Probably everybody with a background in computer science has already seen a hollywood blockbuster or read a critically acclaimed book which alluded IT-security. It is a popular topic which allows to play with the expectations and fears of the audience. Government agencies are hacked within seconds, security failures happen everywhere, destructive malware infects machines on a global scale and nobody is safe if you are a master hacker. At least this is the general picture that different authors paint in their scenarios.
If you are a bit familiar with the context of computer science and IT-security you often find yourself smiling at these mostly catastrophic stories and the lacking background knowledge of the people in charge. Of course this is not exclusively a problem of IT-security, the same probably goes for archeologists that watch Jurassic Park. In the context of the module IT-Security we wanted to pursue our enthusiasm for fiction and investigate if there actually are authors that get the details right and might even portrayed a scenario which happened in reality.
As we are highly competent graduate students and have a somewhat scientific claim, we had two initial guiding questions for our research which we wanted to examine in reference to different books and movies.
1) How similar are fiction and reality regarding IT-Security?
2) Can fiction raise awareness regarding IT-Security?
We looked at the concrete IT-security threat described in the book or movie and discussed whether we think it was realistic and if so, if there was a similar scenario in reality. We also evaluated questions that ensued from the scenario.
After going through every scenario we noticed certain topics that repeatedly came up, which lead us to believe that these topic currently need most evaluation in society in general. The central topics we identified in fiction are: Surveillance, Hacktivism and Cyberwar. Surveillance is a widely discussed topic since whistleblower Edward Snowden uncovered the mode of operation of the NSA. The topic of Hacktivism is about a single person or a group of highly skilled hackers using their skills for good or bad. And fiction in the area of Cyberwar describes cyber attacks initiated by terrorists or governments, which target critical infrastructure, for example power plants. These attacks lead to the collapse of cities, regions or whole countries. In the following we will present the scenarios we looked at and sum up our results.
Evaluation
For the area of Surveillance we evaluated the books ZERO by Marc Elsberg from 2014 and Digital Fortress by Dan Brown, which was published in 1996. ZERO follows a journalist as she uncovers the truth behind a malicious social network that promises its users a better life in exchange for all their data. In Digital Fortress the NSA that usually has it’s eyes on everyone else’s secrets, is attacked itself by an algorithm that threatens to reveal their critical observation results to hackers all around the world.
In our opinion the scenarios presented in these books are very realistic as the NSA-affair and Wikileaks show. Also services like Facebook, Google and Amazon track, analyse and profile their users on a daily basis in order to monetize their information through advertisements. With the future adoption of technologies like smart glasses, smart wearables and ubiquitous computing the privacy of data will become an even bigger concern.
As an example for the topic of Hacktivism in fiction we examined the movie Who am I by Baran bo Odar from 2014. It follows a group of hackers in Germany which seek recognition by the public and compete with other hackers. Although the movie exaggerates with a few stereotypes regarding the lonely and socially awkward hacker, it gets the gist right when it comes to organised groups who pursue illegal activities in the internet just because they can. Hacktivism is a global phenomenon as the collective Anonymous or other groups show. They attack governments or organisations which, as they see it, violate their morals and they seek attention from the public. Another example would be the Arab Spring, where individuals formed a huge community and started protests all organised through social networking services.
As to the topic of Cyberwar, we looked at War Games from John Bradham (1983), Hackers by Ian Softly (1995), Blackout by Marc Elsberg (2013), #pwned by Holger Junker (2015) and Cyber Storm by Matthew Maher (2013).All these books have in common that the critical infrastructure of companies or states is targeted by individuals, hacker groups or other governments. They emphasize the dependence of modern society to technology and show how vulnerable we really are, especially when it comes to the security of Supervisory Control and Data Acquisition (SCADA) Systems. These scenarios seem exaggerated, but during our research we found similar real incidents of governments or groups using technology as a modern way of warfare. The Iranian nuclear program was sabotaged by a malware called Stuxnet in 2010, which caused turbines to spin out of control. Experts assume Stuxnet was created by American and Israeli specialists, although neither governments have confirmed this openly. Big banks and companies are attacked daily. In 2015 there was an attack on the power grid of the western Ukraine, which led to power outages. It would be naive to believe that governmental defense experts have not evaluated and played through how to digitally attack certain countries. So in our opinion these scenarios hit very close to home and in the future cyber warfare will become even more unexceptional.
Conclusion
After reading through all these stories and comparing them to the reality, we got the same feeling we had after every Secure Systems lecture in this semester: Nothing is safe, the future is dark, everything will be compromised. This of course is an instrument of authors to tell thrilling stories. Most of the described scenarios, especially the ones in regards to the topic of cyber warfare, were quite realistic. Of course not every author gets the details or even the general concepts right – looking at you CSI:Cyber. But the ones that actually have done their research and describe potentially real scenarios serve an important purpose.
This unpleasantness may be exactly the right thing to cultivate an understanding for IT-Security not only amongst a technically accomplished audience but also average society. For example, students of the University of Washington who participated in an IT-Security lecture usually were taught about all the common security scenarios and how to counter attacks. The lecturers had the impression their students would benefit from a broader societal approach, so every student had to pick a technology and write a short story describing the best and worst scenarios they could imagine regarding their technology. It was considered a fun and creative task by the students, which actually helped to put IT-Security in a more general context. This is something we would love to see in our own Secure Systems module, as we believe both students and the associate professor would greatly profit from telling their own stories in the context of IT-Security.
And maybe we should stop believing the government, the secret services and critical infrastructure companies when they tell us that there is nothing to be afraid of. Instead we should start asking questions, as the writers and directors did, such as:
- Who supervises the supervisors?
- Is national security really more important than the protection of privacy?
- How far do we trust those who have the informations about us and our lives?
- How do the warfare and criminalism of the future look like?
- How can we protect ourselves and protest against cyber attacks?
- How much do we rely on our infrastructure? And how do we react if the situation escalates and the basic needs are no longer satisfied?
- Can machines really make decisions better than us, even though a mistake can lead to terrible consequences?
Blogpost by Merle Hiort (mh266) and Jörg Einfeldt (je051)
Leave a Reply
You must be logged in to post a comment.