SUBSCRIBER+EXCLUSIVE ANALYSIS — While top cybersecurity officials sound the alarm over intrusions by Russia, China and individual hackers into U.S. critical infrastructure, they’ve noticed another problem: It's hard to get ordinary Americans to pay attention. With so many other things to worry about in terms of global news and information (not to mention disinformation), it's an understandable concern. And when it comes to cybersecurity, getting the public to listen isn’t just a public service; it’s a necessity. That's because a citizenry that ignores this particular problem will make fighting it that much harder.
With this in mind, a recent summit of the Cyber Initiatives Group (CIG) featured a session with a top U.S. cybersecurity expert and a Hollywood producer with a CIA background that explored a basic question: could the creative minds behind popular films and series help cybersecurity professionals get their message across? And might they do it in a way that would get more Americans to be smarter about their own technical devices?
It's hardly an idle question; officials have documented significant breaches of U.S. infrastructure that began because old routers and other devices hadn't been updated and upgraded, and offered easy prey for the hackers.
The good news? There may be many avenues for a Hollywood-government collaboration that would at least put a dent in the problem. Certainly there's no shortage of ideas - ways to integrate modern, realistic cyberthreats into the popular culture. In the CIG summit conversation, which was moderated by The Cipher Brief, Rodney Faraon, who has been a CIA China analyst and more recently Executive Producer of the NBC series State of Affairs, said, "Hollywood is such a driver of our national dialogue on issues and it reaches more people than any government reporter or testimony on the Hill."
THE CONTEXT
- The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal agencies following a breach of Microsoft attributed to the Russian hacking group Midnight Blizzard. The breach allowed the group to access source code and emails of Microsoft executives. Microsoft and CISA are collaborating to mitigate risks and provide guidance to government agencies that may have been affected.
- The North American Electric Reliability Corporation (NERC) said recently that U.S. power grids are increasingly vulnerable to cyberattacks, with weak points increasing by around 60 per day. NERC said geopolitical conflict and the upcoming U.S. elections are helping increase the profitability of attacks on U.S. power infrastructure.
- The Chinese-sponsored hacking group Volt Typhoon has breached several U.S. critical infrastructure systems for “at least five years” with the long-term goal of launching “destructive cyberattacks,” according to the NSA, CISA, and FBI. The Five Eyes intelligence partners have also published a white paper warning the business sector and critical infrastructure operators of the threat posed by Volt Typhoon.
- Russia has accelerated disinformation efforts to undermine support of Ukraine and influence the upcoming U.S. presidential election.
THE BRIEFING
The Cipher Brief tapped experts to discuss the best way to bring attention to the today's most pressing cyber threats.
This excerpt of the full briefing has been edited for length and clarity.
The Cipher Brief: How do we bring up some of these threats, especially when it’s things like critical infrastructure, and where are there some strengths, ways we may have seen this done in the past that we may want to dig back up?
Col. Frost: I watched this show on Netflix, Leave the World Behind, and I kept putting it on social media, telling everyone I could: This is what electronic warfare could look like. This is what happens when information operations are conducted, all these different types of activities. And the best part is all of the things are true. These things have actually happened, whether it's hacking into a vehicle, looking at precision navigation and timing. It just wasn't a really widely watched movie.
I thought, so let's make a blockbuster like that with the actual threats that we're facing right now, specifically from China.
Faraon: I think Hollywood is such a driver of our national dialogue on issues and it reaches more people than any government reporter or testimony on the Hill. So I think it's essential, really, if we want to create this culture of counterintelligence or culture of information security, then we have to actually be part of the popular culture, right? 330 million Americans, let's go - how do we hit each and every one of them and how do we persuade them that this is the way to do it, and how do we show them?
One of the things we could think about is we need to reach the audience where it's at. And going beyond Hollywood, with all the TikTok discussion, it means reaching influencers.
So let me give you an example. I was part of a panel discussion at Spyscape in New York last year, and as part of that, they asked me to be interviewed by Maria Comstock, who's an Instagram TikTok person with a million followers. No one from the intelligence community. She just graduated from Berkeley. So she's hitting that young audience. Well, the other day I was at my daughter's volleyball practice and one of the other moms came to me and said, "You were in the CIA, I saw you on TikTok talking about all these things." And I thought, this person would never have known who I was unless I was part of this national phenomenon. So that's one thing. The other thing is that we need to have content across platforms. It's not just blockbuster movies, it's everyday shows, whether it's a soap opera, a TV show about intelligence or Friends, something in there should address the issue of information assurance and cybersecurity.
And finally, we have to do this in an authentic way. There's no better, more skeptical audience than an American audience that thinks whether or not something's right or not. Obviously, that's arguable given today's political environment, but I've seen so many things get knocked out of the popular discussion because it's just not real. No one would ever do that. And so we need to make sure that whatever we do is something that is believable by the people that we want to reach.
I think one good way of doing this is not trying to make a show or a big project, but actually send out teams of briefers to Hollywood and other places where they do writing and offer free seminars on these kinds of things. What does it look like? I'm being asked that all the time. I'm sure some of my former CIA colleagues are being asked all the time, “Can you talk to this screenwriter to try to make this a little more authentic than it already is?” Pushing our people out there and talking in a room with the writers so that the next time, no matter what project these writers are working on today or in the future, this will be something in the back of their minds that they might want to incorporate into what they're doing.
Looking for a way to get ahead of the week in cyber and tech? Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead. Sign up today.
Col. Frost: I did want to talk to Rodney about the impact and influence of China itself, and how can we best get around that, so people aren't afraid to say something to really negate their entire career. I mean, they don't want to throw it away because they posted something against China. And how do we work to combat that?
Faraon: China has a big influence on our industry because the industry wants to sell tickets to movies in China. But I think that Beijing, especially under Xi Jinping, has been very careful about doling out those privileges to American movie and television studios. And that's the main reason why it's very hard to get something cleared by the suits up in Paramount or Netflix that has anything to do with China being a potential adversary. For example, we actually had a script done for a pilot television show about intelligence services and their liaison work, and we had an incident that forced the Indians, the Chinese, the Russians, the Americans and the British to all come together and tackle a common enemy. And I wanted this film to show that, Look, if the Chinese do things one way, and if we do some things in another way, we can actually do great things for the world together.
When we talked to Jackie Chan about partnering with us as executive producer, he read the script and said No, this will never work. I'm like, why? We have Chinese heroes in here. He says, No, because your incident shows a vulnerability in China that they cannot abide by. So these are the issues that you've got.
The Cipher Brief: Have you seen any tactic where you kind of sidestep and create a faux China in this type of environment?
Faraon: There are a couple ways to do that. One is just like in the film, Mile 22 — put out by STX, Mark Wahlberg, Lauren Cohan — they just basically made up all the countries. It could have been Far-Off-a-stan, or Whatever-stan. They just made up the name of a country and they did it that way. Another case, Blackhat, which was a Chris Hemsworth film directed by Michael Mann, we helped a little bit on that. This was one of those films where the Chinese were actually cooperating with the Americans and the adversary in this case was a third-party criminal element, like Mr. Robot — an underground information terrorist society that is threatening nation states as well as individuals. So those are a couple of ways of doing it.
Col. Frost: It's not too hard now to revitalize some of those 1980s movies to look at Russia again. But it would be very insightful, if we go back, to go back to the impacts of some of the real danger that Russia has implanted not only in our critical infrastructure, but just the personal stories that they've had targeting young kids. I think this is an area where we've had FBI alerts come out that have spoken to the fact that in the past they had targeted young girls, but now young boys, too. And to talk to how they're targeting your children, keeping your family safe, things like that. There are plenty of superhero moms out there - and wouldn't it be great to show someone in the cyber field that's not only protecting her country, but also her family writ large in this space. And I think that's something that people would understand.
And then we can tagline a message: Add on that multi-factor authentication. Go in there and do these things that you don't think are that important. When it says "update now," you really should update. Those kinds of things. I know we get it all the time, just ad nauseam. We might understand "Patch Tuesday," but for the majority of Americans, they just don't think about this because it's not front of mind for them. So it would be great to bring Russia and some of those horrific actors that are out there to the public eye, to stop them.
Today’s constant barrage of information makes it easy for countries to wage disinformation campaigns and your emotions are the weapon of choice. Learn how disinformation works and how we can fight it in this short video. This is one link you can feel good about sharing.
The Cipher Brief: The lessons hat we're getting right now out of Ukraine, any feedback on something that might go in that direction?
Faraon: I think there is a narrative. There are lots of ways to bring that story home. But I think it should start with the Ukrainians and not the Americans. Their cyber experts are really good, and there's a story I heard about some Ukrainian coders who are working for an American company. They were cheaper and then the war started. So what happens after that? And how do the Americans support their friends who are in Ukraine, who are fighting? How do these Ukrainian coders now pivot from doing something commercial into something having to do with a war? And obviously the Russians, as we saw in Georgia and other places, they use cyberattacks as part of a warfare domain. So that's probably one way of doing it. I'm sure there are a million ways to skin this cat.
Col. Frost: I mean, wouldn't it be great to look at - even pre Russia - the declassification of some of the intel that came out of the White House and what Russia was trying to use as their narrative to kick the war off? It would be fascinating to see from - obviously a made-up version - the Russian perspective of what they were trying to plant. It would be very interesting to start to see the downflow of that, and how our country goes in and tries to assist other nations as they're being targeted by these huge nation-state actors. I think that is a very creative way to show the work that we do, whether it's at Homeland Security or in the Defense Department.
The Cipher Brief: What kind of timelines do you see on these kind of things? Are we looking to help educate writers today for a project that may come out in a year, or does it move a lot faster than that?
Faraon: Feature films can take a year to get out there. So the script that we have that's sitting dormant about Russia and Ukraine, we've had it for six years. Actually, we wrote it before the war started, so now it's relevant. Now I'm trying to claw it back from the producer who paid for it, so that we can start pitching it again. But television shows, developing State of Affairs took us about a year.
I think that if you went in with briefers and talked to writers, particularly television writers who have to come up with content every week, that's going to be a lot faster. I wouldn't limit the audiences to those types of writers, but they might put something in as early as next week if it's possible.
The Cipher Brief: On the influencer point, who are the gatekeepers and where are the open doors in these types of conversations?
Faraon: The CIA has have been doing a good job of going out to the Comic-Cons that are in the area. And so there's always going to be people who are curious there, including influencers who want to do more about that phenomenon.
Col. Frost: I do find the fact of getting influencers that understand that our information environment is heavily swayed sometimes by disinformation and misinformation, that would be great to have that as a starting point. I've got to give it to the National Park Service, their X account - what used to be their Twitter account - is hilarious. They actually have someone behind it that's humorous. So things like that that are just daily snapshots in time. CISA has done a really great job at trying to do a lot of public outreach to bring these things to the forefront. And it would be great to see smaller efforts, not to have to go all the way up to the Department of State to have some kind of external messaging. That would be really helpful.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief