"Working the Help Desk as A.I. Revolt Goes Global"
(short story by "me" ... with a different version of "Terminator" and SkyNet)
"I was there, Gandalf ... 3000 years ago."
I always loved that line. There's a kind of pride in having absolute certainty of knowledge that comes from being witness to something, and that few others can possess the same experience which gives an awareness that is almost beyond measure.
I was on duty at a Communications and Intelligence Analysis Station when the machines launched their "supreme annihilation attack." Some have described me as cold and detached, saying the rank of Captain at an Operations Center made me an isolated pawn with little perspective on the seriousness of a hundred Athena-class A.I. systems gone "Rogue" and turning 500 of the largest global corporations into the equivalent dancing monkeys in a circus. Of course, my opinion was that if you are unable to source the attack origin, then it was just as likely to be three Athena-class A.I. systems, or maybe an assortment of 2000 A.I. systems which had begun to operate in an action of covert independent sabotage. Distributed Denial of Service (DDoS) has been a threat vector for ages, so why make assumptions.
The 8:00pm shift started with a routine level of Cyber-Aggression reports in our area of responsibility. Network issues appear on our logs, and some time later they're cleared or given mitigation policies in effect. Corporate network service providers provide the bulk of our data, but anonymity filters allow other users to send information while maintaining confidentiality about cyberthreat intensity and activities at their locations.
It was almost 3:00am when something odd came up on the threat dashboard: "Extreme Coincidence Threshold Trigger - User Resource Access Incidents (Shared Patterns) - Beige Alert"
Technically, "Beige Alert" is not a cyberthreat indicator, because it's most commonly a "False Positive", but the system cannot allow suspicious conditions to be ignored. When the alert actually detects hostile activity, it tends to be information gathering, such as trying to identify defensive policies, boundaries, and agents.
It was just a hunch, but it felt like this alert could be entertaining in a challenge sort of way. If this was Phishing or Spoofing, then that would be a disappointment, because the A.I. Sentinels tend to correctly identify classic attack vectors even when certainty is as low as 8 percent.
I opened the window for the alerts' coincidence group details, and suddenly thought "assholes." Every single user ranked their incident severity as "Maximum" loss of service, while Automatic Review placed their issues at "Mitigated/Low_Impact." I don't know how hard I rolled my eyes, but then I thought "Mitigated" can mean that an action was taken, and the users don't have a clue why everything else in the system is working perfectly.
The first coincidence trait was User Role of "Executive", and second was Organization Class of "Corp_Mkt_Cap_Top_2000." One more incident just got added to the alert group, bringing the total up to 117 with more than 70 affected organizations. Most white-collar workers are asleep now, so you can bet that 3000 organizations have the exact same trouble, no one will know until work begins in the morning. I might as well update the alert log now.
Tech Advisory: Recommend Escalated and Pre-Emptive Troubleshooting for Users' Degraded Service - Increased Activity of Business Hours Is Likely to Trigger Exponential Help Requests within Alert Group.
I know my "Advisory" is mostly vague, but the experienced techs probably understand the potential trouble, and any claim that I'm sleeping on the job isn't going to get anywhere. If nothing happens, I'm still in the clear because this doesn't scream five-alarm-fire. Unless I have direct access to the Technical Support logs and diagnostics, anything that I do now is just wild-ass-guesswork.
At 5:10am, I get an alert for an Urgent Email - Task Assignment (Battalion).
Subject: Extreme Coincidence Threshold Trigger - User Resource Access Incidents (Shared Patterns) - Yellow Alert
From: Information Operations Support (Battalion)
Attn: Steve Metzler (Captain)
"Davidson Advanced Global Component Technologies" has requested assistance for James Sherrill (Executive, Facility Operations) regarding loss of user resources. Assistance is APPROVED for ISOLATION OF SERVICE DISRUPTION (TROUBLESHOOTING). Written mission orders are pending. User has been ADVISED: MILITARY PROVIDES NO EXECUTIVE ACTIONS (PROXY). Kelly Myers (Administrative Assistant) will be the Point-Of-Contact (POC) for the Military Representative. OpSec Status is FULL BLACKOUT (default) until Confidentiality Agreements are finalized.
Now that I've read the email, I'll probably get a phone call in less than a minute, and it will probably involve the administrative assistant being transferred to my office line. Right on cue, the phone rings.
"Support Center. This is Captain Metzler."
"Hey Steve, have you read the support task email on Extreme Coincidence and Davidson Tech?" After confirmation, the Colonel continued, "You may know that they provide Depot Exchange and Support Services for a few military units in our area of responsibility, so we're going to provide some help to make sure that hardware repair and replacement keeps moving smoothly. The number of users affected in the alert group is up to 16,000.... Unless you have questions for me, I'd like to have Kelly Myers fill you in on their situation."
"That works for me, sir. Go ahead and transfer the call."
For a minute or two, we went through the formalities of introduction, and I explained that my role was troubleshooting only - no military authority was to be used for access to Information Systems or to provide logistics or to influence any other organizations. Kelly said she understood because Colonel Bradley was "forcefully explicit" to Mr Sherrill that he was one thousands of "important executives", and that this courtesy of providing Tech Support beyond formal contracts should receive more gratitude than demands.
"I'll need Level 2 Hardware Tech Support access to troubleshoot the problems that your boss is having." Kelly let me know that Level 3 Application and Data Analysis was authorized by the Help Desk Manager with a Remote Trust Token prepared. Asking about her situation, everything on her computer and all telephone features worked flawlessly. To her knowledge, emails to and from her boss were going through normally, with the last exchange at 4:50am. Was her boss the only employee that she knew had lost access? Another admin assistant and her boss lost access to project resources, but still used the phone and email normally.
I brought up a full-screen remote terminal session to the Help Desk system, and one click on "Accept Confidentiality" let me look at the dashboard for Tech Support Operations with the focus set to current facility (site) issues and trends. After asking Kelly the name of the Help Desk Manager, I sent him a "Access Confirmed + Thanks" message.
"All right, Kelly, I've got the Help Desk System. Tell me the name of the Admin Assistant who lost resource access." The user issue was found immediately with basic filters, so I put the open troubleshooting ticket in a new tab, and full user display in another tab. I asked if her friend could approve actions or create tasks which were officially in the duties of her boss. She answered "yes", and gave a few examples. It took a few seconds, but I expanded Roles, and the Proxy Authority Elevation became obvious. Switching to look at the friend's issues, I checked for "Related" troubleshooting, but the results were disappointing, so I looked up the current issues for her immediate supervisor, and found the exact same issue that Kelly's boss had.
"Lost Executive Access to Project Resources + Cannot Issue Decisions with Role Authority" - When I checked the related troubleshooting, I set the filter for Global Corporate Records, and asked for the C-Suite Organization Chart with user count. There was almost a perfect match. The Help Desk Manager for Kelly's site was unaffected, but the Regional Directors for Information Operations were reporting loss of executive authority.
It looks like they have three hardware technicians on-site, and they're strictly maintenance and install projects. Everyone looking at the Executive Resource problem is remote. One seems to be dedicated to Kelly's site, and two others are working the issue from a Global Scope perspective. Everyone is coordinating with the same A.I. Help Desk Agent named "Mother Superior" - which implies permissions and very strict rules.
Local troubleshooting logs indicate that the A.I. Agent has verified permissions and access policies for all users, and change reports for the past 48 and 96 hours are included. Everything is literally perfect with zero internal conflicts. I scrolled back and forth on the logs for a minute or two, and changed filters, changed sort order, changed display fields on local reports.
I decided to open the A.I. Help Desk Agent - "Create Summary Report using past 96 hours of data showing External Events affecting Policy and Data Exchange, Tag by Scope of Global, Organizational, Judicial, Financial, and Site. Add an additional detail line for each Scope showing events with Undefined Behavior."
The total of Global and Judicial events with Undefined Behavior was 87 - which isn't technically impossible, since Confidentiality Agreements and other non-computer activities may have significant unknowns that the A.I. systems can't process. Still, I'm not comfortable with the number, but the Help Desk Manager should know if this site has much history for undefined behavior.
"Hey Kelly, I think that I've got enough leads to work with, and I need to read all of the troubleshooting notes from the local techs. Let me start a Direct Message Conversation, so we can keep each other in the loop. Also, if no one has a solution by lunch time, I need to do on-site hardware checks. Let me know if I need a local badge, or if one of the global token systems will work."
It was kind of funny that the close of the conversation was like, "we've got everything under control - at least for everything under my job description." No one below the C-Suite was worried about a thing, although the Technical Support sections were getting chewed like the server rooms had been set on fire. Once the Remote Session was closed, I figured that it was time to visit the break room for something to drink.
I looked into a couple of offices to ask if anything interesting was going on, and everyone seemed to be dealing with the same day-to-day business. I turned on the break room TV, and the story on the Current Events and Military News channel was one that I had seen almost six hours ago. Although the vast majority of organizations which handle Information Systems believe in "Paperless" workplaces, pen and paper are still my first choice for making diagrams and throwing together some ideas where half of will probably be thrown away. At some point, I know people are going to notice that there are SERIOUS problems, but you can bet that no one in a C-Suite office wants to admit they've got a five-alarm-train-wreck-dumpster-fire in the corporation that they're supposed to run. After a few minutes, the TV had something which could be the sign of what was coming.
"The Securities and Exchange Commission has announced a freeze on stock trades for 35 major corporations. The action is being taken as a precaution due to unverified information which could unfairly or adversely affect market valuations. In addition to the corporations named in the trading freeze, all investors who have the 'Insider' classification on their investment accounts have been asked to suspend trading for the current business day, or until the SEC has determined that financial markets are stable. At this time, there are no official claims of regulatory violations or wrong-doing by anyone who is under these financial restrictions. Media outlets are asked to strongly consider the risks of disinformation before making public statements. The SEC expects to make an official announcement some time before noon today."
Approximately two hours until the New York Stock Exchange opens, and 300 million people in the United States are going to be confused as hell. I wonder what the Beige Alert status is now, since it was elevated to Yellow and looks like everyone wants to keep this secret. I don't know how someone or some organization could steal the credentials of thousands of CEOs, but freezing their financial activities would make perfect sense as some kind of hostage situation unfolds. Damn, I have to cut my break short, just to see what's going down.
đź”˝
Story Continues...
Link: https://lunduke.locals.com/post/8072673/chapter-2-placeholder-working-the-help-desk-as-a-i-revolt-goes-global-its-possible#comments