"Quantum Leap" was the name of a popular TV show from the early nineties about a quantum physicist who jumps through time inhabiting different bodies with each leap. It is also the name the US Special Operations Command's DC-area branch gave to an unusual project investigating how to combat crime by exploiting social media. An unclassified document, dated September 2012 obtained by Steven Aftergood's Secrecy News, reveals that this special ops division met with at least a dozen data mining companies in the last year in an effort to utilize sophisticated tech tools to the exploit the personal information Americans publicly post on the web. The US Special Operations Command now claims that the project has been disbanded—but the report describes QUANTUM LEAP as a success.
The goal of QUANTUM LEAP, according to the report, was to conduct multiple experiments over a period of six months to explore how open source applications could be used to combat a range of crimes, including human and drug trafficking and terrorism. The first experiment, assisting with a money laundering case, involved approximately 50 government and industry participants. "Overall the experiment was successful in identifying strategies and techniques for exploiting open sources of information, particularly social media," the report notes.
The most heavily used tool in this experiment, according to the report, was Raptor X—which included a plugin called "Social Bubble" that allowed special ops to summon "data via the Twitter API to display Twitter users, their geographic location, posted Tweets and related metadata in the Raptor X geospatial display." Other tools created by industry partners included one that could "index the internet...as well as collect large quantities of data from the deep web," and another that performed "real time and automated analysis of publicly available data in all media channels, especially the social media, in many languages." All in all, during the financial crime scenario alone, the DC special ops divisions identified more than 200 open-source tools that could be useful.
"This report suggests that a lot can be accomplished...before even taking advantage of clandestine collection capabilities," says Aftergood, director of the Federation of American Scientists' Project on Government Secrecy. "And the prominent role played by industry is striking. Private firms are the ones providing the tools and tactics to the military for data mining open sources."
Ken McGraw, a spokesman for U.S. Special Operations Command, said in a statement that "We cannot confirm the validity of any of the information listed in the After Action Report. The only information we have received so far is the program is no longer in existence and the people who worked on the program are no longer there."
But Aftergood notes that based on the report, "the initial results were promising. They produced useful leads. So either the initial results did not pan out, or else the subsequent work was moved elsewhere."
Kyle Wilhoit, a 29-year-old Missourian working for a cybersecurity company called Trend Micro, has spent the last year building fake water plant control systems that mimic the online control systems used by real American utilities. Dubbed "honeypots," these sorts of decoys are deployed to draw in the ill-mannered beasts of the internet—malicious hackers.
Wilhoit's traps appear to be working. Hackers employing a software tool used by the Chinese army—as well as hackers that appear to originate from Russia, Palestine, Germany, and other countries—have been breaking into Trend Micro's phony US water systems. In some cases, they have gone so far as to steal files so they can access the systems again. They also have gained access to imaginary pumps, which in a real scenario would allow them to modify water pressure, temperature, purification level, and even shut off the flow entirely.
"What would the Chinese army want? Do they want to contaminate US water plants?"
"Everyone has talked of [these systems] getting attacked, but I wanted true numbers to prove the attacks were occurring," says Wilhoit, who presented the report of his company's findings at the Black Hat conference in Las Vegas last week. "I was expecting typical drive-by automated attacks, but never dreamed of having a true targeted attack."
Matthew Rhoades, a cybersecurity expert and director of legislative affairs for the Truman National Security Project, told Mother Jones that he's "not totally surprised" by the report, given the past allegations of foreign entities attempting to infiltrate America's critical infrastructure. (In May, for example, the Wall Street Journal reported that Iran was hacking into our oil, gas, and power firms.) "The question is," Rhoades says, "what would the Chinese army want? Do they want to contaminate US water plants? Are they mapping it out as a contingency for some sort of future conflict? The latter seems like it's a potential, and that wouldn't surprise me either."
Since late last year, Wilhoit and Trend Micro have deployed 12 honeypots in eight countries, mimicking servers that control water pumps. (Earlier this year, a study supported by the Department of Homeland Security found that more than 7,000 industrial control systems—a broad term encompassing water, gas, and electrical systems—were connected to the internet in the United States.) The traps feature control toggles for temperature, on/off functionality, and other password-protected settings. Water systems are easy to imitate since their cybersecurity is "typically very lax," Wilhoit explains. "Attempting to mimic a nuclear plant would be very difficult."
Trend Micro set up the decoys to draw attention to the state of critical infrastructure cybersecurity. After the honeypots were deployed in November 2012, it took only 18 hours for the first hacker to visit. In December, using HACKSFASE—the same tool used by the Chinese army to attack US government agencies, according to the New York Times and a security company called Mandiant—a Chinese-based hacker infiltrated one of the US honeypots and tried to access multiple pages. The person also made a successful spearphishing attempt, sending a fake email to the owner's account in order to automatically collect login information. Richard Bejtlich, chief security officer for Mandiant, says that claiming the Chinese army is attacking water plants because a hacker is using HACKSFASE is "weak attribution." However, he wasn't aware of other countries using the tool.
Trend Micro has also traced cyberattacks in the US coming from Russia, Germany, France, the United Kingdom, and Palestine—and attacks originating in the United States that targeted honeypots in Russia and China. Ten of the cyberattacks, including the Chinese attack, were deemed "critical"—meaning that, in a real-life scenario, a hacker could have altered or turned off a city's water supply. (None of the attacks originating from the United States fell into that category.)
Trend Micro also reported that some American water control systems could be found online using a simple Google search. The cities I contacted were cagey about whether their systems had online controls and what steps they took to defend them against hackers. But they all promised that their supplies were secure. For instance, Pamela Mooring, a spokeswoman for the DC Water and Sewer Authority, writes in an email: "DC Water staff attend briefings on cyberattacks and other threats to utilities, and the Authority has a Cyber Response Plan."
Alan Roberson, director of federal relations at the American Water Works Association, says most American utility companies "are aware that they need to separate their control systems from the internet…but we still don't know how many have done that, and how many vulnerabilities are left." He adds, however, that if a utility company knew it was under cyberattack, it could manually take control of the system and easily block intruders.
Last week, the Senate Committee on Commerce, Science & Transportation cleared the Cybersecurity Act of 2013 (introduced in the wake of President Obama's corresponding executive order), which addresses vulnerabilities in American infrastructure by encouraging companies to follow set cybersecurity standards. If it passes, Roberson says, it will help safeguard water supplies by giving utility companies a way to justify the added cost of security to their boards and customers.
Wilhoit also supports the bill, although he'd like to see the federal government test the specific software and hardware that utility companies are using. "If my system is a realistic depiction of a real water pumping system," he says, then "compromising a real water system would be very easy."
New Yorkers are living with the fear that their city's breakdown-prone emergency dispatch system could fail them when they need it most. It's a fear that other major American cities have lived with for years.
New York City's system has been under public scrutiny since June, when emergency responders were delayed by four minutes in responding to the scene where a four-year-old girl was killed after being struck by a car while walking to school with her grandmother. A watchdog agency has launched an official investigation into the system, which cost $88 million and has only been operational since May. In July, the New York Post reported that the system had crashed at least nine times in a single week. It's also drawn blame for leaving a crash victim unaided on a highway for almost two hours, and marooning a paramedic with a dead body.
Made by a company called Intergraph Government Solutions—whose board is well stocked with former security officials from the George W. Bush administration—the software will soon be coming to Boston, which plans to spend $15 million on its contract.
When 911 systems break, experts say it's often because undertrained municipal technicians can't troubleshoot failures in the Computer Aided Dispatch (CAD) software they rely on. Most malfunctions don't hamper the collection of callers' automatically traced location data—instead, the failures affect what happens to the caller's information after it's given to a 911 operator. CAD systems power databases that track locations' call histories, and show where available police, fire, or EMS units are. Breakdowns can leave operators without this crucial information, delaying the speed and accuracy of responses. Many systems are also made to dispatch units with the click of a mouse, instantly transferring CAD reports to mobile computers inside emergency response centers or vehicles—without requiring an operator to use a phone or radio. These functions can fail independently, or as part of a wider system breakdown.
Paul Linnee, who has 40 years of experience designing and managing public safety communications systems and helped run one of the first CADs in the country—in Minneapolis in 1977—says that in the early years dispatch workers "put our blood, sweat, and tears into figuring out the technology." Now he warns that most technical knowledge is outsourced to expensive contractors, and some contractors are better than others at helping cities figure out how to run their programs successfully.
Linnee says when CAD software is used straight out of the box, it tends to work. But cities' systems are endlessly customized, which Linnee notes requires time-consuming and expensive training. "If you're a company working in a big city like New York, and you know you're going to have a nightmarish installation, you need to put a team of 15 really smart developers in Brooklyn, and keep them there for two years, and hold the city's hand until they get it right," he says. "But that could cost the company $3 million, and that scenario is not going to happen. Until cities will pay for that, four-year-old girls are going to get killed, buildings will burn, and ambulances won't be dispatched."
New York isn't the only city grappling with 911 computer system troubles—in just the last two years, Los Angeles, Chicago, San Francisco, and other local governments have had similar issues. Here are seven more cities and counties that have seen their software go down in the last few years:
Los Angeles
Dates of Crashes: Multiple incidents in March 2012; July 5, 2013
What happened? The Los Angeles Fire Department's CAD system crashed at least twice in March, preventing dispatchers from communicating with fire stations and paramedics from reaching gravely injured people, according to an investigation by the Los Angeles Times. On March 2, a malfunctioning alarm system caused firefighters to arrive a couple of minutes late to a burning house; two people died. Firefighters said it was impossible to know for sure, but the delay may have contributed to the fatalities.
On March 7, an elderly man was having trouble breathing, but responders couldn't find him because the computer didn't transfer the address correctly. And on that same day, a woman was working in a printing factory when a machine severed her finger. It took paramedics 45 minutes to arrive and, because too much time had elapsed, doctors were unable to reattach the woman's finger. (Fire chief Brian Cummings told the Times that during that day's crash, just two calls out of 1,000 were missed.) But a veteran dispatcher told the paper that the crashes had become so prevalent, he was tracking available emergency vehicles with a peg board and golf tees. A grand jury was called to investigate and a report issued in late June—less than one week before a July 5 tweet from the Los Angeles Fire Department admitting that its computer system had crashed again—recommended that Los Angeles' 30-year-old CAD system be "brought up to current technology levels."
Seattle
Date of Crash: July 4, 2012; other unknown dates
What happened? King 5 News reported that on the Fourth of July, the CAD system Seattle police used crashed, forcing dispatchers to write down calls by hand. This reportedly didn't affect dispatch time, as the mobile computers inside individual police cars were still working. The television station reported that the system "does occasionally go down."
Chicago
Date of Crash: July 2-3, 2012
What happened? The Chicago Sun-Times reported last July that Chicago's CAD system went down for four hours. Without a working backup system, dispatchers resorted to taking calls manually and paging emergency responders through radio, rather than using their software. A spokeswoman for Chicago's emergency services told the paper that the system has gone down before, but she didn't know when.
Bethlehem, Pennsylvania
Date of Crashes: Multiple incidents since 2008
What happened? In January 2012, the Morning Call reported that the $770,000 CAD system used by Bethlehem had crashed "often" since it was installed in 2008. Police told the paper that reports went missing from the system, and that every time the system broke down dispatchers had to take notes by hand. In June and July of 2011, operators had to restart the CAD system 58 times, and in 10 cases, they weren't able to revise call logs with new information. In January, Bethlehem launched an investigation and filed formal notice that it was considering suing CODY Systems, the company that makes the system, for breach of contract.
Portland and Multnomah County, Oregon
Date of Crash: Spring 2011
What happened? Just one month after the $14.5 million CAD system serving Portland and Multnomah County was installed in April 2011, the Oregonian found that there had already been more than "400 safety concerns," including losing track of the whereabouts of officers and failing to provide appropriate safety alerts. Later that spring, the city's police union reported recording around "1,000 defects" in the system's first few months of operation. An officer told the Oregonian that the system repeatedly dispatched him to random addresses that had the number "215" in the street name—because he was in police unit 215. The system also incorrectly reported when an officer had left an incident. Fairview Police Chief Ken Johnson told the paper, "We're risking people's lives." The Portland Bureau of Emergency Communications finally released an audit on July 15, 2013, finding that 911 dispatchers had been insufficiently trained.
San Francisco
Date of Crash: May 13, 2011
What happened? San Francisco's CAD system went down for more than 24 hours because of server problems. Dispatchers had to call emergency responders by radio, and officers had to write down pertinent information using a pen and paper, instead of having it automatically appear on patrol car laptops. Emergency responders told KGO-TV there was "no disruption" to 911 calls.
Austin, Texas
Date of Crash: Multiple incidents from 2008 to 2010
What happened? Austin's CAD software, which is made by a company called Versaterm, was found by KXAN News in November 2010 to have failed multiple times, sometimes forcing operators to take down information manually. The television station published a cringe-worthy exchange between a 911 operator and a man who was robbed at gunpoint (911: "Okay, so you said you were robbed by gunpoint?" Man: "Yes, by gunpoint." 911: "One second, let me get this thing started. You said it just happened right now?"). Help was never sent, and the man had to call 911 again—30 minutes later.
Patricia Fraga, a spokeswoman for the city of Austin, tells Mother Jones that due to a beefed-up backup system and other updates "made in the last year" dispatchers won't have to rely on pen and paper anymore. "The technology folks have been dedicated, their response has been good," she says. But when asked whether Austin's system has crashed again since 2010, she said, "I don't know."
One of China's largest and most prominent media companies—12 percent of which is owned by a subsidiary of Rupert Murdoch's 21st Century Fox—has been rocked by a major sexual harassment and assault scandal. A lawsuit filed on July 19 in federal court against Phoenix Satellite Television contains a series of jaw-dropping allegations concerning its onetime Washington, DC, bureau chief, Zhengzhu Liu. The Chinese journalist is accused of a litany of offenses, including encouraging job applicants to meet him in hotel rooms for interviews and then groping them, attempting to coerce the wife of a cameraman to have sex with him to preserve her husband's job, telling a job candidate about the "gigantic and powerful penis" of his black friend, and attempting to rape a reporter.
The plaintiffs, two of whom are US citizens, claim at least one high-ranking Phoenix executive knew about this conduct for years before the company fired Liu last December. They also say that after Phoenix ousted Liu, the media conglomerate installed a new bureau chief who proceeded to retaliate against employees who had complained about the alleged abuses.
Four of the five plaintiffs—Meixing Ren, Ching-Yi Chang, Taofeng Wang, and Haipei Shue—are men who say that Tao Lu, the current bureau chief, punished them for speaking out about his predecessor's alleged conduct by downsizing their job duties and firing one of them. The fifth plaintiff is a former Phoenix intern who alleges that Liu repeatedly groped her. Another former Phoenix intern filed a separate lawsuit in New York earlier this year making similar allegations. Mother Jones interviewed three of the male plaintiffs and four of Liu's alleged female victims.
Phoenix Television, which is based in Hong Kong, is one of few private broadcasters permitted by the Chinese government to operate in mainland China. The multimedia empire maintains bureaus around the world, covers more than 150 countries, and is worth about $1.9 billion. In 2008, the company's current CEO, Liu Changle, won an International Emmy for being "one of Asia's leading broadcast entrepreneurs."
The lawsuit is "full of inaccuracies and false statements about the Company," Wu Xiaoyong, the CEO of Phoenix's American subsidiary, told Mother Jones in a statement. "We have retained counsel to defend the Company's interests, and we will have no further comment regarding this case." Mother Jones left messages at several phone numbers associated with Liu; he did not respond to these repeated requests for comment. Both Xiaoyong and the law firm representing the plaintiffs said they do not know the ex-bureau chief's whereabouts. Murdoch's 21st Century Fox declined to comment.
A judge has slammed the book shut on a two-year legal battle between Indiana and Planned Parenthood, ruling that the state cannot prohibit family planning clinics from accepting Medicaid funds. Former GOP Governor Mitch Daniels signed a law in 2011 that prevented Medicaid enrollees from using funds for routine procedures such as breast exams and STD testing at Planned Parenthood, which also performs abortions. Tuesday's ruling means that Indiana has no more legal options to appeal—the Supreme Court has refused to hear the case. But if the high court agrees to hear a challenge to a similar law in another state, Indiana's zombie law could come back to life.
"Over and over again, courts have said that states cannot block people from getting preventive health care at Planned Parenthood, and the vast majority of the American public agrees," said Cecile Richards, President of Planned Parenthood Action Fund in a statement. "All women, no matter where they live, should be able to get quality, affordable health care from the health care provider they know and trust."
When the law was passed in 2011, it exempted hospitals and surgical facilities, making it pretty clear that the goal of the law was to shut down Planned Parenthood. Unfortunately for Indiana's Republican lawmakers, the effort only rallied pro-choice activists. The Associated Press reports that the interruption in Medicaid funds encouraged 1,600 donors from around the world to give about $500,000 to Planned Parenthood so that it could continue to provide services to Medicaid recipients in Indiana. Additionally, in May, after the Supreme Court refused to hear the case, the US federal agency that administers Medicare and Medicaid sided with Planned Parenthood.
Indiana was the first state to attempt to shut down Planned Parenthood by denying the organization Medicaid funds. But since then, lawmakers in other states—including Texas, Tennessee, Arizona, Kansas, and North Carolina—have also tried to use this tactic. According to the AP, if the Supreme Court decides to hear one of these other laws, Indiana could submit an amicus brief to revive its legal argument. To see what happens when a state successfully defunds family planning clinics, look no further than Texas, where the ever-enterprising Republican Governor Rick Perry is squeezing Planned Parenthood out of the state. He's doing so not just by trying to prevent family planning clinics from receiving Medicaid, but by flat-out refusing to accept $30 million a year in federal Medicaid money. As my colleague Jaeah Lee—who made these awesome charts, including the one below—notes, since Perry had denied this funding, "nearly 200,000 Texas women have lost or could lose access to contraception, cancer screenings, and basic preventive care, especially in low-income, rural parts of the state." Indiana women, be glad this isn't you: