As events last year demonstrated, cybersecurity in the media and entertainment industry is of very real concern. As the world gets ever more connected and still more vulnerabilities open up, how can broadcasters and suppliers work together to prepare for and combat threats?
On 27 June 2017, the NotPetya computer malware exploded round the world targeting computers running Microsoft Windows. Unlike previous ransomware viruses, its backend mechanisms to collect bitcoins from infected sites were rather malformed and seemed almost incidental, leaving experts to conclude that it was not built to extort money but simply to infect systems and cause the maximum amount of damage possible.
Whether the computers it took out globally were simply collateral damage in a cyber war between Russia and the Ukraine, as many suspect, is not confirmed. But it does illustrate the complexity of the modern threat landscape for broadcasters.
Robert Silvers, Partner, Litigation, Paul Hastings LLP, says: “The threat to broadcasters is blended with the whole phenomenon of information warfare right now, whether it’s Russian actors sowing discord, Islamic State making political points, or just teenage hackers trying to have fun. Either way, targeting broadcasters is a quick way of reaching a large number of people. If you can hijack that platform to show your own content you can score a notable propaganda win.”
Silvers points out that the cybersecurity problem broadcasters face is twofold. Adding to their justifiable worries about content extortion — Game of Thrones and Orange is the New Black were both high-profile casualties in 2017 — they also have to contend with the sort of malware attacks and business email compromise phishing scams that are part and parcel of everyday corporate life.
The latter in particular, where a fraudster ‘hijacks’ a legitimate business invoice and inserts fake wire information, might not be as headline grabbing as leaked episodes of mega-series, but nevertheless it is a huge problem in 2018.
“I was talking with the FBI senior official that oversees all business wire fraud investigations, and he estimates that in the US alone this year $9bn will be lost,” says Silvers.
The problem is that the threat level is changing all the time. In much the same way the attack surface is changing too, as broadcast and IT technologies collide. The fact that there have been no major, global-scale incidents for almost a year is not making anyone feel any more secure. If, as many suggest, the spike in cryptocurrency values that happened at the tail end of last year drew cybercriminal attention away from other industries, its subsequent crash — Bitcoin, as at the end of June 2018, is a third of the value of its December 2017 price — may well see it return again.
In February this year, the World Broadcasting Unions organisation released its WBU Cyber Security Recommendations for Media Vendors’ Systems, Software and Services. Building on work undertaken in the main by the EBU and NABA, it delivers a series of recommendations aimed at media companies and vendors that it divides into the categories of ‘critical’, ‘important’, and ‘best practice’.
Much of the work that resides under the ‘critical’ category involves updates and communications and is there to ensure that vulnerabilities are noticed and acted on swiftly. Multi-factor authentication must be supported for all internet-facing devices; encrypted network protocols (https, ftps, sftp) as well as certificates and PKI usage must be supported; the media vendor’s software, system and services must provide the capability to decouple the operating system from the software itself, to allow for the separate patching of both OS and runtime environments… The list goes on but can probably be summed up with recommendation 6.1: “There shall be no direct connection of control components with the internet’.
The internet is, of course, where the fracture lines were first drawn.
Adde Granberg, CTO at Sveriges Television (SVT) says: “With us it started with LiveU, which was the first transmission for us that used the internet or mobile to get files into the system. Before that we had a totally controlled system with satellite connections and so on. But this is not how things are now.”
Indeed, Granberg says that the most recent cyber intrusion SVT had to deal with came after login credentials were entered at an airport.
“The main risk is the employees,” he says. “We are in the business that everything should be very fast and very quick, and the journalists are doing everything to get the material though. They will hook up to WiFi, hook up to an AirPort, hook up to whatever they can to get the material through.
“If Sweden scores a fantastic goal in the World Cup you want to report on it: you don’t care about IT security while you’re doing that.”
So, when it comes to assessing the best practice in broadcasters addressing cybersecurity questions, education and training is undeniably one of the key factors. Granberg mentions common sense a lot. “As a CTO I need to make good, workable technologies to handle security,” he says. “It has to be user-friendly. We need common sense on the part of the production crew and the journalists. And the third thing we need is to balance risk with budget: to do that in a way that is respectful to the company and, where appropriate, the people that are paying the licence fee.”
Buy-in is important though not only at the employee level; it also has to extend all the way to the top of the company. Happily, an unintended consequence of the GDPR rollout has been to ensure that issues surrounding digital governance have been front and centre at board level for several years now. And 2017’s perfect and very visible storm of cybercrime only helped to concentrate matters further.
‘If Sweden scores a fantastic goal in the World Cup you want to report on it: you don’t care about IT security while you’re doing that’ – Adde Granberg, SVT
Spy vs spy
Page one of the best practice manual pretty much says ‘appoint a Chief Information Security Officer’. A CISO can still face battles though.
“CISOs are in a position where they are a cost centre,” says Silvers. “They don’t drive profit, they drive cost, and they’re in the unenviable position sometimes of restricting usage or ways of doing business that can be inconvenient. So it’s critical that they and the management of the company are on the same page so that they feel empowered to act. Best practise it to have regular meetings with senior management.”
The education at this level needs to work both ways though. Directors need to understand the arguments, CISOs in some cases need to ramp their communication skills: both sides working on ensuring the conversation is informed and productive.
The key takeaway though is that this is a very dynamic situation. Silvers talks about an AI arms war about to break out, with both offensive and defensive capabilities boosted significantly as key tasks get automated and can be put through an iterative process at machine intelligence speeds. Plus, the Internet of Things opens up whole new attack surfaces and boasts what he refers to as ‘jaw-dropping’ privacy and security implications.
“There is no silver bullet solution and anyone who tells you that there is, is trying to sell you something,” he says. “It’s about building from the bottom up a robust organisation-wide information security programme. [One] that does everything from having policies around access control and making sure that the right people internally have access to certain types of sensitive information, to making sure you have the right monitoring capabilities over your tech infrastructure so that if threats are there they can be detected. It’s about having the human capabilities to match up to the technology too. You see companies that have the alert but have no human capability to chase it down and act on it. It’s about matching up the right mix of people, processes, and technology.”
And in that, despite being one of the newest challenges faced by the broadcast industry, there is almost something that feels familiar.
Read more How to guard against cyber attacks