack was leveraging the compromised GPS application on some mobile devices. And probably a vulnerability in the geolocation feature in the Neocuris app.”

  Li: “Kim, are you trying to say that you, the bot, and maybe some helper, teamed up together to stop the last attack?”

  Kim: “It was more teamwork. The helper contributed, maybe unknowingly, by being affected as part of the botnet attack himself. And we worked as a team at Pro to put the pieces of the puzzle together. We of course worked with Neocuris and New Forensics too. And the bot allowed me and the helper to connect, which was instrumental in pinpointing the source of the attack.”

  Li: “Do you believe the bot has been programmed to help Neocuris, or to harm Neocuris?”

  Kim: “I have a feeling it is on our side. Of course, it communicated so to me. But on top of its word, even if at first I was afraid of it and would not trust it, now I believe its mission is honest. That does not mean I would bet everything on it though. We did not design it. Who knows if it will blow up at one point or turn against us. And Anima has been following me closely, to make sure I am safe, and to challenge my judgment if and when it becomes altered.”

  Paula: “Anima, can you comment?”

  Anima: “I have been following Kim, Kevin and Eric over the last few months. And the context did change a lot. We had another bot before. The new bot is more advanced. It is also showing some progress in how it tries to interface with the users. At first, it was a bit cold and brutal, but now it is as if it is trying to be more subtle, more humanlike in its exchanges. It has definitively been programmed with some very effective learning algorithms and analytical capabilities. And Kamal and Kevin say that this bot has already spread to many servers and network components and that it is redundant and very difficult to track. It was also able to stop an attempt from the security teams to move the patients to an alternative vault. It blocked both logical and physical access to the target Disaster Recovery site we were planning to use.”

  Bianca: “As we discussed last week, we are still working on plan C, plan D, plan E, but for now, the bot is not going to go away. And we need to maintain the control that we still have, even if it is reduced and more of the damage control type. The fact that we did not give up allowed Kim and her team to stop the last attack. Who knows what would have happened to the vault and its patients if we had given up or if we had decided to shut down the vault.”

  Ian: “Kim, Bianca and Anima. You understand that our number one mission is to protect the health of the Neocuris patients. And you understand that we need to make an important decision here about the future of this committee. And the impact that this decision could have versus the safety of the patients. One question we have is what if an incident happens and the patients are harmed because of the bot? Another question is what if our hypothetical resignation causes Neocuris and patient support to collapse? It is very hard for us to determine the risk associated with all the possible scenarios, and the course of action we should support.”

  Gwen: “And to add to that, our second objective is to maintain the privacy for the patients. But Kim and Anima, you seem to indicate that some information, maybe confidential, can be accessed by the bot via the patients vault. And that the bot has also compromised many systems and probably has access to patient records. How can we protect the privacy of our patients in this context?”

  Anima: “From the bot, we can’t. The bot probably has access to more information than we have confirmed so far. Both from the compromised systems, and the brains of the vault users. But the bot’s mission does not seem to include as an objective the leaking out of information outside of the vault. That is probably not true of other bots or attacks directed at the vault, that our bot seems to be trying to defeat. So we could look at our bot from two perspectives really, and one of them is as a potential protector of privacy. I know that may sound like crazy talks to you, but in the short term we have to make the best of what is still around.”

  Kim: “Also, the previous bots, from potentially the same source, that compromised the vault, they were allowing potentially any user to tune into any other user, sometimes without the target user being aware. I experienced that first hand, and yes it was possible to gather some private information from a target user. We were actually able to help the authorities to identify the perpetrator of the January attack by leveraging such a feature, by accident. The helper before he became the helper. But our new bot has turned that feature off. Only pre-established relationships still work. It is as if the white pages feature was removed from users, and reserved for exclusive use by the new bot itself.”

  Anima: “The feature is probably still there. The range of features is probably unlimited. We have not completed the full inventory of all potential features. We originally implemented many filters to dramatically limit how the brain-interface-vault channel could be leveraged. We believe the first few bots that compromised the vault were tweaking or removing some of the filters in a rudimentary way. And that the new bot is more advanced, more in control. It has actually shared with us some new dashboards, and contributed to existing ones, so the operation center is definitively compromised. We actually see benefits, but without control over the bot, we are not sure where this will take us eventually.”