Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
USA Network television show and 2016 Golden Globe Best Drama “Mr. Robot” chronicles cybersecurity engineer Elliot Alderson, portrayed by Rami Malek, as he and a hacker consortium, called fsociety, try to take down the fictional Evil Corp. “Mr. Robot,” written by Sam Esmail, uses cybersecurity advisers and writers with technical backgrounds to bring real-world incidents into the fictional universe.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Kor Adana writer and tech consultant for “Mr. Robot” on how television show writers highlight and expose cybersecurity issues in their programs and whether law enforcement should be able to access encrypted information on a mobile device.
Are the hacks and other cyberattacks carried out by your fictional Elliot Alderson actually achievable in real life?
From a technical perspective, everything you see Elliot—and the other members of fsociety—do on the show is achievable in the real world. Conceptually, if the hack isn’t feasible, it doesn’t make it into our scripts.
While we’re discussing ideas in the writers’ room, I do the research necessary to ensure the hack in question is possible in real life. When we get to production, I work with our props, set decoration, legal and video/animation departments in an effort to recreate the correct steps on screen.
From the software/hardware that’s used to the commands that Elliot types, I want every little detail to be perfect. The cyberattack carried out on Evil Corp in season one isn’t technically achievable because there isn’t a real conglomerate that is in control of 70 percent of the word’s consumer debt. However, if one were so inclined to take down a huge corporation the network infrastructure, the targets and the attack vectors would be similar to what we showcased in season one. There would probably be a U.S. datacenter with local diskless backups. There might be another datacenter overseas used for redundancy or disaster recovery. There would be backups made on tape media and sent to an off-site facility like Steel Mountain. By structuring Evil Corp’s network in a realistic way, it enabled us to plan and carry out real attacks on each of those targets.
How does the show handle controversial issues that reach the public consciousness, such as the Apple Inc.-FBI encryption battle (15 PVLR 419, 2/29/16), and do you try to teach the directors, producers and other writers about technical intricacies of thee issues?
We do our best to incorporate technical issues that potentially affect the public, but we prefer to do it in a subtle way.
Encryption is a major tool at fsociety’s disposal and it’s something they use as a weapon in an effort to cripple Evil Corp. We won’t have a character wax poetic about the usage of encryption, but through our characters’ actions, and the consequences of those actions, hopefully we provide enough context for a viewer to make an informed decision on it.
Our showrunner/creator, Sam Esmail, is pretty knowledgeable about the repercussions of these issues, so while we have the discussions, I wouldn’t say that need to do any “teaching” on the subject. We’ve had many discussions in the writers’ room where I do need to explain how some of the technology functions, though. I don’t think one can speak about the Apple-FBI encryption battle without understanding how device encryption works.
Have you reached any conclusions about whether companies should be required to include backdoors to allow government access to encrypted devices?
I think a backdoor/sidedoor allowing government access to encrypted devices would set a dangerous precedent. The message communicated to the public is one of trading a little privacy for more security, but there isn’t anything secure about giving the FBI a backdoor.
When people talk to me about this issue, they often bring up the following analogy, “The authorities are allowed to obtain a search warrant and break down the door to your house if they need to, so how is this backdoor for device encryption any different?” It’s an absurd analogy. You are allowed to invest as much time and money into securing your household, your belongings and your data as you see fit. The government isn’t provided with a master key for every single lock, safe, and vault that’s on the market. That’s a more apt analogy for what the FBI is asking for. Even with a search warrant, if you aren't there, the authorities need to find a way to break into your place. They need to find a way to break into your safe to access your belongings. Let the government find their own way in (which is what they eventually did).
Forcing Apple to give them a sidedoor just opens the floodgates to weaken encryption, all while creating a level of access whose sole use by the FBI would be impossible to ensure.
Should consumers rely on passcodes and PINS or other data security measures offered by companies or should they be considering other options?
I guess it depends on what you mean by “other options,” but consumers should use and set device passcodes insofar as mobile device encryption hinges on them. It’s also usually regarded as the “first line of defense.” Of course, if your passcodes are too short or too obvious, they won’t be much help. It’s also important to consider where you store your data and if/how it’s encrypted. People should also be mindful of cached passwords stored within apps on their phones. What services and accounts become automatically breached once someone bypasses the PIN on your phone?
Are there any examples from your time working as an enterprise network analyst that have made it into the show?
I touched on this a little in the first question, but the design of Evil Corp’s network, the usage of offsite tape storage and some of the corporate policies/procedures/lingo used in the show come directly from my experience in enterprise network security.
My past experience also came in handy while staging a sequence where Allsafe gets hacked in episode 8. Most television producers/directors preparing for that would try to create a scene where everyone is panicked and the computer screens have threatening, 3D imagery flying around. I was able to advise our team on how employees of a corporation would react to network failure, what would be on the screens, and how soon things would be up and running again.
With your background working for Toyota Motor Corp., what are your insights into connected cars' cybersecurity issues and what should car companies do to protect themselves from car hacks?
In episode 4, we show how easy it is to hack into a car’s ECU through the CANbus. Many automobile hacks require physical access to the car, but it’s possible to install trojans on some models that grant remote access to the vehicle.
The security of these digitally connected cars should be tested and regulated as seriously as the car’s safety features. Many hackers have demonstrated how easy it is to hack into a car’s infotainment system and in some cases, the infotainment system was linked to the car’s drive system, enabling the attacker to have complete control over the engine, steering, and brakes. As more and more devices get “connected” in our internet of things age, we should be wary of quickly adopting these products without the proper testing and hardening of these systems.
How did you get your start in cybersecurity and was it a seamless transition from an enterprise network security analyst to a drama series writer and tech expert?
When I was younger, I was a quick learner when it came to software and hardware. This resulted in me dabbling a bit into the world of hacking. I knew that I always wanted to be a writer/director, though. After I graduated high school, I wanted to study film at NYU. My dad didn’t believe in me pursing a degree in the arts and was worried that I wouldn’t be able to support myself. He insisted that I get a computing degree and I could do my writing and filmmaking on the side as a hobby. I reluctantly agreed and ended up easily landing an internship on a network security team at the Toyota Technical Center in Ann Arbor, Michigan.
That internship opened the door for my cyber security job at the Toyota Motor Sales headquarters in Torrance, CA. When that opportunity presented itself, the decision was a no-brainer. I could move myself to California, save up enough money to live comfortably without an income for a while, and eventually pursue writing full time. When I wasn’t at work, I was at home writing, or at a writing seminar, or reading books about the craft.
After five years, I made the jump and got an unpaid internship at a production company. My IT background proved to be a very valuable skill-set wherever I went. As an intern or an assistant, your job is to make your boss’s life easier and more efficient. With a deep understanding of e-mail systems, phones, and spreadsheets, I was able to make myself indispensable to anyone I worked for in the entertainment industry. The only challenge for me was networking. By nature, I’m an introvert, so I had to force myself to get out there and meet other people in the industry. When I finally met Sam and realized that he had created a show that I’d be perfect for, it clicked for me just how valuable my IT experience was. I was able to leverage it in a way that landed me my dream job.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)