Last week, I attended the San Francisco premiere of a new short documentary, "The New Face of CyberCrime." Directed by Frederic Golding and brought to fruition by the folks at Fortify Software, the film was screened for select members of the media as well as IT executives from around the Bay Area and was followed by a panel discussion moderated by Fortify founder and Chief Technology Officer Roger Thornton.
The panel featured:
Howard Schmidt, president and CEO of R&H Security Consulting and former White House cyber-security advisor
Ted Schlein, managing partner of Kleiner, Perkins, Caufield and Byers
Grant Bourzikas, director of Information Security for Scottrade
Frederic Golding, director of the film
The 20-or-so-minute film talked at a high level about the cyber-crime landscape, focusing on the role organized crime now plays because there is money to be made out there. Discussions with a few grey-hat hacker types, some IT folks and analysts around the industry, and Schmidt himself hammered home the point that this is a dangerous time on the Internet, and people need to be aware of how they and their information can be tricked, captured and compromised online. However, there really wasn't any prescriptive advice to be gleaned from the movie, which left me (and, I felt, many in the audience as well) wanting more.
Given Fortify's niche in the industry (code scanners), it is unsurprising that the film concentrated on how poor development practices and shoddy code open doors for thieves in the current threat landscape. As far as I can recall, cross-site scripting was really the only type of vulnerability that was discussed at length, as we got to see a grey-hat hacker type sit in an outdoor cafe, talking about the things that he could do from there over the Wi-Fi network. Hardly compelling visually, and probably hard to grasp for those unfamiliar with the ins and outs of coding best practices.
In fact, the whole film seemed to suffer from a bit of a lack of focus. In the panel discussion, an audience member asked what I was thinking: "Who is this film aimed at?" The quick-cutting visual style, featuring a lot of talking heads interspersed with jerky shots of racks of servers and network cables, and the high-level gloss-over of the problem with no real prescriptions, kind of indicated that the film was directed towards a very mainstream audience. Like something you might catch on Nova on Saturday afternoon.
Yet cross-site scripting seems like a poor choice of angle for a mainstream audience, which would probably benefit more from a more endpoint-focused perspective, or better yet a look at how to actually protect and monitor your digital assets.
Golding made very clear that he did not intend the film to be a call to action, but rather an opportunity to initiate a dialog and help people in the industry build awareness of cyber-security. Something with recommendations or deeper discussion of the issues would be more of a corporate film rather than a documentary.
Thornton indicated that the filmmakers and producers needed to weigh the balance, keeping the audience engaged while still providing some meat. Apparently, they had initially planned to reach out to more criminal elements to show that side of the equation, but were warned off that course by law-enforcement advisors who told them they could get killed if they weren't careful with what was shown or who they talked to.
Golding consistently expressed surprise at the things he learned during the filmmaking process, and clearly showed his unfamiliarity with the technical matters at the heart of his film (honestly, why would any Joe User know about coding best practices and PCI compliance?). And I fear his unfamiliarity with the subject matter gave Fortify's folks a chance to steer the subject matter toward their own bread and butter -- a rather unfortunate, but unsurprising development.
Ultimately, the question of target audience was never answered during the panel, so I posed the question to the PR representative who invited me to the screening in the first place. His answer surprised me:
"The documentary will not be made publicly available, but I can send you a copy of the DVD if you like. I just need you to agree that the DVD will be for your own personal use and will not be made public."
So really, this film is only going to be shown to prospective Fortify customers. It's a marketing film. Super (I feel used). Some full disclosure up front would have been great, as it turns out that the panel itself was peppered with Fortify board members as well. Five minutes of research turned up the fact that both Schmidt and Schlein are on Fortify's board of directors.
Nonetheless, the panel discussion was a little more interesting, as the audience let loose some of its unrest regarding the film. Since the director intended the film to provoke a dialogue, in this one sense, it was successful.
An impromptu poll taken of the audience indicated that the majority of those in attendance thought of themselves as information security workers, while a handful of people were in software development, and almost no one considered themselves to be both. And if I may generalize a bit, the security-oriented audience had the reaction of, "We know all this. Now what are we supposed to do about it?"
Of course, Fortify's answer was an unspoken but quite evident, "Buy our products."
Scottrade's Bourzikas ultimately was the most interesting speaker as he weighed in on subjects like biometrics and the efficacy of PCI compliance mandates.
Bourzikas called PCI compliance "Uh, interesting." He intimated that that kind of security doesn't really make you more secure. In the end, authorized users query a database and get a response. How do you ensure that that user is who he purports to be? Ultimately, these are business decisions and at some point security becomes a hindrance. The company first of all needs to make money, and can't tell users how to behave.
When two-factor authentication was mentioned as a solution, Bourzikas made it clear that his customers did not want it, and weren't willing to bear the additional expense to institute it.
TJ Maxx was used frequently as a case in point during the film and the panel discussion -- highlighting the real financial consequences for a business cleaning up a data theft mess, while hinting at what it means for end users as well -- the latter described basically with two words, "identity theft." But counter to the PCI discussion above, it seems the TJ Maxx example actually could have been prevented by conforming to PCI regulations, as evidence has pointed to wardrivers cracking WEP (Wired Equivalent Privacy) encryption on TJ Maxx's wireless network and culling customer information that way -- a situation clearly addressed in PCI.