Spring Valley, Illinois is a city of 5,582 located 100 miles southwest of Chicago in rural Bureau County. Its hospital, St. Margaret’s, had the distinction this month of becoming the first healthcare facility in the US to close as the result of a ransomware attack. The closure reveals the real-life impact of digital threats. According to Spring Valley’s mayor, Melanie Malooley-Thompson, some residents will now have to travel about a half to reach the nearest emergency room and obstetrics services. That’s a long time to travel in an emergency.

A ransomware attack on a hospital can result in rerouting of ambulances, delays in treatment and patients receiving incorrect doses of medication.

A ransomware attack on a hospital can result in rerouting of ambulances, delays in treatment and patients receiving incorrect doses of medication. Indeed, such delays can be fatal.  Numerous studies have linked hospital downtime due to ransomware attacks and increased mortality rates. For instance, a ransomware attack on a hospital in Dusseldorf, Germany in 2020 contributed to the death of a woman who needed urgent treatment for an aortic aneurism.

Malooley-Thompson said, “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare.”

The attack that put Saint Margaret’s out of business actually occurred two years ago. And, it had no impact on the delivery of care. Rather, it prevented the hospital from submitting claims to Medicare, Medicaid and private health insurers—but it was too much for the hospital, reeling from COVID-19, to handle. Sister Suzanne Stahl, char of SMP Health, the hospital’s parent organization, said, “Due to a number of factors, such as the Covid-19 pandemic, the cyberattack on the computer system of St. Margaret’s Health, and a shortage of staff, it has become impossible to sustain our ministry. This saddens us greatly.”

The shuttering of Saint Margaret’s also made an impression on David Anderson, Chief Information Security Officer at Ensemble Health Partners, a healthcare revenue cycle management company. Anderson, who is a nurse by training, spent 27 years in cybersecurity roles in the US military and intelligence community.

David Anderson, CISO of Ensemble Health Partners

Anderson grew up in a rural area, so he understands the devastating consequences of a hospital closure. To him, the challenges facing Saint Margaret’s are common throughout the industry, but particularly difficult for facilities located outside of urban areas. He said, “We have a massive shortage in staffing. It’s very difficult to find and maintain qualified staff. And, when you’ve got the tight budgets that these smaller hospitals have, they have to make a choice between security and care.”

As he put it, “If it comes down to it, are you going to buy another CT scanner so you can provide care or are you going to put your money in something that still might be a little bit more nebulous, and you’re not certain what kind of impact you’re going to have?”

Anderson thinks the reality of Saint Margaret’s may change that calculus for other healthcare providers. As he said, “It comes down to a question of what’s our what’s our primary mission is patient care? Security is often viewed as a cost center rather than essentially insurance against an existential threat.” Now, the existential nature of the threat is manifest.

One relatively easy step for small, rural hospitals to take, according to Anderson, is to join the Health Information Sharing and Analysis Center (H-ISAC). This non-profit organization offers healthcare organizations a community and forum for coordinating physical and cyber threat intelligence. It costs $2,400, but that’s a tiny investment considering the potential benefits. “Joining H-ISAC can bring smaller facilities up to speed on the latest incident response playbooks,” Anderson added.

If it comes down to it, are you going to buy another CT scanner so you can provide care or are you going to put your money in something that still might be a little bit more nebulous, and you’re not certain what kind of impact you’re going to have? – David Anderson, CISO of Ensemble Health Partners

The staffing problem will not solve itself, however. For this, Anderson, and others, are pleased that the federal government is starting to focus on the issue. Last month, Missouri Senator Josh Hawley introduced legislation, S.1560, the Rural Hospital Cybersecurity Enhancement Act, which proposes to have the Cybersecurity and Infrastructure Security Agency (CISA) help rural hospitals with cyber workforce development. It’s hard to tell, based on the language of the bill, how this will actually work, but the underlying idea is a good one.

Senator Hawley is right to pay attention to this issue. The healthcare sector is at risk, with research in 2020 revealing that a third of healthcare organizations worldwide were victims of ransomware attacks. The pace of attacks does not appear to have let up.

It’s also probably time to factor in the bigger picture in these attacks. The identity of the attackers is not a complete mystery. They are predominantly criminal gangs, three quarters of whom come from Russia, according to the U.S .Department of the Treasury.

Only the naivest observer would wonder why gangs in Russia, which operate with the permission, or at the direction of the Putin regime, would target American healthcare providers. Yes, there’s money in it, but as the closure of Saint Margaret’s shows, the attacks also destabilize American communities. Given the proxy conflict in Ukraine, it would appear logical that Russia would attempt to attack the United States in any way it could. These are arguably acts of cyber terrorism, so it might be wise to consider responses and countermeasures that align with this interpretation of events.

We’re far enough along in the artificial intelligence hype cycle that it’s tempting to blow off warnings about new AI threats. And, most cybersecurity professionals understand that AI is not new, and has in fact been an ingredient in attack vectors for many years. However, complacency about AI is dangerous. We’re in the middle of a leap forward in AI capabilities, one that bestows new and frightening powers on hackers and fraudsters.

We’re in the middle of a leap forward in AI capabilities, one that bestows new and frightening powers on hackers and fraudsters.

Synthetic fraud, in particular, should be an area of concern as new advances in AI permeate the criminal world. Synthetic fraud involves creating fake human identities for the purpose of theft or account takeover. According to research from the US Federal Reserve, synthetic fraud accounted for losses of $20 billion in 2020. As AI becomes more sophisticated, that number is likely to grow significantly in the coming years.

I spoke about this issue recently with Nir Stern, VP of Product at AU10TIX, a forensic identity intelligence software company. Synthetic fraud is Stern’s day-to-day obsession. (What’s yours?) For him, AI is a dangerous accelerant for existing patterns of synthetic fraud.

He cites the potential for voice impersonation in social engineering attacks as one example. With the new generation of AI, a fraudster can grab a sample of a person’s voice from a brief phone call and then use that voice to trick even the best anti-fraud voice detection software. What’s particularly troubling for Stern is the potential scale of a problem like this. “It’s one thing to fool a single call center,” he said. “Now, with automation and AI, a criminal gang can fool a hundred thousand call centers at the same time.”

“We’re facing off against major criminal organizations. You have to assume they will get the technology they want.” – Nir Stern, VP of Product at AU1oTIX

As Stern likes to remind people, the adversary here is not a guy in a hoodie. “We’re facing off against major criminal organizations, often with thousands of people on their payrolls and hundreds of millions of dollars to spend ripping off some the biggest brands in the world. You have to assume they will get the technology they want.”

Nir Stern

Mass production of synthetic identities leads directly to mass attacks. This can take several different forms, according to Stern. A fraudster organization might create a million synthetic IDs and use them open a million accounts, e.g., at crypto services that offer a coin as a bonus for signing up. “By the time anyone notices, you might have millions in untraceable cryptocurrency out the door to users who don’t exist.”

Alternatively, fraudsters can copy a real person’s ID and use it to open accounts, steal merchandise, or launder money. One driver’s license, in his experience, can be duplicated in this kind of serial attack. Even if anti-fraud measures require the customer to submit a selfie to authenticate the driver’s license, deep fake photos generated with AI can outsmart the controls.

What can be done about this? “You have to bring a gun to this gunfight, so to speak,” Stern explained. “If AI is powering the attack, then AI needs to power the defense.” For example, as AU10TIX has found, it’s easier to spot synthetic IDs when technology is looking for them simultaneously across multiple fraud targets. “If you find the same driver’s license photo being submitted for verification at five different banks at the same time, each with a different name attached, you know you’ve got a serial synthetic fraud going on.”

“You have to bring a gun to this gunfight, so to speak…”

Making this happen requires specialized tooling, as well as agreements to cooperate by multiple companies. The key to success, as Stern relates, is to use AI and machine learning to fight on the same level as the fraudster.

Practical controls also help. For instance, Stern suggests that any kind of selfie verification require digital proof that an in-phone camera is being used, live, for the selfie. That way, it becomes a great deal more difficult for the fraudster to inject a deep fake photo into the process.

As we learn more about Jack Teixeira, the Air National Guard enlisted man accused of leaking sensitive intelligence documents over the Discord platform, the more ominous the story gets. New disturbing allegations include Teixeira planning assassinations and other shocking revelations about a young man who should never have had access to national security secrets, but did.

Color me not surprised. This episode reminds me of one of my most unpleasant experiences as a business owner. The IT support person at a web design agency I co-owned in the 1990s was a former Marine who had served with an ultra-elite Force Recon unit in Desert Storm. He was a friendly, clean cut young man to whom I imputed a great deal of honor and trust. This was an error on my part. Consumed with a false fear that he was about to lose his job, this dishonorable veteran took it upon himself to hack our files and email the company’s complete salary list to all our employees—causing irreparable damage to our business.

Military service does not (or should not) imply honor or trustworthiness. 

Military service does not (or should not) imply honor or trustworthiness. I realize this is heresy in this mind-numbing era of “support the troops,” but events show that misplaced trust is deadly. The military and intelligence communities trusted Chelsea Manning and Edward Snowden. How did that work out? Now, here we are, a decade later facing a nearly identical scenario.

What went wrong? David Ignatius offers some ideas in a Washington Post article titled “To stop intelligence leaks, assume there will be bad actors.” Yes, that’s a good idea, and not a moment too soon. David Greenglass, an Army Sergeant, stole nuclear secrets from the Manhattan Project nearly 80 years ago. Since then, we’ve had catastrophic insider attacks from Aldrich Ames, Robert Hanssen and many others.

It would be grossly unfair to say that the military and intelligence establishments do not put effort into stopping malicious insiders, but the results plainly show that their controls are not working. Ignatius cites James R. Clapper Jr., the former director of national intelligence who led the Pentagon’s post-Manning investigation, who said that new rules were established by the DoD after the Manning incident, but, as he put it, “Enforcement was uneven across the Defense Department, and control eroded over time because the restrictions were seen as onerous and inefficient.”

Zero Trust is not a bad idea, but it presents several serious problems.

Ignatius offers a solution, likely whispered in his ear by a defense contractor, which is to implement a “Zero Trust” architecture across the DoD and other areas of the government where secrets lurk. As it happens, Zero Trust is already on the agenda, at least based on the 2021 Biden administration’s Executive Order on Improving the Nation’s Cybersecurity, which stated, “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture.”

Zero Trust is not a bad idea, but it presents several serious problems. One is simply a matter of implementation. Military and intelligence IT infrastructure is complex and layered with ossified and opaque legacy systems. Any changes to them are challenging, and organizational obstacles can cripple even the most well-intentioned efforts.

Indeed, five months after the Biden order on Zero Trust, Nicolas M. Chaillan, the first person ever to be appointed chief software officer of the US Air Force, noisily resigned from his post in exasperation. He was fed up with the fool’s errand he had been sent on to get Air Force software teams to implement DevSecOps, which would embed better security countermeasures into Air Force applications.

Five months after the Biden order on Zero Trust, Nicolas M. Chaillan, the first person ever to be appointed chief software officer of the US Air Force, noisily resigned from his post in exasperation.

Then, there’s the matter of trust itself. Zero Trust architecture assumes that an organization knows whom it can trust. Done right, it can verify the identity of a user seeking access and block untrusted individuals or devices. That’s fine, but Jack Teixeira would have sailed right through a Zero Trust access control layer. Zero Trust should include policies and procedures that avoid having to trust the zeros.

Clappers seem to understand this, because he’s later quoted in the article as saying, “’There needs to be a comprehensive system for monitoring electronic behavior’ at work by people with high security clearances.” It’s impossible to implement controls that will catch every suspicious attempt to access or exfiltrate sensitive data. However, it is possible to deploy AI-driven solutions that can scour internal networks and the worldwide internet itself, for evidence of intelligence leaks.

Zero Trust should include policies and procedures that avoid having to trust the zeros.

If such a system was in operation, it missed Teixeira’s alleged activities. This is an unacceptable failure of controls. What’s needed is more defense in depth, a layering of active controls over access, such as Zero Trust, augmented by passive controls that flag potential leaks before they spread. The Teixeira affair reveals the need for more, better countermeasures of these types.

A year ago, I wrote about El Al’s and American Airlines’ epic failures in rules-based systems and digital transformation. My point then was that digital transformation must involve deep thinking about the total customer experience, not just a narrow focus on systems and code. I am back on this beat to discuss a comparable set of failures on the part of Honda, maker of my 2022 Civic.

I am generally forgiving of lapses in service from major corporations. I’ve worked in large enterprises, so I empathize with the challenges of getting a lot of big moving parts to align. A mistake is a mistake. Forgive and move on. However, with Honda, the failures in product design and accompanying support are so pervasive that it reveals an underlying organizational rot—a rot that shows how difficult it can be to execute a digital product strategy.

Having attended business school in the early 1990s, I was raised to believe that Honda and its fellow Japanese manufacturers were working at a higher level of design and product marketing than their American counterparts. They could do no wrong, as they swept up market share with superior products at competitive prices. Every aspect of a car’s design was carefully thought through and executed with consumer-facing perfection.

How the mighty have fallen. My first brush with the peculiarities of a too-digital car occurred when I had to have my Honda towed. (I’d lost my key fob, a digital convenience that turned into a hassle when it disappeared.) There was no mechanical parking brake release in this electronics-heavy car. At least, none that I or the tow truck driver could find. Without the key fob, the car was anchored to the street. The tow truck had to drag the car up onto its bed to take it to the dealership, a time-consuming chore that could have damaged the car.

Then, my battery ran down when it was -7 degrees outside (-20 with wind chill). The electronic key fob did not work because there was no power. The hole for the backup key was not visible, so as my fingers froze, I finally realized the keyhole was hidden under the door handle. Whoever thought that up deserves a medal for absurdly bad design. It required three hands to manage, and even then, it took a good ten minutes to get the key to work. I risked frostbite to open my car door.

Then, because I’m not a car person, and it was pitch black outside, I could not find the hood release. I looked in the manual, but there was no reference in the index for how to release the hood. I finally found a YouTube video that explained it.

More recently, my son managed to lock himself out of the car while the engine was still running. For reasons that I cannot fathom, this switches off the car locks. We stood there watching the car run, unable to open the doors or the trunk. There is probably a security reason for this vehicular software design decision, but I cannot imagine what it is.

No problem. That’s what Honda Roadside Assistance is for, right? I called them and explained what was going on. I was sure they would have some simple fix, like click your heels together and say you want to be back in Kansas and the car will open. But no, the guy on the line had never heard of this problem. I suppose I was the first person in the history of this company to ever lock himself out of his car. He had nothing to offer other than sending a tow truck to give me a jump start. Sir, I said, my car is already running. I don’t need a jump start. He arranged for me to be towed to the dealership. I wasn’t sure what that would accomplish, but that was all he had on his rules-based system and its customer service scripts.

I called the dealership and asked if they could help me. They said they didn’t give mechanical advice over the phone. You’re welcome. They’d apparently never heard of this issue, either. Honda for the win, again.

A few minutes later, the car switched itself off and the doors unlocked. Why hadn’t the roadside assistance operator or dealership known about this? That would have required someone, or more likely some team of people, actually thinking through what happens when you drive a Honda civic in the real world. It would have required some coordination between the design team, the people who write the manuals and those who support the car once it’s been sold. None of that was happening.

Digital product transformation is a complex challenge in both technological and organizational terms. Cars now contain millions of lines of code. They are designed and manufactured through completely digital processes. The results can be impressive, but so can the unintended problems.

Each digital feature, like an electronic parking brake or an automated lock down if the motor is running, should be accompanied by some deep thinking about what can go wrong when these features cause unexpected difficulties. If the Honda of yore was still functioning, someone would have anticipated trouble and either changed the design or, at a minimum, made sure that roadside assistance had the information it needed to help customers solve the problem. Maybe it’s time for some analog transformation at Honda.

Photo by Liviu Gorincioi: https://www.pexels.com/photo/blue-car-parked-on-street-10339803/

I sat down recently with Neil Emeigh, CEO of Rayobyte, to discuss one of his favorite subjects: ethical scraping. According to Emeigh, Ethical scraping refers to the practice of collecting consumer data in a way that is respectful of users’ privacy and legal rights. He explained, “At Rayobyte, we believe that ethical data collection is a crucial part of the tech industry, and we’re proud to offer our products in a way that reflects this belief. When we source proxies, we always do so with the user’s knowledge and consent. We also ensure that the scraped data is used for legitimate purposes. Our goal is to provide each individual customer with a truly ethical and reliable experience and in return, we also require them to scrape within the legal boundaries of the United States. That legality often doesn’t permit the collection of consumer data that is protected by logins, and we also don’t allow such use cases ourselves.”

The rest of the conversation went like this:

Q:           How does the legality of web scraping affect the collection of consumer data?
A:            The legality of web scraping can have a significant impact on the collection of consumer data. In many cases, the collection of data through web scraping can be legal, as long as it is done in a way that respects users’ privacy and follows relevant laws and regulations. However, there are also cases where web scraping can be illegal, such as when it violates copyright, trademark, or other intellectual property laws, or when it violates anti-spam or anti-fraud laws.

At Rayobyte, we take the legality of web scraping very seriously, and we make sure that our customers follow all relevant laws and regulations when collecting consumer data. However, the legal landscape around web scraping is an evolving one, and we work closely with our customers to ensure that they are aware of any major legal changes.

Q:           What is the role of proxy services in ensuring ethical web scraping practices are followed?

A:            That’s a great question! I want to say proxy services play a crucial role in ensuring that ethical web scraping practices are followed by our customers. We can enforce ethical web scraping practices by providing our customers with clear guidelines and terms of service that outline what is considered ethical web scraping. This includes avoiding overloading a website with too many requests, respecting website terms of use, and making sure not to collect data outside publicly available sources.

What makes Rayobyte different is we go the extra mile to monitor our customers’ scraping activities and take appropriate actions if we detect any illegal behavior. This includes terminating service or blocking IP addresses if a customer is found to be engaging in illegal or unethical web scraping practices.

Overall, our role as a proxy service provider is to ensure that our customers can access data in a legal and ethical manner while protecting the privacy and security of internet users. We take pride in our commitment to ethical web scraping practices and strive to promote these practices within the industry.

Q:           In your experience, why do current methods of web scraping often fail to protect consumer data?

A:            Well, you know, the thing is, some web scrapers just don’t play by the rules, and that can put consumer data at risk. It’s important to follow ethical scraping practices and use trusted data sources to avoid collecting inaccurate or irrelevant data. Another reason could be the lack of clear guidelines and standards in the industry, which can make it challenging to ensure that user data is being protected. This is why we are also actively working to build an initiative called EWDCI – Ethical Web Data Collection Initiative, with fellow ethical proxy providers.

Q:           What steps can consumers take to safeguard their data when it is being collected through web scraping?

A:            Assuming by “consumers,” you mean people like you and me, the regular people, we go to the internet every day and interact with each other on social media, search for stuff we need, and so on~ I’m not sure we can continue living the way we are if we get too protective about keeping all our data to ourselves. Of course, we should be wary about sharing any sensitive information, but we also shouldn’t become too protected that we hamper our daily lives. We have to accept that we live in an era of free flow of information and acknowledge that to enjoy the perks of this era, we also have to participate in it. The important thing, in my opinion, is to decentralize the data, so that a few monopolistic entities can’t govern that. By offering the infrastructure to scrape, we give the power back to people in the sense that the utilization of data becomes democratic, and more use cases continue to benefit us without necessarily hampering the existence of that data in web.

Q:           How can companies and individuals conducting web scraping ensure their practices are compliant with privacy laws and regulations?

A:            So, if you’re a company or individual conducting web scraping, it’s essential to ensure you’re following the rules when it comes to privacy laws and regulations. That means doing your homework and understanding what’s required of you in terms of consent, data security, and transparency. It’s also crucial to use reputable proxy sources that you can trust, so you know that your effort to maintain ethics isn’t wasted. As I said that the legal landscape of web scraping is definitely an evolving scenario, so continue to keep yourself updated as well.

A:            How do proxy services factor into the equation when it comes to making web scraping more ethical and privacy-sensitive?

Q:           As a proxy provider, Rayobyte takes a proactive approach to promote ethical and legal web scraping practices. We require our customers to fill out a thorough “know your customer” form before allowing them to use our proxies, and we use various forms of monitoring & user authentication to enforce our ethical and legal policies.

While this approach may result in losing some potential customers, and we’ve had a fair share of them, we believe that it’s important to maintain a high level of accountability and responsibility to protect user privacy and promote responsible use of our services. I encourage other proxy services to start gatekeeping the same way if they’re not already.

Q:           In your opinion, what are the future of web scraping and data privacy, and how will these fields continue to evolve?

A:            The industry is rather new, and more & more people are becoming aware of how they can utilize data and enable their businesses to grow exponentially. When we continue to find more use cases, of course, more and more privacy concerns may also arise, which, by the way, is something we will always encourage.

I think the next big step for the scraping world would be to have a properly defined ethical use case that doesn’t vary state by state. And we can also contribute to the dialogue should the legislators ask to help shape how the ethical world of scraping looks like, for everyone involved. The use of data continues to benefit humanity, and I sincerely believe there is a win-win situation we can find involving all stakeholders.

An example of such a solution is Cash Raven. A product we’ve recently been working with that allows users to ‘rent out’ their IP addresses when they are not using and enables them to earn passive income that generates from the users who happens to lease the idle internet.

I reckon more innovative solutions like this will continue to surface.

Q:           Can you provide any examples of companies or organizations that have successfully implemented ethical web scraping practices and maintained consumer privacy?

A:            I am proud to say that so far that has been all our customers. We have a zero-tolerance policy for anything shady and we constantly monitor how our proxies are being used. So that’s all of our customers.