Cybersecurity

Q&A with Mr. Robot’s Kor Adana and Ryan Kazanciyan

Kor Adana is a writer and producer on USA Network’s “Mr. Robot”, a television show focused on hacking and praised by cybersecurity professionals for its realistic depictions of technology. Ryan Kazanciyan is the chief security architect at Tanium and technical consultant for “Mr. Robot.”


How did you get started in cybersecurity?

Kazanciyan: I first got interested in computer hacking back when I was 12 or 13 years old, lurking on bulletin board systems in the early days of the web. I got a degree in computer science while continuing to self-study in topics like network security. Coming out of college, I spent my first six years on the job at a Big Four consultancy focused on security audits and “red teaming” — helping organizations understand how hackers could compromise their networks. I then pivoted to incident response and forensics, and spent five years investigating breaches by nation-state groups, criminal gangs, and hacktivists. During that time, I also authored and taught training classes for the FBI cyber squad and other agencies. Since 2016, I’ve worked at Tanium as their chief security architect, where I focus on building software to help enterprises protect and manage their systems.

Adana: My dad was an engineer, so I grew up in a house full of tools and soldering irons. When I was little, I would always take radios and TVs apart in an effort to learn how they worked. I think I was around 11 years old when I first started messing around on my dad’s Gateway 2000 486DX desktop. After that, I decided to build my own machine. I was inspired by films like “WarGames” and “Hackers.” In college, I ended up studying computer engineering and network security. After graduating, I got a job at a major automotive corporation doing cybersecurity. I wrote security policies and performed penetration testing. That position evolved into a forensics and e-discovery role, aiding the company’s [human resources] and legal departments. I did that for about five years before transitioning to the entertainment industry.


Your experience in cyber and network security led you to work for a television show, which isn’t a common path to Hollywood. How did that happen?

Adana: Ever since I was 10 or 11, I always knew that I wanted to write and direct for film/television. To me, computers were a hobby, but storytelling was my passion. After graduating high school, I knew that I wanted to study film at NYU, but my dad wouldn’t let me. He didn’t want to waste tuition money on a degree that wouldn’t guarantee me a job out of college. His stance was, “Don’t waste your time to become a starving artist. You’re good with computers, so that’s what you’ll study.” I disagreed, but if I wanted his help to pay for college, I had to go down the path he wanted. So I studied computer engineering and landed myself a job after graduating. However, in the back of my mind, I always knew that this wouldn’t be permanent. With every free second I had, I’d study story structure, write screenplays, and shoot my own independent projects. I was making good money in cybersecurity, so I saved as much as I could. Once I knew that I could comfortably live without an income for three years, I decided to quit my cybersecurity job and pursue my passion of writing and directing. I got an unpaid internship at a production company and I worked my way up the assistant track. Eventually I met Sam Esmail, the creator of “Mr. Robot.” When I told him about my previous life in cybersecurity, I think he realized how much I could contribute to “Mr. Robot,” both from a technical and a story perspective.


What are some tech projects/subjects you’re passionate about?

Kazanciyan: My day job at Tanium has me focused on how to automate, simplify and scale the critical tasks that businesses need to perform to secure their computers. I spend a lot of my time designing solutions for breach detection and response. But even mundane tasks like installing patches become incredibly complex and interesting if you’re a business with half a million computers spanning the globe.

I’m also fascinated by how hackers continue to innovate and take advantage of emerging technologies. In the last year, we’ve seen attacks that exploit vulnerabilities in digital currencies, commandeer insecure [internet of things] IoT devices to launch harmful denial of service campaigns, and manipulate social media on behalf of nation-state interests. Thinking about “what’s next,” when everything becomes an internet-connected device, is exhilarating (and terrifying.)


Movies and television often portray hackers and hacking in a certain negative or ridiculous way — think flashing red skull and crossbones graphics. Why is it important to you to be realistic in your portrayal of cybersecurity and hackers in “Mr. Robot”?

Adana: There are a couple of different factors at play here. First of all, most writers/producers/directors make the assumption that hacking is boring, so they need to add cool graphics and fast typing in an effort to dramatize a dull action. There is a little bit of truth to this, but the deeper problem is ignorance. If those directors understood the attacks on a conceptual level and saw the beat-by-beat actions associated with the attacks, I’m sure they’d realize that there is no lack of drama in the realistic portrayal. Of course, it takes extra time and effort to study and learn these things, which is why it doesn’t happen that often. Secondly, many of the most egregious examples of ridiculous hacking on screen came out in the 1990s and early 2000s. Their narrative back then was, “People aren’t going to understand this stuff anyway, so let’s just make it as fun and visual as possible.” Well, it’s 2017 and everybody uses smartphones, tablets and laptops on a daily basis. The average viewer has a frame of reference when it comes to technology, so it’s harder to get away with passing the skull and crossbones off as realistic when most people are familiar with a login process or a phishing email.


How do you appeal to the average American while staying true to technological limits?

Adana: We work really hard to ensure that the stakes of each scene are identifiable and relatable … regardless of what kind of technology is being referenced. Let’s take a storyline from season one as an example. It’s important to me that, emotionally, the average American understands that Elliot needs to somehow destroy something at an off-site tape facility. It will be difficult and risky, but it needs to be done. He, Mobley, Romero and Mr. Robot are going to need to pull off a series of cons in order to do it. If you understand that, you’ll be able to follow the drama of that story just fine. Now … if you are familiar with the technology, you’ll have the added bonus of recognizing the realistic attack Elliot is engaged in … that he’s utilizing a Raspberry Pi to give fsociety access to the company’s [supervisory control and data acquisition] network in order to exploit the HVAC system so he can increase the temperature in a vault to destroy the data stored on Evil Corp’s [linear tape-open] backup tapes.


What are some things the general public should know about cybersecurity and hacking that they (likely) don’t?

Kazanciyan: There’s real hope and promise that things will get better. Case in point: the computer in your pocket (especially if it’s an iOS device) is far more secure than the one on your desktop. Over time, more and more computing and connected devices will adopt the same types of features that make iPhones and Chromebooks so resilient. That doesn’t mean that hacks go away — but we can squash the easy, opportunistic attacks, and make strong security more accessible for the general public.

Adana: Some of the most effective attacks aren’t that technically complicated. A phishing email asking you to click a link to reset your password is a simple attack that even avid IT professionals can fall for.


The general hacking plots in “Mr. Robot” involve bringing down corporations, but how likely is it that hacking would affect the average person’s life?

Kazanciyan: I think reality has been just as strange and frightening as the show’s fiction. True, the world’s economy fortunately doesn’t hinge on a single conglomerate on the scale of Evil Corp. But we’ve seen hacks that attempt to undermine and manipulate elections, data breaches measured in billions of stolen records across all industries and attacks against the power grid and other critical infrastructure. It will soon be difficult to find anyone in the world who hasn’t been impacted by hacking in some way.


What are some ways a person could protect themselves from being hacked?

Kazanciyan: My top four has remained unchanged for many years: 1. Use a password manager so that you can have a unique, random password for every website and application. 2. Turn on two-factor authentication wherever it’s available — but especially for your password manager, email and financial accounts. 3. Wherever possible, use devices that were built to be secure from the ground up. iOS (iPhones and iPads) and Chrome OS (Chromebooks) are much more secure than “ordinary” computers. 4. Be more mindful of what you share online. You can’t control what your bank or government does with your information, but you can control what you voluntarily upload to social media sites yourself.

Adana: I would echo everything that Ryan said. The only thing I would add is to pay for a good VPN [virtual private network] service and use a browser extension called HTTPS Everywhere. Both the VPN and the browser plug-in will help to securely encrypt your activity online.


What should the government do — if anything — to regulate cybersecurity best practices for large corporations and government agencies?

Kazanciyan: All branches of the government have been subject to extensive cybersecurity regulations for decades — and yet they still fall victim to preventable hacks. If you don’t have effective processes and technology to fully monitor and enforce those best practices — or if it’s too easy to get exceptions for compliance — these policies don’t have any teeth. Efforts like [the Department of Homeland Security’s Continuous Diagnostics and Mitigation program] are underway to change how agencies deal with threats — including adopting technologies that let them be far more agile. But we’re dealing with hundreds of departments and agencies, and millions of computers. It will take time.

That isn’t to say that regulation is useless; in fact, there’s a strong drive across private sector industries to align security efforts with a solid set of best-practices. Government-supported standards like the [National Institute of Standards and Technology] CyberSecurity Framework are a boon to that — even when not mandated in legislation. But once again, businesses have to change how they enforce and monitor those practices — not just add more regulation for the sake of it.

I’d also like to see more normalization across the laws that govern how businesses must handle breaches of personally identifiable information [PII]. Today, we still have a patchwork of per-state laws for PII breaches, industry-enforced standards [e.g. Payment Card Industry], and federally-enforced regulations [e.g. the Health Insurance Portability and Accountability Act].


Is there any legislation that you’re currently supporting or following?

Kazanciyan: Full disclosure: despite living in the D.C. area for the past 14 years, I’m definitely not a policy or legal wonk. That said, I’ll mention a few areas of legislation here in the US that come to mind:

— The IoT Cybersecurity Improvement Act of 2017 proposed by Mark Warner [D-Va.] aims to set minimum security standards for IoT devices purchased by the federal government. There’s been years of debate on how to regulate IoT security without encumbering innovation and growth. The U.S. government obviously exerts a lot of influence as a major purchaser of technology. This proposed legislation may be a forcing function to get vendors to do the right thing and benefit all who use these products.

— Electoral systems are in dire need of modernization and an enhanced, consistent approach to security. The [Lindsey Graham (R-S.C.) and Amy Klobuchar (D-Minn.)] amendment to the National Defense Authorization Act for 2018 attempts to address this, but it’s unclear if it’ll survive.

— There’s been another revival of the debate over whether businesses should be legally entitled (or able to obtain some sort of certification) that allows them to perform “active defense” or “hack back” to respond to intrusions. For a variety of reasons, I continue to believe that this is a bad idea. At best, it will distract from more pressing security initiatives where businesses should focus their efforts. At worst, it will lead to harmful collateral damage and the disruption of intelligence or law enforcement operations.


What sort of response have you received from the hacker community, Doomsday preppers (since societal collapse seems to be a plot point) and/or government officials?

Kazanciyan: It’s been incredibly positive. I was at a corporate event last week, and since season three is underway the show came up quite a few times. We have fans that range from threat hunters serving our military and intelligence agencies, through executives at some of the biggest private-sector companies and, of course, plenty of students, researchers and otherwise-unaffiliated hackers around the world. That enthusiasm has always driven Kor and me to continue investing the effort to keep things real. It’s a labor of love.

Adana: It seems like the hacker community has fully embraced our show and appreciates the details that Ryan, I, and the rest of the team incorporate into the scenes. There are a lot of people who tell me that they usually don’t watch television, but they love watching “Mr. Robot” because it’s the only show that comes close to a realistic portrayal of cybersecurity and hacking.


Has doing the show changed your conception of cybersecurity or cybercriminals?

Kazanciyan: It’s positively impacted how I think about, and communicate, issues around security and computer hacking to a broader audience. I’ve spent so much of my career dealing with the “enterprise” side of security, and that inevitably becomes a bit of a bubble or echo chamber. When contributing to the show, I have to think about conveying and selling the technical elements of the story to a general audience, not just the experts. And I think that pays off — not just in terms of making something that’s hopefully entertaining, but also to inspire people to learn more. It’s gratifying to hear someone mention that they saw something that looked cool on the show, did some research and discovered something new. Or that it got them thinking about their passwords, and that led them to turn on two-factor on their Gmail account. Those bits of awareness can make a real difference.

“Mr. Robot” airs Wednesdays on USA Network. Joe Uchill contributed.