There’s an obsession nowadays. Everything needs to be connected. You don’t even need to go outside to see it – I bet your house is all linked up. The device you’re reading this on, of course, but also so many others. A little device that you give commands to while it listens to what you do. Maybe you’ve got those lightbulbs connected to an app on your phone. A coffee maker set to turn on when your alarm goes off. Or maybe, god forbid, you’re one of those idiots with a digital lock on their house. But that’s what I’m trying to say – this obsession with linking everything together on a network that, frankly, no one really understands? Bad idea. I mean, this is just your home – but imagine if you applied it to something big. Something important.
[LEXINGTON] – This morning, Federal Bureau of Investigation officials released their statement and timeline of events this past week at Davis Hill Hospital in the small town of Morgan, Virginia. The extended crisis at Davis Hill Hospital came to an abrupt and horrifying end on Saturday morning, when local police and FBI were unable to retake the hospital’s systems from the hackers who had taken control on Thursday night with 344 patients and staff still inside. Per the hackers’ demands, authorities were given 36 hours to produce four million dollars in cryptocurrency and send it to a digital address, or risk the lives of all the hostages. Any attempt to gain entry into the hospital would be responded to “with lethal force – for you and the patients”.
Connection is good, but it comes with risks. It’s like… building a puzzle. Think of your surface area as your ability to do things, and your perimeter as your risk factor. The bigger the puzzle gets, the more things you can do – make your cars smarter and safer, control crime, offer lower prices. Become more efficient at everything. But as it grows, as you add more fancy bells and whistles, so too does your risk factor. The desire for efficiency isn’t bad in and of itself, but it is when you don’t even realize the openings you’re leaving for anyone with the right knowledge and no moral scruples. People like you don’t even stop to think about the opportunities and the access you’re handing to people like me.
Within hours, the FBI Hostage Rescue Team had arrived and taken command of the situation from the Morgan Police Department. Despite the warnings not to approach the building (which had been transmitted, like all of the hackers’ demands, through the hospital’s outdoor LED sign), FBI teams attempted to ascertain whether they could safely enter and evacuate the hostages from the ground level. In response, the FBI now believed the hackers malfunctioned the hospital’s MESA Segregated Airlock System, an emergency system intended to curtail the spread of highly-contagious airborne diseases. Through the large windows, teams watched as the oxygen was sucked out of rooms the system had been fooled into believing were empty, suffocating several administrative staff and nurses. Upon FBI HRT’s retreat, oxygen was released back into the rooms.
In 2013, a highly-organized group of men with machine guns drove a pickup truck into a transformer station in the Bay Area. Over the next twenty minutes, they systematically riddled 17 transformers full of bullets before leaving without a trace. The only reason the entire Bay Area didn’t black out is because the energy companies diverted power from their Silicon Valley stations. What I mean to illustrate is that if you’re planning a domestic terror attack, the smart money doesn’t go for big dramatic symbols. Smart money goes for the Achilles’ heel: out-of-date, unprotected and critical infrastructure. The highways and power grids that hold this collective building together. Seize those, and you lock everyone out of their usual tools: you set the playbook now.
Despite the initial setback and significant public pressure, attempts to gain access into the hospital or its computer systems continued throughout the night and the next day as the FBI Cybercrime Task Force also arrived as support. An initial attempt to land a team on the roof of the hospital using a helicopter was warded away by the threat of plastic explosives planted around the hospital, including on key infrastructure, being detonated. As proof, a small shaped charge on the helipad was detonated, collapsing it. Flyarounds by news helicopters confirmed that the magnetic locks on almost all of the hospital’s doors had been remotely activated, sealing patients and doctors in. Davis Hill Hospital officials have since claimed that this system was put in place as a security measure after a mass shooting event in 2014 in which five people died of their wounds, including the gunman. This design, popular in high-risk facilities such as hospitals, schools, and government buildings, has since come under harsh criticism.
Another thing – and you’ll forgive me if I get a little philosophical, right? The digital revolution has already removed a lot of the human element from our lives. And that’s not always a bad thing. Sure, you don’t always want to know your pizza delivery guy on a first-name basis. That’s fine. But there are times when the system doesn’t work. Times when you need to talk to a person to sort something out, and that’s no longer an option. So you’re trapped in this Kafkaesque maze of webpages and contact emails and e-forms that don’t help you a bit. And that’s not even mentioning how much of our social interaction is through screens these days. All I’m saying is that computers have robbed us of a lot of the face-to-face interaction that so many of our systems are built and predicated upon. So what happens when it’s suddenly and totally snatched away?
By Friday evening, officials were under the added pressure of ensuring that patients in need of daily treatment received their medications. However, a key failure in FBI negotiation process quickly became apparent: that there was no one to negotiate with. The lack of a human actor or any way to contact them meant it was impossible to offer concessions or exchanges, much less employ the complex behavioral reading and conflict deescalation that FBI hostage negotiators are trained for. Officials could only watch helplessly as the tally of infection and diabetic patients who were believed dead without access to their medication grew. In the days since, sources within the FBI have said that they believe the subsequently large death toll was partially due to this; in traditional hostage situations, the perpetrators seeing and hearing their victims made actively executing them more difficult and psychologically traumatic. In what has come to be called the Davis Hill Incident, the hackers’ physical distance from the hostages may have created a psychological detachment of the kind observed in drone operators: killings are easier to commit and process as dots or numbers on a screen.
The point of what I’m trying to say is that information is the world’s biggest double-edged blade. It can be used to do great things. Make our lives easier, more convenient, more efficient. Empower us to achieve things that would have been in the realm of pure fantasy only a decade or two ago. But it also complicates things. It’s not a panacea; it’s simply powerful, without judgment or morality. How good or bad it is depends on the person using it. And for everything great it can do, you can use data to do some truly terrible things, in part because no one stops to think about what they’re using and why. In that chaos, in that heat of the moment, they don’t stop to question their senses. Tell them anything and they’ll believe anything.
It is yet unclear who gave the order for tactical units to breach into the hospital despite the threat of explosives, but shortly after dawn on Friday, with only four and a half hours remaining for the ransom to be paid, FBI Hostage Rescue Teams made their move. Using rubber bullets, snipers shattered as many windows as possible to counter the MESA system while SWAT teams breached the doors and moved in, evacuating civilians before moving to the next floor. At this point, the FBI believes the hackers blew shaped charges in electrical lines, cutting the power to the facility. The hostage rescue teams were unable to save the lives of 29 patients who died when their life support systems lost power; 8 others suffered permanent hypoxic brain damage. By the time all patients were evacuated from the hospital and bomb squads moved in to sweep the building, 52 people had been declared dead. In the end, no explosive devices were discovered in the hospital.
First responders and rescued hospital staff immediately began administering first aid to patients who had gone several hours without critical treatment or medication, but almost immediately noticed adverse reactions. Nursing staff were the first to note they had no memory of certain patients requiring the treatments and drugs that the hospital’s database reported they did. At this point, the parting gift from the hackers’ became clear: prior to cutting the power, they had shuffled and scrambled the patient database, swapping medications between patients. In the chaos of triage, it was not immediately noticed. Misapplied first aid resulted in dozens of additional casualties, and at least 6 more fatalities. FBI officials have stated that they believe this act was meant purely to slow down and stretch thin law enforcement resources while hackers exfiltrated from the system.
As the matter continues receiving national attention, there is significant reconsideration on the continued value of the government’s stance of not negotiating with terrorists. The FBI’s official statement affirms their commitment to finding the perpetrators of the ransomware attack, who are still unknown and at large.
But hey, that’s just a hypothetical, right?