Why CSI: Cyber Matters

CSI: Cyber is getting beat-up by the information security community and at first we went along for the ride.  You have to admit it is fun to play cyber bingo, live tweet during the show, or critique the technical inconsistencies, but there is something more here, something very important.  The security community has long fought an uphill and losing battle to recruit new talent and educate users about the risks of information security.  CSI: Cyber offers the potential to do just that, and on a massive scale.  It also has the potential to spread Fear, Uncertainty and Doubt (FUD) and scare the masses, and our lawmakers, into reactions that would be counterproductive.

 

CSI: Cyber offers the infosec community a tremendous opportunity to raise public awareness, educate, and inspire the next generation of information security professionals.

 

If you use number of Twitter followers as a rough metric for influence, the leading minds of the information security community average between two thousand and ten thousand followers, a few outliers approach about forty thousand.  As a point of comparison, guess how many Twitter followers CSI: Cyber cast member Shad Moss has… more than three million.  That’s right, Shad Moss (AKA rapper Bow Wow) and his reformed black hat hacker character, has more followers than the entire top one thousand information security professionals, and Shad Moss is just one cast member.

Children all over the country have been inspired to be law enforcement agents by shows like Criminal Minds, NCIS, Bones, and CSI.  Summer camps have sprung up catering to those seeking to learn more, even if the reality is a little more pedestrian than the hipper depictions on the screen.  I’m confident that the country won’t face a shortage of crime scene lab techs and associated law enforcement agents any time soon.

With this type of influence comes responsibility.  Fear, Uncertainty, and Doubt, long the enemy of the infosec community makes for good television.  No movie or television program is immune.  We all remember the “fire sale” antics of Live Free or Die Hard.  The trick then is to walk the fine line between technically grounded reality and compelling FUD-laced entertainment.

We shouldn’t forget either that many in the information community today were inspired by War Games.  Imagine if the infosec professionals of 1983 could have live tweeted during the movie.  I’m sure they would have had a coronary.  Get off my lawn, there is no way a teenage hacker could have broken into a DoD computer and started a nuclear crisis.  As a teenager, we found War Games compelling, even if we didn’t know what we didn’t know.  Today War Games and WOPR are enshrined in our lore.

 

csi_tweet

CSI: Cyber’s Hayley Kiyoko reminds her 200,000+ Twitter followers to secure their wifi.

 

Done correctly, shows like CSI: Cyber can both educate the populace and inspire the next generation of information security professionals.  Even if the reality isn’t quite as easy as what might appear on the screen, these shows can help raise the bar on what young people aspire to be.  They may even inspire people to lock down their wifi.

When thinking about CSI: Cyber, it may be useful to compare it against House. House ran for eight seasons, racking up 51 awards (including two Golden Globes) and 112 nominations. The show employed a prominent physician (Lisa Sanders, author of the column “Diagnosis” from New York Times Magazine) as an advisor and importantly, according to Dr. Sanders, “three different doctors… check everything we do.” This level of medical realism provided a rich backdrop for stories that ultimately revolved around very real, complex human characters.

CSI: Cyber offers an opportunity for partnership between the infosec community and Hollywood.  We can help make the show better culturally and technically, while the actors and the production team ply their craft.  There are many talented infosec professionals, I’m sure some would be willing to help.  Enabling CSI: Cyber and similar efforts represents a win for both sides.  Perhaps even a few of our favorite hackers could get cameo appearances, if not in person, at least their code or some of their music.

We’d like to add that the idea of working with Hollywood to help educate the public on information security is not new, we first heard it suggested as a potential strategy in 2009 by Melissa Hathaway who had just led a 60-day national-level cyber security review.  At the time the idea was a valuable insight and we believe this even more today.

With CSI: Cyber the information security community has a rare opportunity, where our discipline is at the forefront of national attention.  Despite its flaws when viewed through the eyes of an information security expert, CSI: Cyber is a serious, professional grade effort addressing critical information security issues in front of a global audience.  There is no doubt that the recent Sony wake-up call has gotten the media industry’s attention.  Ultimately, the final answer may not be CSI:  Cyber, but we as a community of researchers and practitioners should learn to partner with those producing movies and television.

This article examined how we could use the current focus of a television show like CSI: Cyber and the momentum behind it to help people care about information security, consider pursuing a career in security, and work towards a more secure Internet.  By figuring out how to reinforce and inform the work of the media industry we all benefit.  Yes, the shows must entertain to succeed and with that comes the risk of FUD, but it can also inspire and intelligently educate.  Properly done, we shouldn’t be jeering at CSI: Cyber and its kin, we should be cheering them on.

 

About the Authors

contiGregory Conti is an Associate Professor and Director of the Army Cyber Institute at West Point. He is the author of two books as well as over 60 articles and papers covering online privacy, usable security, cyber conflict, and security data visualization. He has spoken at numerous security conferences, including Black Hat, DEF CON, CyCon, HOPE, Interz0ne, ShmooCon, and RSA. His work can be found at www.gregconti.com and @cyberbgone

 

maymiFernando Maymi is an Assistant Professor and Deputy Director of the Army Cyber Institute at West Point. He has taught 18 different undergraduate courses in Computer Science and Information Technology. He has also taught several hacking seminars to high school and undergraduate students, as well as professional security certification prep courses.

 

 

The views expressed in this article are those of the authors and do not reflect the official policy or position of West Point, the Department of the Army, the Department of Defense, or the US Government.

10 Comments

  1. A lot of these comments are speaking as if you’re looking out for the regular user. When in fact the comments are belittling the common user. The idea that you are able to recognize the FUD but the common user wont be able to tell because they are too stupid. Now with the internet, google and wikipedia more users are more knowledgable than you might think. The reality is also, like it or not, that if a show was made to be realistic I doubt it would make it past the first season because very little if anyone would watch it. So what is the alternative then? not to even bother trying that is what I’m reading from the tone of the responses I’ve seen. I’m in the IT field and I had never heard of juicejacking before I watched an episode. After I watched the episode I looked it up and found out all about it. I sent the information to my corporate users who travel and would be suceptible to it. Although there were no cases in the wild that I had heard about I wasn’t waiting for it to happen before warning users. I do think there is information that can be taken away from the show. I don’t think it’s an all or nothing scenario where if all users aren’t able to get useful information it’s not worth it.

    Reply
  2. The main character (the blond lady) sucks. … great idea for a show, supporting actor’s and actresses are okay so far but she has to improve ASAP or she has to Go !!!!

    A true fan of television, John Wilder 🙂

    Reply
  3. I only watch it for Hayley.
    #lemonademouth

    Reply
  4. This article has generated important debate, which was its purpose, and we’ve received a great deal of excellent feedback. In particular, we have had some interesting sidebar discussions on the 1000:1 ratio of infosec experts to CSI: Cyber star Shad Moss. Of course, there is no canonical list of the top 1000, so we used sampling to generate a rough estimate. This number was a back of the envelope calculation that took into account a relatively small number of very well known experts @ 40K each and estimated 25 of these, that’s 1M. Then we looked up people who we considered to be high end folks and saw numbers ranging from 2K to 10K. Say 100 of these, that’s another 1M. Assume 875 experts @ 1000 followers and you are approaching parity with Shad Moss. Some argued, with justification, that the 1000:1 ratio should be lower, perhaps much lower. Attempting to do an estimate such as this depends a great deal on underlying assumptions. Does one count high end researchers who don’t use Twitter at all? Do we chose lesser known or younger, but still technically top-tier experts? Do you include academics, practitioners, and students? What about those that work inside classified labs? Are infosec professionals’ Twitter followers largely an echo chamber composed of other infosec professionals? Should you include the press which covers the infosec community? What about national vs. international experts? Importantly, as this notional list gets smaller, it becomes increasingly more selective. Is there a correlation between number of followers and a professional’s placement on the list? How one answers these questions sets up the foundation to widely varying results. Using the intent and technique of our initial back of the envelope approach, a revised number is probably more like 100:1, maybe lower, but the ultimate point being that Shad Moss and the other stars of CSI: Cyber have tremendous influence. Exploring the above questions with scientific rigor would make for an excellent research project and security conference talk unto itself. In the meantime, we’d like to suggest rather than the 1000:1 ratio, considering the following alternative suggested by a reader, “Even the most famous reformed hackers have only 5% of the followers that a fictitious reformed hacker has.”

    Reply
  5. No. While there are an occasional useful lesson, the shows uses toxic tropes that are detrimental to infosec, such as describing firewalls as a magic pill that will keep everyone out, or that hackers use “sophisticated” means to break in. The reality is that hackers are horribly unsophisticated, even in big hacks like Sony, and that what keeps them out is defenders doing the basics, not deploying magic pills. Every show spreads fear, from the opening sequence “it can happen to you”, to a moral soliloquy from the boss about how evil/dangerous something is (social media, Uber, baby monitors, etc.).

    Lessons for decision makers come from pointing out the fallacies in the show, and mocking it, not from pretending that it’s “good” or “real” infosec.

    Reply
    • Thanks Rob. Very good points. I’ve always felt that, beyond pointing out fallacies in such shows by experts, _identifying_ fallacies can be a useful test for decision makers. For example, pull 10-20 examples from TV, some realistic, some techno-babble, and then ask the audience to identify the truth from the fiction.

      Reply
      • Wow, what an awesome idea. I’m going to have to put together a preso that does just that.

  6. No. This is entirely wrong, in every way. This show could be everything you say it is AND get the infosec correct. Instead its absolutely useless for teaching people anything about computer/info security. It is in fact detrimental, it teaches people that certain things are possible when in reality they are impossible.

    How about we teach the general public that being a super hero with a cape is actually similar to reality and its what being a cop is? It’s the same thing.

    Reply
    • Dude… your right but ” as the show is”, it has some educational value for the layman.
      J.w.

      Reply
      • Educational value for the layman?
        The layman won’t be able to distinguish between what’s actually “valuable information” and what’s just made up FUD to scaremonger people.

        And because there’s a lot of FUD and barely any “valuable information” people get the completely wrong ideas while watching this.

Submit a Comment

Your email address will not be published. Required fields are marked *