Why Hollywood movies about hackers make this cybersecurity veteran cringe
Veteran cybersecurity professional and published author Greg Scott believes that fiction helps us understand the real world. However, Hollywood fiction about hackers is so far from reality that it makes Scott cringe.
Greg Scott is a published author, and he calls his first novel, Bullseye Breach, an educational book disguised as fiction. Cybersecurity books are good medicine for insomnia, he laughs. Having recently published his second novel, Virus Bomb, he promises he will not stop writing fiction just yet.
Scott believes fiction helps us understand the world around us - it keeps us engaged while it also helps us learn something. He hopes some talented Hollywood scriptwriter will notice his fiction one day, because for now, the way Hollywood pictures hackers and any IT-related issue just makes this cybersecurity veteran cringe.
But don’t worry - if (when) Hollywood starts picturing the cyber world more accurately, the drama will still be there as there’s plenty of tension and emotions in real-life cyberattacks, too.
We virtually sat down with Scott to discuss his take on fiction and current events.
You claim that fiction helps us understand real life better. How and why?
I spent 20 years on my own, and a lot of that was building firewalls. Go and try to convince a business owner that firewalls are good and tell them why they are good, and their eyes glaze over. And then you start talking about security and all the threats we face over the internet, and their eyes glaze over even more.
Even now, it's abstract. It's like stuff on a computer, and it's not real; nobody is physically doing anything to me. People don't get it.
I talked to a dentist one time. He had an office full of Windows XP systems, and one of those systems was a server stuck in an unused cubicle, and that system was in such bad shape he had to call the brother of his receptionist every morning at 9 o'clock to turn this thing on. It had all of his patients' X-rays inside. He couldn't look at them unless his system worked - this barely functioning Windows XP system. I said, what are you going to do if that system dies? His answer was - I don't need computers to do dentistry. Why do you have these things, then? Just turn them off. He couldn't do that.
That is the mentality out there.
So it occurred to me that maybe I could write a story. When you read the security study books, they are a great cure for insomnia. They are thick and really dry. I noticed every time they put in a paragraph or two with a personal story, my interest would pick up. I like reading fiction anyway. Fiction I can read all night, but dry "how to" stuff - it's torture. Maybe I can do fiction, and that would somehow weave in lessons. That's how Bullseye Breach started. It is a story about how Russian mobsters invade and poison 20k point-of-sale systems and steal 40M customers' credit cards. It may be similar to a data breach that happened on Christmas of 2013 here in Minneapolis. I could give personalities to the players, making it fiction, so I control the whole story. I could dream up the ideas on how to fight back. It's fiction, so I rule the world. I'm the supreme ruler of my fantasy world.
It occurred to me that there's more than just money at stake. There's terrorism and all kinds of nasty stuff. What would happen if a country got serious about attacking the good guys? How would that play out? That's where the Virus Bomb came from. Who would be the people to solve it?
When you read these stories, there's a retired former government agent with superpowers. He kicks butt and saves the world. He finds some IT guy to find all the stuff they are supposed to find out. There are all kinds of Hollywood hacker stereotypes. I decided we can do better than that. Jerry Barkley (the protagonist of Scott's novels - CyberNews) is a bald-headed IT guy who lives in Minnesota, far away from all the power centers. He was never president of anything in high school, he never worked for the government, and he doesn't have any superpowers, but he knows what he is doing and is competent. He's been through his share of adversity. He is just an ordinary person who gets involved in these things and finds ways to fix them. Real superheroes are ordinary people who step up even when they don't want to.
Who are those superheroes in real-life situations like, for example, the Colonial Pipeline cyber attack?
If ordinary people had done their jobs inside the Colonial Pipeline, the outcome would have been a whole lot better. In the real world, and this is what I emphasize in fiction, nearly all these attacks are preventable. Out of a hundred attacks, there might be one attack where everybody did everything right, but it happened anyway. The overwhelming majority of these attacks are preventable.
One of my pet peeves is that nobody wants to talk about how they were penetrated. But if you dig down into the weeds as much as you can, you find out that people at the victim organization, generally, were careless, and then they fell victim to an attack. With Colonial Pipeline, they didn't segregate their network. The bad guys cut into the billing system. They didn't trust that the bad guys could also control the SCADA (supervisory control and data acquisition, designed to collect, analyze, and visualize data from the industrial equipment) system. That was one thing. Plus, it isn't good for business when you ship oil to a whole bunch of places, but you can't bill for it because you don't know how much you are shipping and who you are shipping it to. That shut down fuel delivery for like two weeks because their billing system was polluted. They spent 4.5M dollars in bitcoin. Law enforcement recovered a couple million of that. But they paid money to the attackers for decryption keys that were too slow. What did they do wrong? They didn't segregate their networks, and they couldn't trust that SCADA wasn't affected.
Number two, they didn't have a workable disaster recovery plan to recover fast in the event of a disaster.
Number three, they didn't have a plan, and they didn't practice it. When this event happened, they had to invent a whole bunch of stuff on the fly.
Will these real-life events with severe consequences make people more interested in and concerned about cybersecurity, and help them understand what's at stake?
I hope so. I keep trying; I do the best I can to try to get the message across. I'm still trying to find a way to light a fire in people so that the public sees how they depend on this stuff. I haven't solved the riddle yet, but I'm going to keep plugging away at it.
You've been in the business for decades. Is this better for you now than it used to be years ago?
Yes and no. It is better because the technology is better. There's more computer power in my cell phone than in the first PDP-11 computer I got interested in way back then. The technology is better, and tech people are more acknowledged in the world. The world needs us. Who would have thought it?
Personally, I'm a natural pioneer, and technology is not pioneering anymore. Some pieces of it are, but technology itself isn't pioneering. It's not "oh, you must be really smart and wear a white lab coat because you do stuff with computers." The world doesn't see us that way anymore. In that regard, it’s not better.
Technology isn't as new to me as it used to be. I've explored a whole bunch of stuff already. Overall, it's still pretty good. It puts food on the table and pays for my house. It gives me good material to write about.
Do Hollywood films about hackers and cyberattacks make you cringe? Are they realistic at all?
Not even close to realistic. That's why I coined that phrase “Hollywood hackers.” You watch some of these adventure shows where Bruce Willis saves the world. If somebody gets in his way, he just punches and keeps on going. The nerd, the guy that finds out stuff, they are never leaders, they are never powerful, they are just people who find out stuff, and then you can kill them off when you don't need them anymore.
The world doesn't work that way. It is a lot harder to hack into the Department of Motor Vehicles and just find people's names and addresses. It's a lot harder than they give it credit for. There's a lot of drama to that stuff, too. There was a mass murder in California where the FBI had a phone from the suspect and thought there was information inside this phone that could maybe lead to other conspirators, partners in crime. But it was an Apple phone, and they couldn't get inside it. So the FBI tried to force Apple to do a software update to get inside this phone.
Imagine a movie based on that incident. Imagine you cut to the scene where the guys in Apple are trying to decide how to respond, and you cut to the scene where FBI guys are trying to find out how to attack. You go back and forth, and there's a whole bunch of tension there. There just has to be. It's high stakes because the government could have fined Apple enough money to bankrupt Apple. So think about all the ramifications for that action around the whole world. Somebody, some clever Hollywood scriptwriter, should put a script together based on that, and that would be a blockbuster.
Do these real-life cyberattacks contain as much drama as Hollywood movies?
Yes and no. There's plenty of drama and tension, but it's just different from how Hollywood portrays it. In the Hollywood version, somebody who is bright but doesn't get along well in society sits in front of a computer and types a few commands. The next thing you know, they are inside whatever system it is, and they are stealing all kinds of information. Then we can get on with a story where somebody punches someone in the nose or bullets start to fly.
In the real world, that act of getting inside the target network takes a bunch of recon and planning. Most of it is tedious. You can do all kinds of stories around the consequences of an attack. You can do all sorts of stories about the people at the front lines trying to recover from it after their leaders failed them because they didn't plan. There's usually somebody on site that knows how to fix it, and that person does not sleep day and night and has to work hard to get credibility from all the vice-presidents. There's plenty of drama that fiction producers could derive from that if they wanted to bad enough.
I hear that cybersecurity specialists are stressed because of all the pressure to protect networks.
It could be a burnout job. Often, the CISO (chief information security officer) is the designated scapegoat when things go wrong. The worst part of that job is you tell everybody the stuff they are supposed to do, and you plan, you try to persuade as much as you can, and nobody listens to you, and then somebody attacks and steals everything from you and then it's your fault. That's the worst outcome from that job.
The best outcome from that job is just the other way around. You use your soft skills to persuade people, and you get them on board, and you do a bunch of teaching and education, and then somebody tries to attack. You know that they are attacking, and you show everybody that these guys are trying to attack us. Here's who they are, and they are not getting in. That is the best outcome.
But CISOs probably are still the scapegoats even if they did everything right but someone just clicked on a phishing email.
You are not going to stop phishing. That is true. You and I probably will not fall for a phishing scam because we do this stuff all the time. But in a company with a thousand people, the odds are a thousand times greater.
As the CISO, you realize that, and you take steps to mitigate that possibility. One of the things you do is have a good permission model. If I fall for a phishing scam and somebody scrambles everything I can touch, it will cause some damage, but it won't shut down the whole company because I cannot touch the entire world. It is a lot easier to recover what I broke than to recover everything in the whole world. The permission model is a big deal, and segregation is a big deal, too. Keep the pieces of my network segregated. Topology counts. We don't give enough credit to it. Segregate that network so that different elements are behind different access rules.
Could a cyberattack cause a nuclear disaster? How would that work?
If you want to be an attacker, you go after the transportation industry and get inside, find out who is shipping what stuff, when, and where. If I'm an attacker, and I've done social media and zero-day attacks, I'm inside all these transportation companies, and I know what stuff is loading on what trucks and where they are going, who the drivers are. Here's a piece of nuclear material going from this power plant in Minnesota to a cave in Nevada.
I'm going to go after that truck and hijack it. That's how you do it. You get inside these systems to find out information. Information is power. Here's the tactical problem with going after nuclear material. The power companies have all this nuclear waste, and they store it on-site, and sooner or later, they will open up these caves in Nevada where they send this stuff. There are all kinds of studies on whether or not an earthquake will destroy the cave over the next millions of years. Once we figure that out, we will move all that stuff into those caves and bury it forever, so it doesn't poison the world.
You steal one of those things. How do you steal it so that nobody knows how you stole it? When you steal it, everybody is going to be looking for you. How do you do that? These casks are as big as houses. It's tough to steal one of those things and then move it someplace where nobody can see it. That's why in fiction, I did a biological disaster instead of nuclear.
But is it possible?
When you look at the politicians and Hollywood, we are afraid of somebody launching an attack that shuts down a whole bunch of networks, and that stops the world. That's not the proper game. The proper game is to let the networks continue running and drain all the information out of those networks, and use that information to shut down something else. That's the game. It is a lot more complicated, subtle, and a lot longer to plot. But it could cause a whole lot more damage if you do it right.
Would we see that many attacks if the world were a different place geopolitically? If, for example, Russia and the US got along?
Yes, we would. We would see the Colonial Pipeline cyber attack. Nation-states are doing a lot of these attacks right now. Russia is responsible for a lot of them. So is China. The US is responsible for some against Russia and the Chinese. Well, we went after Iran. It was Stuxnet and the nuclear stuff. There's history on our side, too. But we are the good guys, so it's ok when we do it. But if nation-states did not launch these kinds of attacks, and all the countries got along well, there would still be plenty of criminal organizations out there. There's a whole underground infrastructure, a whole economy where bad guys buy and sell information and collaborate. So there would still be attacks like the Colonial Pipeline and some others. Target in 2013, 20,000 point-of-sale systems and 40M credit card numbers - that was criminals, that wasn't government-sponsored.
But it would be definitely harder for them to operate.
If the Russians, North Koreans, and the Chinese clamped down on these guys, it would get better. But there will always be somebody who wants to do hosting for anybody who pays money, no questions asked. It would be better, it would be more challenging, but the criminals would be smarter. I don't think you will ever get rid of it. You could maybe reduce it, put a dent in it. People are still people. We are as corrupt as we can be. That's always going to be that way.