Project Maven Data Breach Alleged in Civil Suit

Cybersecurity

There has been a good deal of controversy, of late, surrounding Project Maven, the artificial intelligence project associated with drone warfare. Google recently announced they were withdrawing from the project. The rational was that project creep had occurred allowing Project Maven to even efficiently search captured hard drives.

Until last week, another company’s participation in the project had been rather low-key. That is until Wired reported on the claim from a former employee of Clarifai. The former employee announced in a civil matter that the company had been breached by Russian hackers and that information associated with Clarifai’s contract work with the Pentagon’s Project Maven had been compromised. The former employee, identified as Amy Liu, alleges that she was wrongfully terminated because she was too insistent within the company that the breach be reported to the Pentagon.

If true, Clarifia will find themselves in a kettle of hot water for failure to timely report the breach in accordance with current contractor mandates.  According to an excerpt from 32 CFR 236.4 –

When a contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein or that affects the contractor’s ability to provide operationally critical support, the contractor shall:

(1) Conduct a review for evidence of compromise of covered defense information including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the contractor’s ability to provide operationally critical support; and

(2) Rapidly report cyber incidents to DoD

But, according to Clarifia’s CEO, Matthew Zeiler, things may not be as they seem, or as has been reported. In a rather lengthy missive issued on June 13, Zeiler notes that the company intends to remain a part of Project Maven, as it aligns perfectly with company values and goals which are “to save the lives of soldiers and civilians alike.”

Zeiler continues his denial that the company suffered a breach at the hands of the Russians, as has been widely reported.  Zeiler tells us:

… we did not have a security incident putting government or other customer information at risk. Last fall, an untargeted bot was identified on an isolated research server located in a Clarifai datacenter. We quickly contained the situation and, with the services of an independent security firm, determined the bot did not access any data, algorithms or code.

… we were forthcoming with our customers about the incident. We voluntarily notified customers following a full assessment, including an external audit and report by a security firm. We notified the relevant team at the Department of Defense. Our customers and their information are our absolute top commitment, and it is a commitment we take very seriously. That is why we informed customers. We stand ready to address any remaining questions or concerns they may have

And there you have it.

Was there an event or a not?

The Pentagon will be making that decision, no doubt, in concert with Clarifia.  For now, all may not be as it appears in a civil wrongful termination lawsuit.  If something along these lines happens to you or your company, report the matter immediately to the contracting office at the Pentagon. There may be a bit of finger pointing when media learns of the breach, but as detailed in the recent incident; “China Steals U.S. Submarine Information”  reporting a breach or suspected breach is always the right course of action.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).

More in Cybersecurity