An official website of the United States government
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

The Cyber Defense Review

Why CSI: Cyber Matters

By Col.Gregory Conti and Dr. Fernando Maymi | April 07, 2015

CSI: Cyber is getting beat-up by the information security community and at first we went along for the ride.  You have to admit it is fun to play cyber bingo, live tweet during the show, or critique the technical inconsistencies, but there is something more here, something very important.  The security community has long fought an uphill and losing battle to recruit new talent and educate users about the risks of information security.  CSI: Cyber offers the potential to do just that, and on a massive scale.  It also has the potential to spread Fear, Uncertainty and Doubt (FUD) and scare the masses, and our lawmakers, into reactions that would be counterproductive.

 

CSI: Cyber offers the infosec community a tremendous opportunity to raise public awareness, educate, and inspire the next generation of information security professionals.

 

If you use number of Twitter followers as a rough metric for influence, the leading minds of the information security community average between two thousand and ten thousand followers, a few outliers approach about forty thousand.  As a point of comparison, guess how many Twitter followers CSI: Cyber cast member Shad Moss has… more than three million.  That’s right, Shad Moss (AKA rapper Bow Wow) and his reformed black hat hacker character, has more followers than the entire top one thousand information security professionals, and Shad Moss is just one cast member.

Children all over the country have been inspired to be law enforcement agents by shows like Criminal Minds, NCIS, Bones, and CSI.  Summer camps have sprung up catering to those seeking to learn more, even if the reality is a little more pedestrian than the hipper depictions on the screen.  I’m confident that the country won’t face a shortage of crime scene lab techs and associated law enforcement agents any time soon.

With this type of influence comes responsibility.  Fear, Uncertainty, and Doubt, long the enemy of the infosec community makes for good television.  No movie or television program is immune.  We all remember the “fire sale” antics of Live Free or Die Hard.  The trick then is to walk the fine line between technically grounded reality and compelling FUD-laced entertainment.

We shouldn’t forget either that many in the information community today were inspired by War Games.  Imagine if the infosec professionals of 1983 could have live tweeted during the movie.  I’m sure they would have had a coronary.  Get off my lawn, there is no way a teenage hacker could have broken into a DoD computer and started a nuclear crisis.  As a teenager, we found War Games compelling, even if we didn’t know what we didn’t know.  Today War Games and WOPR are enshrined in our lore.

 

CSI: Cyber’s Hayley Kiyoko reminds her 200,000+ Twitter followers to secure their wifi.

 

Done correctly, shows like CSI: Cyber can both educate the populace and inspire the next generation of information security professionals.  Even if the reality isn’t quite as easy as what might appear on the screen, these shows can help raise the bar on what young people aspire to be.  They may even inspire people to lock down their wifi.

When thinking about CSI: Cyber, it may be useful to compare it against House. House ran for eight seasons, racking up 51 awards (including two Golden Globes) and 112 nominations. The show employed a prominent physician (Lisa Sanders, author of the column “Diagnosis” from New York Times Magazine) as an advisor and importantly, according to Dr. Sanders, “three different doctors… check everything we do.” This level of medical realism provided a rich backdrop for stories that ultimately revolved around very real, complex human characters.

CSI: Cyber offers an opportunity for partnership between the infosec community and Hollywood.  We can help make the show better culturally and technically, while the actors and the production team ply their craft.  There are many talented infosec professionals, I’m sure some would be willing to help.  Enabling CSI: Cyber and similar efforts represents a win for both sides.  Perhaps even a few of our favorite hackers could get cameo appearances, if not in person, at least their code or some of their music.

We’d like to add that the idea of working with Hollywood to help educate the public on information security is not new, we first heard it suggested as a potential strategy in 2009 by Melissa Hathaway who had just led a 60-day national-level cyber security review.  At the time the idea was a valuable insight and we believe this even more today.

With CSI: Cyber the information security community has a rare opportunity, where our discipline is at the forefront of national attention.  Despite its flaws when viewed through the eyes of an information security expert, CSI: Cyber is a serious, professional grade effort addressing critical information security issues in front of a global audience.  There is no doubt that the recent Sony wake-up call has gotten the media industry’s attention.  Ultimately, the final answer may not be CSI:  Cyber, but we as a community of researchers and practitioners should learn to partner with those producing movies and television.

This article examined how we could use the current focus of a television show like CSI: Cyber and the momentum behind it to help people care about information security, consider pursuing a career in security, and work towards a more secure Internet.  By figuring out how to reinforce and inform the work of the media industry we all benefit.  Yes, the shows must entertain to succeed and with that comes the risk of FUD, but it can also inspire and intelligently educate.  Properly done, we shouldn’t be jeering at CSI: Cyber and its kin, we should be cheering them on.



US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.