The multiple aspects of cybersecurity (attacks, investigations, defence, disloyal employees, negligence, etc.) have been part of the plot of countless movies and TV series for years. In today’s society, with a part of the population born with mobile phones in their hands and universal Wifi, talk of “hackers”, “malware” or “cyber-attacks” is commonplace and no one is surprised. Both the one (the evil villains or those who help them) and the other (the victims, not always passive) are often caught in the middle of a cyber-epic struggle of good versus evil in the form of investigative agencies, elite police forces and other groups of “do-gooders” who save us from all evil (or try with all their might).
As with other technologies (particularly robotics and artificial intelligence), the film/TV production industry is not going to risk a big hit with audiences by being overly purist in the more technical details. As a result, we constantly see the most creative interpretations of the possibilities of technology and of each other’s abilities on the big screen.
We will use 10 films or TV/Streaming series to illustrate, in this article, how reality and fiction, when it comes to cyber security, can be separated by abysmal distances. The end justifies the means, as we all know.
- Not everyone is a script kiddie: Ever since going online was a matter of knowing the right phone number and having a modem set up, the archetype of the solitary, tech-savvy young techie who compulsively consumes knowledge and challenges himself by trying out new techniques of intrusion and compromise, often for the sheer pleasure of it, has been cultivated.
- Although this profile of malicious actor exists and is common in today’s society (who hasn’t looked on Youtube for a tutorial on something?) it is not representative when it comes to drawing a map of really dangerous actors where we will have as leaders the professionals of organised crime, intelligence agencies, digital mercenaries, etc.
- These people that we witnessed being born as icons in the classic film “WarGames” (1983) are a constant in our immediate surroundings, but beyond the pranks (some try to change their class grades as in the famous film) and hacktivism, they do not usually go beyond attempts at fraud, small scams on the Internet, etc. So, they are not really representative of the cybercrime sector.
- Lone wolves and other profile features: In order to increase the drama of the script, we can all agree that “lone hacker in our film wolves” (regardless of their age and gender) are very suitable characters. Former members of intelligence agencies, elite hackers with a desire for revenge and a long etcetera, make up a huge pool of candidates to be the perfect script.
- As with the first point, it is obvious to say that, while both profiles exist in the team of malicious actors, most of today’s organised cybercrime is made up of thousands of mercenaries of all ages and types whose only goal is to make money and prosper in the organisation. Lone wolves (for revenge or on a mission) do exist, but they certainly do not represent this group.
- The film “Sneakers” (1992) is a nice example of how in “reality” these teams of experts (in this case, a charming team of ethical hackers) are put together. The same applies to police units and other groups: more experienced professionals combined with younger people (and in some cases, redeemed cybercriminals), all united with a common goal: to attack or defend (the famous metaphor of the red and blue teams).
- Type fast, type better: One of the most comical effects, perhaps, in today’s cinema and in terms of cybersecurity, is that all the experts in the field must type at full speed, stringing together very long commands, with complex instructions, etc. Without respite or error. Whether you’re wearing gloves, injured, at a cash machine keyboard, or the world is collapsing around you.
- Immediacy of access: It is easy to remember scenes in recent productions where the protagonist has to enter a remote system (or a personal computer in front of him) that he does not know and of which he has no prior knowledge (the script has already given us this information to increase the complexity) and he succeeds without hesitation and in a few moments.
- While it is true that, in many cases, it may be relatively easy for a trained and prepared person (both conditions are necessary) to perform an intrusion, it seems unlikely that in general it will be done in a few seconds, without errors, without downloading (almost never happens) any supporting tools, without checking existing vulnerabilities, etc.
- That sort of magic universal password (no two-factor authentication or address-locking) is often the result of some prior work (e.g., sending a malware email that includes a password-capturing tool) or at least known vulnerability checks or a couple of trivial password tries.
- The latest instalment of the “Jason Bourne” saga is littered with such scenes where the viewer must assume that the CIA bypasses all sorts of legal delays and ethical dilemmas in the relentless pursuit of its target as one after another, all systems are accessed with enviable comfort.
- Prior knowledge of all types of systems and platforms: Another recurring theme in the film is the attacker’s universal knowledge of all types of systems and platforms that the victims use on a regular basis and the obvious simplicity of their use: industrial control systems, air traffic control, nuclear weapons, electric lighting or autonomous cars.
- However professional we may believe the attackers to be (almost always elite hackers, three-letter agencies, etc.) it does not seem very convincing that whatever the system, the actor moves with total agility (it always seems that they are connecting for the first time) through the console (ignoring that these systems have multiple access security measures that disappear and that the actor would have installed the necessary software on their computer) and that even overcoming the language barrier (Mandarin, Arabic, Russian, etc.) the attacker does not hesitate to choose the perfect option to (without further checking) turn off the power in half of the state of California.
- The cute fourth part of the “Live Free or Die Hard” saga, is full of all kinds of poetic licences in terms of industrial control (lighting in the tunnel, the power plant, the federal reserve, etc.)
- Information connected between some systems and others: Another great reality in current information systems is that the format in which the information is treated is not standardised beyond the obvious, the clearest case being that of car number plates, telephone numbers or identification numbers (such as ID numbers).
- It is therefore surprising that when our elite team (from the “good guys” team) gets the first piece of information (a blurred car number plate at a tollbooth), they get within seconds the position of the car, the mobile phone, the subject’s high school grades and his military record (as they were almost always members of the special forces before they became serial killers or mercenaries.
- Considering the current population of the USA and that a combination of a first name and a single surname will almost always give thousands of results, it seems curious that the first face that appears on the screen when typing the name “John X. Smith” is exactly that of the villain (the photo will be recent, of course).
- Series in which individuals are constantly located, often abuse these resources as in the case of the NCIS series, being surprising that we never have problems with the format of the data, telephone prefixes, postcodes, initials in proper names, etc.
- With their bare hands: Those of us who watched the TV series in the 0s (“McGyver“, we had a remake a few years ago, for the new generations) smile every time a cybersecurity expert gets to work on our favourite film production, without having any initial resources.
- In the scenes we see on the screen, our protagonist will have only a portable video game console (wireless connection, we assume, of course), an old mobile phone or the old PC of a library in some town in North Dakota. However, within minutes, he will have gained access to the federal reserve or the air traffic control centre at Washington airport (Dulles, D.C).
- Some scenes in films such as “The Net” (1995) can be framed in this way, when the bad guys or the protagonist do all kinds of cybernetic balancing on computers used randomly anywhere.
- Ubiquitous collateral information: Any “cyber” scene in today’s cinema usually involves infiltration of some remote system (bank, military environment, industrial control, etc.) to perform a necessary action (stealing money or cryptocurrencies, perhaps from the bad guys’ team) for a specific purpose (launching the missiles without human control).
- To carry out these actions, our hero or heroine (or diverse team of people with multiple skills, all complementary to each other) will make clear to us their extensive knowledge of technology and use advanced penetration techniques (not always shown, but always intuited) until they achieve their goal and smilingly shout out the timeless classic “We’re in!”!”.
- On the way to a successful connection and subsequent actions, we will be able to see on the screen, surprisingly, countless drawings of parts, architectural diagrams of buildings, sewerage plans, power lines, private security systems, modules of a factory or power plant, etc.
- No matter how old the building or environment and how private and protected the information on the screen is, the plans will show us all these pieces of information in an accelerated way to make us understand that despite the hacker’s skills, the collateral information shown covers the most “miraculous” part of the exploit. In the interesting “Enemy of the state” (1998), the bad guys’ team (the NSA misdirected by an unscrupulous and unsupervised manager) makes use, time and again, of these miraculous resources to try to destroy the poor protagonist’s life.
- We have our system perfectly prepared: Another of the great poetic licences of productions is that of the perfectly prepared “actor”. It doesn’t matter if the protagonist is in the middle of the desert armed only with a Swiss Army knife (see myth number 7) or if he is in his “lair” with his super laptop (let’s not forget the stickers, the low light and the hood) moving with total agility from one system to another, from one technology to another, while his fingers dance on a geek keyboard full of LED lights or stickers with emoticons.
- Logically, everything would lose its magic, if the actor had to change tools many times, download a new utility, search in Github for some software of interest, etc.
- In some blockbusters such as “Blackhat” we can see this kind of compulsive actions where it doesn’t matter the environment where we move, the attacker always has everything ready, the software installed, etc. Everything works perfectly, then we can see our star typing at full speed while things happen suddenly (without intermediate errors, of course).
- Constant violation of legal requirements. Although we can all understand that some police operations in cyberspace are especially critical and urgent (perhaps trying to prevent a terrorist attack at the last moment), all intelligence agencies, police units, etc., have to strictly follow the regulations that apply in that region and scenario (as well as a basic code of ethics) and therefore court orders, permissions from users, service providers, groups, etc., have to be requested.
- Of course, it is not usually convenient for the agility of the script to have to “stop the action” every few steps, waiting for the “paperwork” and the presumed slowness of the corresponding judicial system.
- The vast majority of cases in series such as “Criminal Minds” or “FBI” where the analyst jumps from flight reservations to credit card payments after seeing what they had for dinner at the nearby restaurant, seem hardly credible (from a legal perspective) considering the sequence of steps required in most countries that protect civil rights and privacy of citizens.
So, the next time we watch a streaming series, or a big movie premiere and a guy comes out typing fast in the dark, hiding his face with a hood while the world succumbs… you know what you must do: enjoy the show (which should always go on) and forget the level of realism used.
By the way, using the term hacker always for the case we all imagine is as inaccurate as it is unfair, but we’d better look at that in another post. 😊