Addressing cyber attacks; protecting media content
Following a spate of high-profile attacks, broadcasters and multimedia companies are taking action to prevent severe and potentially irreversible damage being caused to their assets, content and business models.
This growing activity was noticeable at the September 2017 International Broadcasting Convention (IBC), the leading broadcast industry event held every year in Amsterdam. An unprecedented number of senior executives from major broadcasting and multimedia companies and from IT security solution providers addressed closed sessions, panels and conferences to highlight the threats facing the industry and to present possible answers and solutions.
Standards developed by ISO/IEC JTC 1/SC 27: IT Security techniques, a Subcommittee of the Joint Technical Committee set up by the IEC and ISO for Information Technology, are central to protection against cyber threats.
Multimedia companies face another issue: safeguarding their work from unwanted copying and distribution outside approved frameworks. A number of Standards for digital rights management (DRM) have been developed by IEC Technical Committee (TC) 100: Audio, video and multimedia systems and equipment, and by ISO/IEC JTC 1/SC 29: Coding of audio, picture, multimedia and hypermedia information, to limit the usage of digital content and devices in such a way as to protect rights owners.
Targeting media? Nothing new!
For centuries, political authorities and other institutions everywhere have clamped down to prevent the publication of newspapers, pamphlets and books or works of art such as films or plays, for reasons that include threats to public order, national security or indecency. Electronic media has supplied a new dimension to the distribution of news and cultural content across borders, bringing new challenges.
Many countries started broadcasts so as to reach their nationals in overseas territories and enable them to maintain links with their home country (Netherlands, 1927; France, 1931; Great Britain, 1932; Switzerland, 1935). Vatican Radio started disseminating religious broadcasts in 1931.
For other countries, the main purpose of transnational foreign language broadcasts was to spread propaganda abroad (USSR, 1929; Germany, 1933) or to undermine other countries’ influence in some regions of the world (Radio Bari in Italy, 1934). Countries that felt threatened were persuaded in their turn to broadcast to foreign audiences so as to counteract propaganda and/or promote their cultural achievements.
The Second World War, and later on, the Cold War, caused a massive expansion of such broadcasts, the emergence of clandestine and “black propaganda” outlets and the jamming of any foreign broadcasts viewed as damaging national interests. The USSR reportedly operated some 2 500-3 000 jamming transmitters in the 1980s.
During conflicts, broadcast media are routinely targeted. According to Serbian officials, North Atlantic Treaty Organization (NATO) forces fired more than 1 000 missiles at Serbian broadcast media facilities in 1999 during the Kosovo war, causing dozens of casualties. Broadcast media are also often among the first targets during coup attempts.
New technologies, new vulnerabilities, new forms of attack
Digital technologies have radically transformed the way broadcast and multimedia content is collected, produced and delivered. Interconnection and distribution via electronic networks have opened up new avenues, enabling a multitude of perpetrators (not always easily or quickly identifiable) to attack content producers and distributors for a wide variety of reasons.
A number of serious breaches have led broadcast and multimedia companies to look for ways of preventing attacks and, failing this, of mitigating their impact and allowing recovery. In addition to implementing existing standards or recommendations, these companies develop new ones, set up guidelines and increase cooperation and coordination between operators at national or regional levels and between trade organizations.
Difficulties tracing perpetrators and motives
High-profile cyber attacks have hit a number of broadcasters and entertainment companies in recent years. The following examples reflect the scope of the threats, the nature of the attacks and the range of possible perpetrators and motives:
- In November 2014, a group calling itself the “Guardians of Peace” released confidential data from the Sony Pictures entertainment company. The files made public contained, according to Sony Pictures officials quoted by Reuters, “a large amount of confidential Sony Pictures Entertainment data (…) including personnel information and business documents”. Stolen data also included Sony films that had not yet been released, personal information about Sony Pictures employees and contracts and marketing plans that could influence competitors’ strategies by exposing trade secrets. The attackers not only stole data but also “erased everything stored on 3 262 of the company’s 6 797 personal computers” and wiped out 837 of its 1 555 servers. US officials blamed the attack on North Korea, implying it may have been linked to the studio’s release of “The Interview”, a comedy set in North Korea about a plot to assassinate North Korean leader Kim Jong-un. This followed threats of retaliation by North Korean officials that included complaints to the White House and to the UN Secretary General. In addition to reputational damage, Sony Pictures estimated the overall cost of the attack, including restoring its financial and IT systems, at USD 35 million.
- In early April 2015, French international TV broadcaster TV5Monde, which is available in 200 countries, came under a sustained cyber attack that started with a group calling itself the Cyber Caliphate claiming responsibility in messages posted on the company’s social media platforms. The attack took the broadcaster’s 12 channels off the air and nearly led to the total destruction of its systems. Quick action by a technician who identified and unplugged the machine from which the attack was being carried out saved the broadcaster. Its director general, Yves Bigot, later told the BBC “we were a couple of hours from having the whole station gone for good”. TV5Monde was able to resume some limited operations early the next morning after experts from the French National Cyber Security Agency (ANSSI) were called in to assess the damage and take the necessary measures. Bigot set the cost of the attack at EUR 9 million in 2015-2016, with additional yearly outlays of EUR 3-4 million required to ensure the protection of its systems.
- In late December 2016, directors of Larson Studios, a Hollywood audio post-production company working for major studios, received messages from a hacking group calling itself the Dark Overlord, informing them that it had broken into their company’s servers. The group, which had taken all the company’s data from its servers before wiping it, threatened to leak it online unless it was paid some USD 50 000 in bitcoins in ransom money. The stolen data consisted of dozens of titles from major studios, including 10 unreleased episodes from the latest season of the Netflix “Orange Is the New Black” series. Fearful of the adverse reaction of its clients, Larson Studios paid the ransom, but didn’t inform its clients. The same group later threatened Netflix with circulating the unreleased episodes of the series online unless it was paid a ransom. Netflix refused to pay and the series was uploaded on a peer-to-peer torrent site. The move is unlikely to have affected Netflix, which relies on subscriptions and not on an advertising-based business model. However, it cost Larson Studios an “estimated six figures” on new security measures to prevent future attacks, in addition to the USD 50 000 ransom it paid, not to mention lost productivity and the need to rebuild trust with its clients following the studio’s perceived failure to safeguard their information.
Forensic evidence and “plausible deniability”
The possible motives of these attacks range from inflicting financial and reputational damage, disrupting normal operations and extortion to destroying installations or testing new forms of cyber attacks to target more important assets at a later date, as is believed to have been the case in the TV5Monde attack.
Finding out who lies behind the attacks can be a lengthy process that requires extensive forensic analysis of data to yield tangible results. The modes of attack may give an indication as to the motives and the perpetrators, but the evidence often comes well after the attacks and the suspected perpetrators are likely to deny the findings.
The Larson Studios breach appears to have been the result of a random attack from hackers who “were basically just trawling around to see if they could find a computer [running an older version of Windows] that they could open”, according to the company’s chief engineer. The motive was obviously extortion. The same opportunistic mode of penetration is observed in cases of ransomware when unsuspecting employees open a malware-infected file.
Investigation into the Sony Pictures attack indicates that the hackers had penetrated the company’s network – which had been breached dozens of times in previous years – some weeks, or even months, before the malware was activated. US official sources attributed the attack to hackers linked to the North Korean government, a claim denied by the latter. There was no demand for a ransom, but the attack resulted in major disruption and significant financial losses.
The TV5Monde attack is particularly interesting and important as it targeted a broadcaster. Broadcasting installations are now considered to be integral parts of the critical infrastructure in countries including the US, UK, France, Germany and the Netherlands. According to ANSSI, which gave details of its findings some two years after the TV5Monde attack, it was carefully prepared and was initiated nearly three months before its effects became obvious. In late January 2015, attackers penetrated the broadcaster’s IT network, mapping its infrastructure and analyzing its vulnerabilities before launching their attack on 8 April. They even went as far as leaving traces of known malware in the system to mislead investigators. TV5Monde Director General Bigot told the BBC that the investigators were able to prove only two things. Firstly, that the attack was designed to destroy the channel, and secondly, that it was linked to a group called APT28, also known as Fancy Bear, one that is reportedly linked to Russia’s military intelligence service, the GRU. Bigot said that the investigation would be unable to answer two questions: “why TV5Monde?” and “Who gave the order and the money to that Russian group of hackers to actually do it?”.
Broadcasters and media companies take action
Broadcasters and multimedia companies are now working together to face an existential threat and critical disruptions to their business models. They rely on well-established IEC and ISO/IEC JTC 1 Standards and on recommendations and guidelines developed by broadcasting and multimedia companies and trade bodies. These companies work closely with national security agencies and IT security solution providers. They have set up a number of collaborative bodies and structures and have developed tools to face threats.
The European Broadcasting Union (EBU), an alliance of public service media organisations, which has 73 members in 56 countries in Europe and the Middle East, and 33 associate members in Africa, Asia and the Americas, has established a Strategic Programme on Media Cyber Security (MCS). As of 1 January 2018, the EBU had published six cyber security-related “Recommendations”, covering a wide range of domains that include best practices and minimum cyber security requirements for media companies, broadcast systems, software and services, as well as cloud security or mitigation of ransomware and malware. These recommendations refer to a number of ISO/IEC Standards for IT Security Techniques, such as ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27017:2015 or ISO/IEC 27018:2014.
The EBU also organizes workshops, seminars and webinars that bring together its members, vendors and service providers to address cyber security issues.
The Digital Production Partnership (DPP), a media industry business initiative founded by the UK's public service broadcasters: BBC, Channel 4 and ITV, brings together broadcasters, production companies, distributors and trade associations. The DPP, which has formed a partnership with the North American Broadcasters Association (NABA), has set up a Committed to Security Programme, which, it believes, “will help reduce the likelihood of content loss or theft”. The DPP awards a ‘Committed to Security Mark’ to companies that meet a number of standards listed in its broadcast and production checklists, which include ISO/IEC 27001:2013.
One of the DPP members, the Association for International Broadcasting (AIB), the only global alliance of media companies that deliver, or support the delivery of, cross-border and multi-platform international broadcasting, set up a Cyber Security Working Group to help share information and expertise about existing cyber threats to media companies.
A multi-stakeholder effort
Protecting broadcast and multimedia assets and content is a task that calls for collaboration between a multitude of stakeholders to develop standards and best practices. They also share warnings regarding threats and exchange advice and solutions for deterring and detecting cyber threats as well as defending against them, mitigating their impact and recovering from them in cases when defences have been breached. Implementing the relevant IEC and ISO/IEC JTC 1 Standards is essential if these objectives are to be achieved.