Author: DPP

Are we fit for cyberwar? (3 / 3)

Many of the cyberattacks of recent years have involved the media industry.

4. Building Security

The Connectivity Paradox

As our experts make clear, the media industry is both vulnerable and difficult to corral. The very asset everyone is trying to protect is created, managed and moved between different environments throughout its lifecycle – from the field, to the facility, to the distributor. It is handled by an almost bewildering range of individuals, with different skills and priorities, working in a highly distributed yet interdependent supply chain.

“The moment data moves is when it’s at its weakest. When you’re on location, you may not have the infrastructure to be able to shift that data over a secure pipeline, so you just have to put it on a physical drive, and trust the courier or runner. When in post production you may be getting footage from all around the world; and you may be collaborating with several people internationally. So you need to be online. You can try and create air gaps, and separate sub networks, but – especially with tight deadlines – you just have to keep reassessing the risk in the security policies you put in place.”

There is a paradox. Production companies are sold the benefits of connected tools and services. And in the next breath they are told that to be online is to be at risk from cyber attack. It would be logical for them to conclude safety lies in being offline.

“We’ve had projects where somebody is working undercover with extremist groups. We had to secure that data and make sure nobody could look at it, so we literally put it on a hard drive and locked it in a room. It was the most secure way we could deal with it because putting it onto any kind of platform felt too risky.”

But although such solutions might feel like the safest option, it is almost impossible for any data, in any environment, to escape entirely the risk of being stolen or disrupted. In a world of so many connected devices, nothing is ever truly offline.

“There’s a misconception that being disconnected from the world is by itself a security solution. We call it security by insecurity, because nowadays you’ve got data bearing devices – a smartphone, USB drive, laptop, tablet, that can be used to steal information, even if that information is disconnected. Indeed, someone could be just standing there on location taking production stills and they would be taking information off set.”

The lines between online and offline are becoming blurred. Online systems can be taken offline by attacking the systems that support them – such as cooling and power. Offline data can be brought online via a mobile capture device.

So, in the face of so much complexity, how can we begin to turn good security into a habit?

Passwords, Policies and Processes

“If there was one single piece of best practice I would ask people to follow it would be to use a password manager. It’s that basic an issue. If we got the production community really thinking about not reusing passwords, it would make a dramatic difference.”

Others go further and see the very existence of passwords as a problem to be overcome.

“I think we need to get away from using passwords: passwords are dead. It would be far more effective to use pass phrases. For example, a pass phrase such as ‘I love IBC’ with spaces in the middle will take about three years to hack. But ‘IloveIBC’ as a password, even if it is made more complicated by special characters, but with no spaces, would probably take about 36 hours to hack.”

This frustration felt about passwords perfectly expresses the need for a common understanding of basic policies and processes – and of who has responsibility for them.
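The passphrase quote above rests on a simple observation: against exhaustive guessing, length matters far more than sprinkling in special characters. The following Python example is added here to illustrate that arithmetic; it is not code from the DPP report or its contributors. It estimates the brute-force search space of a secret from the character classes it uses and its length, then compares the two secrets from the quote. The character-class sizes and the guess rate are assumptions chosen for the example; absolute times change completely with the guess rate (which is why published "time to crack" figures differ so widely), but the ratio between the two secrets does not.

```python
import math

# Conventional character-class sizes used to estimate the search space an
# exhaustive guessing attack would have to cover (assumption for this example,
# not a figure from the DPP report).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,  # printable ASCII punctuation, space included
}


def charset_size(secret: str) -> int:
    """Size of the smallest conventional character set that covers every
    character in `secret`. An attacker who knows only letters are in use
    has no reason to search digits or symbols, so that is the pessimistic
    (defender's) assumption."""
    size = 0
    if any(c.islower() for c in secret):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in secret):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in secret):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in secret):
        size += CLASS_SIZES["symbol"]
    return size


def combinations(secret: str) -> int:
    """Number of candidates an exhaustive search must cover: charset ** length."""
    return charset_size(secret) ** len(secret)


def entropy_bits(secret: str) -> float:
    """Brute-force entropy in bits: log2(charset ** length)."""
    return len(secret) * math.log2(charset_size(secret))


def years_to_exhaust(secret: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return combinations(secret) / guesses_per_second / (365 * 24 * 3600)


def strength_ratio(weaker: str, stronger: str) -> float:
    """How many times larger the search space of `stronger` is than `weaker`.
    Independent of the guess rate, unlike the absolute times."""
    return combinations(stronger) / combinations(weaker)


if __name__ == "__main__":
    # The two secrets from the quote; the guess rate is a constructed figure.
    password = "IloveIBC"
    passphrase = "I love IBC"
    rate = 1e9  # guesses per second, assumed for illustration only

    for secret in (password, passphrase):
        print(f"{secret!r}: charset {charset_size(secret)}, length {len(secret)}, "
              f"{entropy_bits(secret):.1f} bits, "
              f"{years_to_exhaust(secret, rate):,.1f} years at {rate:.0e}/s")
    print(f"search-space ratio: {strength_ratio(password, passphrase):,.0f}x")
```

Two caveats for anyone using this as a policy input. First, the estimate assumes every candidate is equally likely; a passphrase built from three common words is weaker against a dictionary-based search than this brute-force figure suggests, so the length advantage is real but the bit count is an upper bound. Second, none of this protects a password that is reused: the password-manager point in the first quote addresses a different and larger risk than the strength of any single secret.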

“There’s a lack of understanding in this industry about where lines of responsibility lie. The system particularly breaks down when content goes to be modified, or distributed. There’s a mentality that if I am using a major provider, they are taking care of all aspects of security for me, and I don’t have to do anything. But you do, because the accountability is shared with the customer. On top of the provider’s security foundation, there’s all kinds of things that you need to take into account in your environment, such as password security, encryption, access control and rights management.”

“It’s true. We get so focused on making programmes that we just assume that our suppliers are using best practice. Collaborating and working together is going to be absolutely crucial if we are to understand what we don’t need to worry about as well as what we absolutely should pay attention to.”

Part of such collaboration would be the emergence of some basic, commonly agreed policies that companies of all sizes can use to reduce their risk.

“Cybersecurity is very similar to any kind of risk assessment. There are going to be areas of high and low risk. The concept of being totally secure is pretty aspirational. But whether you are an organisation that spends millions on security or one that spends very little, the fundamentals are the same.”

“It’s a multi layered approach, depending on circumstances. You might have to go through a metal detector to prevent you from bringing your smartphone onto set. It may be that USB drives are not allowed; or that you can only use devices issued by the production company or studio. It’s all about eliminating those opportunities for a breach that in turn reduces your attack surface.”

“Whether you are a two person or five thousand person organisation, it’s all about having plans. It might be as simple as getting all your devices validated by an expert; or phoning a third party to get forensic understanding of what’s happened around an attack. It all speeds the ability to notify the supply chain if there’s a problem.”

Although the centrality of creativity makes the media industry inherently averse to process, it is also an industry based on deliverables. Ultimately companies will do what they are told – as long as the compulsion comes from a key customer.

“If we’re up for a tender and the tender asks us to have something in place, that’s when we start reacting. So we’ve now got cyber insurance in place because a broadcaster has specifically insisted that we put it in. But then of course you look at the cyber insurance policy and you work backwards from the list of conditions and then you start putting them in.”

Perhaps the simplest way of establishing some basic, non-negotiable security processes is by building them into compulsory cybersecurity insurance cover. Unfortunately the insurance industry and media industry have been equally slow in understanding cybersecurity risks.

“Ten years ago the key risks for insurance brokers were fire and theft, because media kit was expensive. But the cost of the kit has come down so the theft issue has largely gone away. Now fire and cyber are overwhelmingly the two risks for the sector. Clients get the fire bit. The cyber bit they also get, but they don’t buy it.”

“I talked to an insurance company yesterday and their question to me was ‘how on earth do I price this?’ Cyber insurance is still a little immature. A car or house has a value. But the material impact of a security breach is very difficult to quantify. So currently cyber insurance is either priced prohibitively high, or so low that it’s commercially unviable. But I think this will start to level out in the next 12 to 18 months as insurance companies get a handle on the subject.”

“We tell the insurance industry to think of it like a percentage of body fat score. Your doctor can assess your health by saying you’re a 45 year old man, you should probably have a body fat score around 23%; 21% would be better; 30% would be a big problem. That’s how you assess cybersecurity. You say: do they have a strategy, do they have the staff, did they do a risk assessment, are they doing the basics? Then you take a holistic score.”

Once cyber insurance has matured, it could be a very effective means of ensuring the basics are in place – much like the need for door and window locks on a house.

“At the end of the day, there are huge areas of negligence within companies that are provable – such as the user getting compromised because they had a default password.”

But insurance providers will always struggle to price the true impact of a major attack; so it would be a mistake for any company to think insurance cover – never mind how substantial – provides all the protection they need.

“The real cost is reputational. Cyber insurance does not cover that. Look what happens inside a corporation when there’s a breach. You lose 15% off your market value overnight. Your executives are now sitting in a crisis management room rather than doing their real jobs. None of that is covered by cyber insurance.”

Strength in Numbers

Our experts were unanimous in their view that openness and collaboration are the key characteristics of any industry that has gained a mature understanding of cybersecurity.

“The most important thing in establishing best practice is to break down the silos. Be very open; be willing to talk about security. The more the industry talks about it, the more likely it is that people will include security and how it’s approached as part of the wider conversation.”

“We’re all competitors; but we don’t compete at the level of security. We work together with our competitors, because we’re all seeing different parts of the same thing, and only by talking together and sharing information do we get the full picture. So it’s important to look at the more mature security organisations and their models and how they communicate with other groups. Don’t be afraid, don’t be shy.”

A failure to collaborate only gives the criminals an unfair advantage – because they don’t hesitate to work together.

“The bad guys share. If you go on the dark web, you find forums where people say ‘I’m attacking company X, Y, Z; this is what I’m doing, give me some advice; what have you seen?’ If you look at ransomware, it’s now actually software as a service on the dark web, with a profit sharing arrangement. The financial services sector has the level of sharing we need to get to in media. They analyse the information they receive and then share it out.”

As yet the media industry has not developed standard protocols for sharing threat intelligence. The largest companies represented among our experts operate across a number of industry verticals; for them the sharing of threat intelligence is standard practice. Such practice in the media industry will be the inevitable next step once the industry has established a common currency of security fundamentals.

Committed to Security

Such common currency is of course the purpose of the DPP’s Committed to Security Programme.

“For us the DPP Committed to Security Programme means quite a bit. We have some suppliers who come to us and say ‘I have one of the formal security accreditations so you can do business with me,’ and I say, ‘great, so what’s your scope, which controls apply to you, what’s your risk appetite?’ With the DPP coming to security best practice, a very nice baseline is established for what I want all my suppliers to attain. It makes it simple – around twenty requirements. It doesn’t need people to go into rooms with hoodies and capes! It’s just very simple and straightforward. After all, around 70 percent of attacks are thought to be because the basics haven’t been followed.”

The View from the Frontline

For all that the media industry might increase its awareness, establish clearer lines of responsibility and clarify best practice, the question remains: what is the ultimate purpose of trying to keep the industry secure? Are security breaches merely an annoyance – or potentially something far more serious? What is it ultimately that the industry is trying to prevent?

“Look at what is going on in the United States today. In trying to influence the US election the Russians did not necessarily want Trump or Clinton to win. What they said was: we have an objective to disrupt the democratic process; we are going to hack everybody; we’re going to do a massive data grab, and see what we have that helps us achieve our objective. So, similarly, could there be bigger objectives in attempting to destroy the media industry?”

It’s certainly the case that interference in media has caused many citizens to begin to doubt the reliability of even well established news outlets. There have already been instances where hackers have gained control of channels; and such an event happening on a major network in primetime could have a devastating impact on both that network and the reputation of the news media. But even an event such as a hijack of a channel might not represent the greatest threat. The greatest threat, and the reason why the media industry cannot view its security in isolation, comes from the very fact that media is now connected: connected media services could be a route to other connected services.

“Our biggest risk is that a nation state compromises our network to turn off the gas to millions of homes. We had an incident a few years ago which actually impacted the safety of an oil rig. It becomes crucial for us to design networks so that there is trust, shared threat intelligence and clear areas of demarcation.”

There is a two-stage process to achieving greater maturity around security in the media sector. The first stage is to accept that everyone is vulnerable, and that everyone has to play their part in keeping everyone else safe. This change in attitude is challenging for an industry that historically has been both highly siloed and highly competitive. But there is increasing acceptance among media companies that openness and collaboration with competitors is a smart way of doing business at a time of rapid change, constrained budgets, and high degrees of interdependence.

The second stage is to accept that the ubiquity of media means the boundaries between the media industry and other industries have been blurred. Cyber criminals don’t operate in neat industry verticals. They will look for the route of least resistance that gets them to their objective – and that objective could be far more profound than simply stealing a series, or taking a broadcaster off air.

“Audio visual content is now not merely a commodity; it’s a utility. It’s possible to imagine in the near future that a request to a voice interface for a particular piece of media could take out your whole house. Imagine if a virus had been introduced which meant certain voice requests took out millions and millions of homes. The very search mechanism for media could become an attack interface.”

“That’s the type of threat that drives cultural change. Getting people to accept a change in attitude towards security in the media industry will happen when it becomes intrinsic to national security.”
