Cyber security quotes: Lessons we can learn from the movies – Episode 1
After the popularity of our last post on whether cyber security is like a box of chocolates it was noted that there are other movie quotes – more closely related to security – that can be used as lessons or to make points about cyber security and why it is important.
You don’t have to choose from cyber security-based films like Swordfish, Enemy of the State, WarGames, Hackers or The Net. These are all excellent movies but are too easy and obvious to draw parallels from in a blog post on cyber security. We can find more interesting lessons in less IT centric movies.
In this first part of a two-part post we will look at the first batch of movies that have pointers to good cyber security hidden within them.
Cyber Security Quotes: Episode 1
Lots of films have coverage of thefts, cyber attacks, or break-ins of some sort. It is a common and frequently exploited plot mechanism.
How does the bad guy (or good guy) get hold of the information they need? They hack into something to get hold of it! Cue tense keyboard scene and “rapid typing.mp3” sound effect… But this is not the sum total of what the world of movies can offer us in lessons to learn around cyber security and network defence.
In fact, even quite old films provide coverage and exposure of risks that are perceived as quite modern threats. Threats that we are now only just beginning to think about addressing in the technology we are designing and building today. For example, who would have thought Benny Hill would be a pioneer of cyber attacks on smart cities as long ago as 1969?
Star Wars Episode 4: A New Hope (1977)
A long time ago, in a galaxy far, far away… the Empire suffered a data breach of the worst and most catastrophic kind possible.
At the very start of the original Star Wars movie (or the end of the newer “Star Wars: Rogue One” if you prefer) the Empire had designed, and almost finished building, the famous Death Star.
Then the designs for the battle station are stolen by the Rebels and loaded onto a droid (the equivalent of a USB memory stick, but with personality, in this context) that escapes with the stolen data.
It is arguable whether it is truly a cyber security incident or a more traditional physical security lapse; but either way we now know that sensitive IP and removable storage media don’t mix. Allowing sensitive data to be accessed in an unauthorised way – either physically or logically – is a problem.
Star Wars is littered with security failures – stolen Death Star plans are only the start. As one example, R2-D2 routinely accesses computer systems and physical access controls with the Empire equivalent of a USB cable, which highlights the need for physical security, controls on removable media, terminating accounts at the end of employment etc.
BEST QUOTE: “It’s an old code, Sir, but it checks out”
LESSON: If it is an old code it has either expired (in which case it doesn’t “check out”) or it’s a valid code in which case the age is largely irrelevant.
Superman III (1983)
This starts as an insider threat/heist movie – where Richard Pryor’s character (Gus Gorman) goes from being down-and-out to an employed computer programmer.
He is able to use his programming skills to syphon off tiny slices of money from multiple accounts, amounting to a huge sum. However, he then comes to the attention of Ross Webster (Robert Vaughn), the Webster Industries CEO, mainly because he turns up for work in a gleaming red Ferrari 308: a fairly obvious clue – a “behavioural anomaly”, if you like.
Webster enlists Gorman’s help for a suitably elaborate, megalomaniac crime spree, which is where the film’s hero comes in. There are missiles and kryptonite etc.
It is an early lesson about staff vetting, insider access, rogue developers and the need for monitoring system and user activity. Also, don’t let someone choose “Override all security” and have that actually work.
So, this is another (early) apocryphal tale about controls on privileged accounts, development practices and change controls.
BEST QUOTE: “Computers rule the world today. And the fellow that can fool the computers, can rule the world himself.”
LESSON: This is fine if the computers are under the control of the owner, not so great if a hacker has taken control of them.
Italian Job (1969)
For all the talk today about smart cities and the security vulnerabilities in industrial control systems, the 1969 film “The Italian Job”, a Michael Caine classic and British classic, got there first.
The gold bullion heist is audacious enough, but then the gang (famously) escape through the Turin traffic, which has been brought to a standstill by Professor Peach, played by Benny Hill. In the cyber attack, Peach introduces a computer program/tape into the traffic control systems that makes the lights cause gridlock across the city – so the gold convoy gets snarled up and can be robbed, leaving a single route for the getaway by the plucky gold thieves in their Mini Coopers.
BEST QUOTE: “You were only supposed to blow the bloody doors off.”
LESSON: This quote has nothing to do with cyber security per se – but it was impossible not to use. However, it is useful if you are doing physical security tests – it reiterates the importance of getting the scope right in any testing process.
Home Alone (1990)
With the childlike charms of Macaulay Culkin, Home Alone is a great example of someone taking a more innovative and active defence against intrusions, albeit in the physical domestic setting of a family home at Christmas.
Culkin’s character in the film uses several techniques that have parallels in computer network defence:
- Surveillance / intelligence on attackers
- Use of distractions (or honey pots) to slow down attack progress
- Obfuscation of information to conceal potential targets
- Automated responses (there are a wide range of booby traps in the film)
Culkin’s goal is to keep the bad guys out, especially when the attackers realise he is home alone. So this is a clear parallel to our objective in cyber security.
As a parable for the importance of creativity and ingenuity in security teams that are faced with determined and perhaps stronger adversaries, it makes some good points.
BEST QUOTE: “This is my house, I have to defend it.”
LESSON: Defending against an attacker who will try anything means thinking on your feet, planning, ingenuity and intelligence to avoid being overwhelmed; but it is possible – even if they do eventually get in – if you know who your friends are.
Top Gun (1986)
In the archetypal 80’s cold war movie about pilots at the Top Gun training school – and in between the flight sequences, the demise of Goose and the chemistry between Maverick and Charlie – there is a good example of the value of intelligence in dealing with attacks.
In the case of Top Gun, an encounter between the navy pilots and a brand new Russian MiG fighter prior to their arrival at the flight school means that Maverick (Tom Cruise) has specific intelligence on the flight characteristics of the new MiG. In the cyber security world we also see repeated exchanges of threat information or indicators of compromise relating to new attacks or vulnerabilities.
In both situations we see the challenges of sharing this information. In Top Gun, having blurted out the details Cruise’s character then tells his love interest, school instructor Charlie (Kelly McGillis), that the location is classified and if he told her he would have to kill her.
In cyber security we see a similar need for intelligence and attack sharing, but only in recent years has this been seen as more acceptable and mainstream. Prior to that there was an ethos of keeping security information “classified” lest it reveal vulnerabilities, aid attackers, put off customers or give ammunition to competitors.
See the UK government CiSP programme.
BEST QUOTE: “I feel the need, the need for speed.”
LESSON: In a separate exchange to the discussion about the MiG, the film provides good advice on the rapid detection and response to threats; whether in the traditional theatres of land/sea/air or the more recent “cyber” realm.
Cyber Security Quotes vs. Movie Quotes
There is no shortage of films where cyber security features, and many of these provide some useful lessons – but also commonly have a degree of hyperbole in them that often distracts those of us who work in security from the subtle nuances of the Hollywood plotlines.
Some become cult classics and are lauded for their semi-accurate portrayal of the way computer security works, but many more are scoffed at by those of us who know that “the firewall is holding” is nonsense.
Cast the net (sic) wider though and you can find lots and lots of movies where there are lessons about heists, protective strategies, small defenders overcoming larger attackers and various other plots that highlight valuable (or at the very least interesting) lessons.
There are some quandaries: often the person trying to get into the systems or to get the information is the good guy rather than the bad guy.
We all cheer when the Death Star gets blown up rather than rueing the fact that it had a single vulnerability that could be so damaging; and nobody complains at the bad example Cook County hospital sets in The Fugitive.
If you do happen to suffer a security breach it is unlikely anyone is going to make a movie out of it (unless you are the NSA) – but you never know. It is better to stay out of the limelight when it comes to cyber security breaches. Defend your network as much as possible, monitor closely and when a problem occurs detect it quickly and respond intelligently.
Look out for the second post in this series (register to receive updates!) and when that hits the screen you’ll be in the front row.