Date: 2017-10-31

Every episode of Mission Impossible starts the same way: a shadowy figure enters a seemingly nondescript location and retrieves a secret message beginning with the famous words, "your mission, should you choose to accept it...." A seemingly impossible task with high stakes and dire consequences inevitably follows.

A series of fantastical stories has come out of Hollywood of late, replete with shady characters, rogue nations, and ransom demands that, together, rival any of the most thrilling Mission Impossible plotlines. Yet these stories aren't from the pens of screenwriters, but rather from the keystrokes of journalists reporting on cyberattacks at major studios.

Hacking Hollywood

Long accustomed to the role of spinning tales about covert action, Hollywood has recently found itself a public target for cyberattacks. This year alone, hackers attacked HBO and Netflix, stealing unreleased episodes of Game of Thrones and Orange is the New Black and demanding ransom in exchange for silence. These assaults brought back memories of the hit on Sony Pictures, not only for their brazenness, but also for the attack vector.

Targeted by criminals and state-sanctioned actors, Hollywood has been blackmailed, extorted, and subjected to political retribution. Understanding why, and what comes next for the industry, is now the focus of chief executives and board members. To begin with, let’s turn to why.

Cause célèbre

Hollywood sells more than film and movies; it sells a world of celebrities. Private conversations, ransomed and leaked, provide superb fodder for a voyeuristic view into the inner workings and opinions of executives, producers, and celebrities themselves. The flair and sensation of celebrities adds greater motive to keep internal communications private.

Moreover, the time-sensitive content and multiple vendors involved in every collaboration expose the industry to ransomware. Unpatched servers, lack of security knowledge, and distributed systems all contributed to events like the Netflix hack.

The entertainment industry is a collaborative one, with cross-talk between Hollywood studios and multiple third-party vendors. Many are small businesses. A failure at one point can cause a breach affecting everyone associated in the collaboration.

Kompromat and extortion

Action movies set in exotic locales sell well. When these movies touch a sensitive regime, or put forward a narrative that runs counter to foreign politics, Hollywood becomes a target of foreign actors.

Hollywood is a politically important American institution, in the business of cultural expression with global reach. Cultural and artistic expression makes it an important target for regimes that feel slighted by their depiction. The asymmetric nature of cyberattacks gives hostile actors outsized power to strike against their targets.

So, who are the attackers?

Attribution

Attribution gets hyped up a lot in cyberattacks, but its usefulness is specific and limited. Simply put, knowing who attacked you may lead to nothing. Companies do not retaliate against foreign governments. State-sanctioned actors reside outside of the reach of U.S. law enforcement. Attribution, however, does inform us of the possible threat vectors a given industry faces.

Historically, Hollywood has faced two: ransom for monetary reasons, and punitive attacks to discredit and discourage. Both can be executed by criminals, hacktivists, and state-sponsored actors.

For monetary gain, for example, HBO and Netflix intellectual property was held for ransom. The pitch: pay us or have your shows leaked on the Internet. In that circumstance, the studios chose not to pay, although the actual targets of the attacks did. The downside risk was a loss of revenue and prestige.

Punitive attacks are more specific. Examples include the leaking of internal Sony communications, alongside threats of future attacks, to prevent the release of material considered disadvantageous by a foreign power. When companies risk being embarrassed by a foreign government for their work, freedom of expression diminishes.

Militarizing the Internet

Whether Hollywood studios are the targets of nation-state attacks, or of follow-on attacks based on methods revealed by them, the result is the same. Hollywood IT departments, like corporate IT departments everywhere, are struggling to defend themselves against these highly sophisticated attacks. The nation-state-funded development of cyber weapons is overwhelming the capabilities of the corporate-funded development of cyber walls. As Brad Arkin, Adobe's Head of Product Security, puts it, “the R&D of Cyber Attacks has moved from criminal organizations to Carrier Class Adversaries, those adversaries who are sophisticated enough to own aircraft carriers.”

Knowing the vector, Hollywood can protect itself from cybercrimes committed for politically compromising reasons by adopting communications methods designed to defeat Carrier Class actors.

Which brings us full circle to the world depicted in Mission Impossible.

The Digital Triad

In an age of overwhelming interconnectedness, any target connected to the Internet is vulnerable. Taking cues from Cold War-era submarine tactics, the Defense and Intelligence communities now focus instead on shadow engagements. They rely on subterfuge, concealment, disguise, and constant movement. The credo is "you can't hit what you can't find."

In this nuclear age of cyber warfare, cutting-edge civilian teams have begun taking the playbook of those Cold War fighters to cyberspace. They are concealing their networks and hiding their assets. They are spinning up and burning down whole networks at a moment's notice. They are encrypting every message, and trusting no one.

Target Hollywood

In this new age of cyberwarfare, the way Hollywood does business, with independent distributed teams working together on a project, can be either a tremendous advantage or a huge vulnerability. If studios continue to try to defend against attack with the conventional methods of static networks, defined perimeters, and trusted insiders, they are simply building a larger, more visible, and likely more porous target for criminals. If instead Hollywood adopts a distributed, dynamic nature, by building networks that constantly change, with assets disappearing and reappearing, teams segmented from each other and vital caches of data, Hollywood can drastically reduce the ability of hackers to attack, as well as the damage they can cause.

An impossible mission? Not for those who choose to accept it.

