Cybersecurity Awareness for the Masses, Part III

For the third and final installment looking at the New America Cybersecurity Fellows’ favorite pop culture references, we look at cautionary tales. Having looked at inspirational references in Part I and specifically at examples of strong representation in Part II, we now turn to examples that either highlight risks, including through science fiction, or highlight the dangers of bad cybersecurity. Once again, let us know your favorite cybersecurity related pop references at @NewAmCyber.

David Forscey - Senior Policy Analyst at National Governors Association Center

Tomorrow Never Dies

On December 16, 1997, director Roger Spottiswoode introduced the world to Tomorrow Never Dies, a highly underrated James Bond film centered around a megalomaniac mogul, Elliot Carver (Jonathan Pryce), bent on dominating global media markets. As a popular depiction of cybersecurity challenges, this film deserves credit for its prescience and imagination. Carver’s plan involves manipulating GPS signals to send a British warship off course into Chinese territorial waters (fans know these waters really belong to Vietnam), triggering a dangerous slide toward World War III. The cyberattack at issue does not use exotic remote exploits. Instead, it employs an insider attack to make subtle changes to ordinary timing mechanisms. The attackers’ purpose is not to steal information or destroy systems, but rather to use disinformation to shape human action and alter global outcomes. As attack methods evolve and politics merge with cyberspace, we would do well to remember Elliot Carver.

Peter Singer - Strategist at New America

Independence Day

While I would like to reference "the worst hack in science fiction," I'll go with the laughable way that humans win Independence Day. The Aliens have a dominant military, the likes of which the world has never seen. And yet they have not put into place the most basic cybersecurity measures, which allows their defeat. That, of course, could never happen in the real world (he writes while leafing through a copy of the latest GAO report on how "nearly all" of US military systems built between 2012 and 2017, from the F-35 to missile launch systems, lacked basic measures all the way down to default passwords and proved "easy to hack").

Graham Webster - Editor at New America’s DigiChina Project

Liu Cixin’s "Three-Body" trilogy

In the Chinese context, especially observing from the United States, so much of cybersecurity is tied up with an epochal struggle to develop the most secure, advanced, and autonomous techno-industrial base possible. This is especially so given that, in the ZTE sanctions case, the U.S. government threatened to cut off a key Chinese firm’s access to crucial semiconductors or other products. When ZTE was really on the ropes, as our DigiChina project reported, Chinese leader Xi Jinping called for China to “cast aside illusions and rely on ourselves.” But what if an adversary prevents you from relying on yourself?

Humanity’s interstellar antagonists in Liu Cixin’s "Three-Body" trilogy are able to do just that through the “sophon lock.” Sophons are Liu’s invented physical phenomenon that allows communication, undetectable surveillance, and sabotage at a great distance and without the limitation of light speed. These capabilities combine to impose the sophon lock, which essentially freezes Earth's progress in physics and what Chinese leaders might call “core technologies” so that, as the story comes to a head, humanity’s enemies maintain an important technological edge. This physics-based IT asymmetry echoes the uncertain but not-totally-outlandish potential for disruptive asymmetry in quantum technologies in the mid-term future.

Natasha Cohen - Cybersecurity Fellow at New America’s Cybersecurity Initiative

Battlestar Galactica - 2003 Reboot

In Battlestar Galactica, the cybernetic antagonists of humanity, the Cylons, launch a surprise nuclear attack, wiping out most of the population of the Twelve Colonies. They also render most of the military ineffective by introducing malware into the military computer network. The Battlestar Galactica, which was in the process of being decommissioned and turned into a museum when the attack occurred, was never networked, so remains unaffected… a Ghost Fleet of sorts. There is a line in the first episode as a public affairs officer is giving a tour that describes how the Galactica is different than the rest of the modern fleet: “You will see things that look antiquated, even strange. Like phones with cords, awkward manual valves... it was all designed to operate against an enemy who could infiltrate and disrupt even the most basic of computer systems ... we looked backward for protection.”

This event brings up a number of prescient themes, such as the dangers of over-networking and linking systems together, as well as the conflict between security and convenience. It also sets up a terrific TV show plot.

Camille Stewart - Manager at Deloitte & Touche LLP

Grey’s Anatomy

I am a long-time Grey’s Anatomy fan so when a ransomware attack hit Grey Sloan Memorial last season, I was very interested to see if it would be true to life.

During this two episode storyline, the hacker used ransomware to lock the doctors out of their patients' electronic records, shut down systems, demand the ransom paid in bitcoin, sealed the blood bank doors, and tortured the hospital's inhabitants by cranking up the thermostat. While some of it was sensationalized for TV, the show highlighted the effect such an attack could have on patients, equipment, facilities, and staff. The connected nature of hospital systems, the inability to view medical charts, the vulnerability of necessary medical devices like CT scanners, and the difficulty in getting data back, if not backed up, all highlighted realistic effects of a ransomware attack on a hospital. Also, the FBI’s warning not to pay a ransomware demand unless it’s the last resort is real although much of the rest of that plotline is not. Overall, this depiction of the effects of a ransomware attack was a good introduction for a mainstream audience.

Here is some more detailed commentary on the accuracy of Episode 1 & Episode 2.

Robert Morgus - Sr. Policy Analyst at New America’s Cybersecurity Initiative

A Fire Upon the Deep

In Vernor Vinge's book A Fire Upon the Deep (1994), the galaxy is divided into four Zones of Thought: Unthinking Depths—innermost zone at the galactic core, the Slow Zone—where “Old Earth” resides, the Beyond, and the Transcend. Distance from the galactic core equates to greater the technological potential for civilizations and traveling between zones results in a real-time loss of capability.

Our heros, Pham and Ravna—human descendents in the Beyond—flee from a superintelligence: the Blight, beings from the Transcend. During their flight, a natural phenomenon sends a Slow Zone tsunami cascading into the Beyond, suddenly depriving groups of Beyond-level technology. In a desperate attempt to restore automation, the Blight conduct a digital attack via the “Net of a Million Lies” (a galactic internet… how fitting) co-opting the computing power of civilizations and things around them.

I love this depiction for two modern phenomena it foreshadows: First, the “Net of a Million Lies” is a hilarious/sad foreshadow of what our internet has become, where false, mis-, and dis-information seem as prevalent as valid info. Second, the Blight’s co-option of computing power mirrors the action of modern threat actors, who often coopt neutral computers to bolster computing power and/or obfuscate the source of attacks.

Dani Charles - CEO and Co-Founder of Charles Bernard Ventures

Parks & Recreation

To many, the internet is quickly becoming a scary place. Take, for example, the intro scene for Parks and Recreation Season 4 Episode 9. When Ron Swanson (Nick Offerman) discovers cookies are tracking him across the internet and that his home is viewable on Google Earth, he responds by throwing away his computer. This epitomizes a false choice that many people feel—use the internet and be constantly vulnerable, or don't use it at all (which isn't really an option at all). This feeling is further exacerbated by the constant stream of new risks/threats, shared via news stories, reports put out by security companies, and amplified by movies/shows that portray the internet as an ominous, ever-threatening environment. This is why Cybersecurity Awareness Month is so critical—it is a great time to remind people that all is not lost and that there are meaningful best practices they can leverage to allow them to enjoy their devices, the internet AND a better cybersecurity posture.

Nicholas Wright - Consultant, Intelligent Biology

Yes, Minister

Perhaps the most insightful fictional TV series about political decision-making in the last four decades is a wonderful 1980s BBC comedy: Yes Minister. Then Prime Minister Margaret Thatcher made a Yes Minister sketch, and PMs from Tony Blair to David Cameron note its veracity. It contains a lot related to current debates in cyber—and illustrates that many cyber or AI challenges, and their solutions, are not new at all.

Consider Episode 4, entitled "Big Brother", which first aired in 1980. Featuring the introduction of a new national integrated database, sectional bureaucratic interests block the introduction of privacy safeguards. They aren’t overcome by cogent argument. The Minister’s old-fashioned political tactics win the day on behalf of privacy—although as any viewer knows it could easily have gone the other way, and the Minister loses as many (or more) such battles than he wins.

Political and bureaucratic forces engage in eternal tussles, and not just in the US or UK. One may read Chinese AI policy and perceive a coherent—perhaps even threatening—strategy. But they are no more free of bureaucratic politics and clashing Ministries than the rest of us. Indeed, China has a good claim to the invention bureaucracy itself.

Ido Kilovaty - Law Professor, University of Tulsa College of Law

Black Mirror

I am personally a big fan of the “Hated in the Nation” episode of Black Mirror (S03E06). In that episode, detective Karin Parke (Kelly Macdonald) is summoned to investigate the death of different online personas. Parke discovers that the victims had been targeted with the Twitter hashtag #DeathTo, used against people who become public hate figures. One victim’s autopsy reveals an Autonomous Drone Insect (ADI), created to replace the now-extinct bee population, burrowed in her brain. Parke links the deaths to a website promoting a "game" where Twitter users can vote to kill a hated public figure, with the victim selected via the #DeathTo hashtag. The investigation leads to the conclusion that the ADIs find their targets using advanced facial recognition software, and this can only be possible if the company who developed these ADIs had access to government records. As a result, the government is forced to admit that it is covertly using ADIs for mass public surveillance, as this was the only incentive to back the project with the funds necessary to make it successful.

This is an example that demonstrates the growing cybersecurity threat of autonomous drones, facial recognition, and the risks associated with bulk government surveillance.

Justin Sherman - Student at Duke University

Veep

In season 5, episode 3 of HBO’s Veep, President Selina Meyer (Julia Louis-Dreyfus) is dealing with the fallout of a tweet she should not have sent—for what she thought was a private message ends up broadcasted from the POTUS Twitter account. (In the name of full transparency, this episode ran back in 2016 before Donald Trump was himself POTUS. Props for good writing!) This questionable tweet happens to coincide with a Chinese breach of several government systems, which Selina decides to publicly announce and then attribute as the cause of the tweet. “Can I really blame another country for something they didn’t do?” she asks one of her advisers of the cyber incident. Of course, replies her chief of staff. “It’s been the cornerstone of American foreign policy since the Spanish-American War.”

What I love about this bit—included, of all things, in a political satire—is that it communicates several important aspects of cybersecurity at the national level: The public was not aware of the data breach, which meant the discloser could control the narrative. It was too soon after the incident for any private or third-party entity to reasonably pin down attribution, which meant the government could again point fingers with little challenge. But that still didn’t mean others wouldn’t know—indeed, the Chinese President later confronts Selina about her false accusations during a private meeting (leveraging her lie back against her). It’s all useful commentary buried in an otherwise over-the-top show! And with this episode, of course, you also learn to always be careful of what you tweet.

Sharon Bradford Franklin - Co-Director at New America’s Cybersecurity Initiative

Her

The movie Her won the Academy Award for the best original screenplay in 2014. It portrays a man, Theodore, who falls in love with his operating system (OS), for whom he picks a female voice, and she names herself Samantha. Samantha embodies so many of the hopes and fears that we all have for artificial intelligence. Her capabilities are highly impressive and continually improving at exponential speed. On the other hand, when Samantha begins to take over Theodore's work as a writer as well as his emotions, she embodies the fears of many that AI could take over our lives, surpass our abilities, and control us. Hopefully, we will all learn how to take advantage of AI's benefits, craft AI systems with appropriate safeguards, and maintain a healthy balance in our lives.