To guard against cyber attacks, the industry needs to work together and adopt some common best practice, says Mark Harrison.
I’ve got a confession to make. I’ve never written a line of code in my life. Consequently I haven’t the faintest idea how hacking works. So on that basis I’m surely the last person who could come up with a cyber security presentation.
Not necessarily, because the typical cyber security presentation goes something like this:
There are more threats than ever. There are those who have been hacked, and those who don’t know they’ve been hacked. And your people are the weakest link. Cue some stories about password idiocy. Move on to conclude that security is very difficult, but we all have to try harder.
This may sound cynical, but that isn’t the intention. All the above is true, and needs saying. But its repetition sometimes feels as if it marks a more uncomfortable truth: as we look around at such conferences, the real threat sits between us.
“The media supply chain is as weak as its least secure company; but we are struggling to find a way to help each other become more secure” - Mark Harrison
In many ways this difficulty is hardly surprising. No one wants to admit to vulnerability in their processes or products.
Making operations or products more secure may not make them easier to work with. And, for all that it is now digital and connected, the media industry remains a peculiar mix of the highly technical and the highly personal: if media production was reduced to a set of automated, encrypted processes, creativity would be killed stone dead.
At a DPP event at IBC2016, BBC Chief Technology and Product Officer, Matthew Postgate, observed: “The good guys need to work together - because you can be sure the bad guys are.
“The banks have already learnt this lesson. It’s very important that suppliers and customers are clear and honest in sharing information. The best thing the BBC did was admit to ourselves and our supplier base where we really were on security. We all need to be explicit.”
Matthew Postgate’s comments resonated with the lead already taken by the North American Broadcasters Association (NABA).
They had drawn up a set of basic cyber security requirements for all suppliers working with broadcasters. The list was published at IBC 2016 in partnership with the DPP.
And a couple of months later, NABA brought the industry together in New York for a groundbreaking international cyber security symposium. That symposium surfaced the reality: that the media industry is now a prime target for increasingly sophisticated cyber attacks, but we lack a coordinated means of response. We need to find a way of getting the good guys together.
So earlier this year the DPP gathered subject matter experts in security from across its membership.
There was unanimous agreement that the industry needed to create some common best practice. At the request of its members, the DPP took the NABA/DPP Broadcaster Cyber Security Requirements for Suppliers, and turned it into a more formal checklist against which any supplier in the broadcast and distribution chain can check their own compliance.
The intention is to introduce this checklist into the UK in the first instance. It is hoped that with time the DPP can use its international reach to spread this approach beyond the UK, and that a community of like-minded broadcasters, distributors and suppliers can help cascade best practice in a way that is manageable and affordable.
What’s innovative about the Broadcaster Cyber Security Requirements document is that it isn’t a simple pass/fail. It is designed to enable suppliers to document their current activity around security – even if that means acknowledging areas where they have issues.
Those issues might even be created by their broadcaster customers! The intention is to acknowledge that vulnerabilities shift on a day-by-day basis, but demonstrate a commitment to security – one that shows it is front of mind, pro-active and ambitious for excellence. Ultimately no one can ask for more.
The DPP Broadcaster Cyber Security checklist builds on a similar one created for the production and post production community, which also enables them and their suppliers to self-assess against a number of key security criteria – while respecting the reality that the needs and challenges of every production vary.
At IBC2017 the first companies will be announcing their adoption of the DPP checklist approach.
And in a special session in the IBC conference I will be exploring this collaborative approach to security further, with colleagues from across the whole supply chain. And that’s the paradox of security: our expert colleagues who understand hacking can fight off the bad guys; but they’ll only be effective if we give them the means to work together.
Mark Harrison is the Managing Director of the Digital Production Partnership (DPP)
IBC2017: Mark will chair the conference session “Safety in numbers - collaborating against cyber attacks”, Friday 15 September