Posted on June 13, 2018 at 4:13 PM
A Manhattan-based startup that was hired by the Pentagon to work on a new project regarding the combination of drones and AI got hacked. Additionally, the company avoided to report the incident to the Pentagon for weeks and has fired one of its employees for repeatedly bringing up the need to disclose the information regarding the breach to the military.
The top-secret project got hacked
A group or employees of Clarifai, a startup from Manhattan, got hired a while ago by Pentagon to work on a somewhat controversial project. Their task was to try and combine machine-learning algorithms with the modern technology regarding the drone surveillance. The members of the team were not allowed to discuss the nature of their work, nor their progress with anyone, including the other employees at the firm.
However, it would seem that the danger did not come from those working on the project, but, in fact, from the outside. Or, more precisely, from Russia.
A former employee of the company, Amy Liu, has filed a lawsuit earlier this month. In the lawsuit, Liu claims that the company’s systems were hacked by cybercriminals with ties to Russia, and that it is highly possible that this country’s government now has the details regarding the technology belonging to the US military.
According to the lawsuit, the breach seems to have been noticed all the way back in November of the last year. However, the company’s executives, as well as the CEO, decided not to report the hack to the Pentagon. Liu, on the other hand, argued that the Pentagon needs to be informed about the breach immediately, which led to her getting fired from the position of marketing director within the company. She also doesn’t seem to be the only one, and another employer decided to leave the company of his own free will, due to various concerns regarding the way that the executives were handling the current situation.
According to reports, the project that Clarifai was hired to work on is called Project Maven, and its goal was to combine the US military technology with AI. Google attempted a similar project but has run into a large opposition within the company itself, with over 4,500 of its employees being against it. The employees did not want to work on something that would then be responsible for taking countless lives, which finally forced Google to give up on the project, after issuing ethical guidelines that would govern its future use of AI.
So far, Clarifai refused to comment regarding their involvement with this project, and instead, their spokesperson stated that the incident involved a so-called ‘untargeted bot’. The statement continues to claim that the bot was responsible for infecting the server and that the whole incident had ended there, without any unauthorized access to the code or the project’s data. Finally, as part of the official statement, the spokesperson said that the company’s customers were notified of the incident. However, it is unknown whether or not that includes the Pentagon.
Clarifai and Project Maven
Liu’s statement says that she is aware of the need for the military to tap into AI technology and that she understands it. However, according to her, Clarifai’s security leaves much to be desired, and the company is also followed by a serious lack of transparency, which doesn’t make it the best choice for developing such technology. She also said that the use of companies like Clarifai is ‘sad and scary’, especially now that Google seems to be giving up on developing this kind of tech.
The company, on the other hand, claims that it is driven by a desire to help speed up humanity’s progress and that they are doing so by working hard on improving the AI. This is one of the reasons why Liu, who was previously an Air Force captain, decided to join the company in the first place. She helped with designing a draft for Clarifai’s contract for the Maven Project a year ago and was under the impression that this tech can be adapted to serve a different purpose too. Things like car-counting or people-tracking through the drone imagery might be incredibly helpful if the project is done right.
Winning this contract was a big thing for Clarifai, especially considering that the company’s previous deals mostly included projects worth less than $100,000. When the company decided to start working for the military, the decision was justified by the fact that their technology might help save lives. However, this is where some of the first signs of the mentioned lack of transparency have appeared. Some even claimed that they were not aware that the surveillance technology that they were developing was being done for the military.
The project itself only had around 10 people working on it, and most of the work was done in a windowless room that the employees started calling ‘The Chamber of Secrets’. The purpose of the project finally became clear after a month of working on it, when the military had visited the company’s office to check on the system’s development.
Then, in November of 2017, the company’s ISP, Cogent, informed Clarifai that their server was being used for attacking the Indiana University. Unfortunately, the compromised server also had the company’s code, as well as credentials of its account on Amazon Web Services. According to the ISP, it is possible that this information is compromised as well, and that the attackers seem to be located in Russia. However, Clarifai claims that none of the data, or the code itself, were not compromised during the attack.
Clarifai broke the rules
Liu claims to have heard about the attack only a day after it had happened, and was then called to a meeting by Caroline McCaffery, the company’s general counsel. McCaffery wanted Liu to help with creating the plans regarding internal messaging involving the incident, which is when Liu expressed her concerns and stated that the Pentagon should be informed. McCaffery’s answer was that it was not necessary, at least until the investigation of the incident has been concluded.
A new announcement from McCaffery came later that day, and it stated that no employee should write about the attack. Liu then decided to try and talk to her manager about informing the Pentagon and other clients of the company, which led to her termination only days later.
After this, the company still took several more weeks before it informed the Pentagon of the incident. However, Liu claims that the Pentagon originally learned about the situation through some other means, which she decided not to elaborate. As for the reason for her termination within the company, she was informed that her work did not align with the work of the company’s sales team. She, on the other hand, believes that she was fired because she repeatedly brought up the necessity of informing the government of the incident.
In another part of her lawsuit, she claims that Clarifai broke one of the Pentagon’s biggest rules, which was the need to inform them about the breach in 72 hours from the moment of its detection. They also broke the law imposed by the military, since they terminated her for trying to reveal the breach to the military. Clarifai claims that the company did nothing wrong, and that firing Liu was a justified decision.
As for the Maven Project’s contract, it was extended earlier this year, and the company got two additional months, only because the Pentagon was impressed by the company’s technology, as well as its employees’ familiarity with the project. However, multiple employees that were working on the project already left the company by then or were transferred to another project as per their own requests.