I first learned about the concept back in Belfast in 2014 when I shared a taxi with cyber-psychologist Mary Aiken, and she told me about the concept of the show, and how she was training lead actor Patricia Arquette for the dramatized role of Aiken.
That show is CSI:Cyber, and despite it receiving unpopular reviews from the security community, it has been renewed for a second series and this week at RSA Conference in San Francisco, two members of the cast and its creator took centre stage in the keynote theater.
Appearing were Charley Koontz and Shad Moss, alongside CSI creator Anthony E Zuiker, who opened the panel with the declaration that “it’s just a TV show”. The panel was chaired by RSA Conference VP and curator Sandra Toms, who had addressed the controversy of this panel in a blog post.
In that, she said: “With a cyber-crime edition now on a top-rated network, RSA Conference saw the opportunity to bring two audiences together: Hollywood and the security industry.
“While the show may not be technically accurate, it does introduce our profession to new league of people—and more importantly to a new generation of potential cybersecurity professionals. The number of cybersecurity job openings continues to outpace those entering the industry, and if pop culture can help bring awareness to the industry and spark interest in the next generation to learn more, we welcome that discussion and recognize its value.”
Toms began the session by pointing to other media that had addressed science, technology and mathematics such as Star Trek and War Games, and asked if they “prompted of a new generation of kids to learn a lot about STEM”.
She said: “We have 200,000 unfilled positions, and by 2020 it could be two million. This is an incredible time and could CSI:Cyber introduce cyber security to a new generation of security professionals?”
With that, CSI creator Zuiker took the stage and revealed that he had pitched CSI:Cyber to the networks five years previous to its commission, but it was passed over. Meeting Aiken and seeing the “future of crime” gave him a new idea of focusing on cyber-crime. He said: “It became more relevant and as it is more accepted in media as a problem and of the future, who does crime better than CSI?”
Asked by Toms about it not accurately representing the security industry and day jobs of thousands, Zuiker said that it was about show business and while they relied on “great technical advisors and great researchers”, they were not making stuff up but needed to keep the “fast moving train” moving with three times the action of the plot point.
“The purists who know the space well and feel that we don’t do a good job of entertaining television, we live in hyper-reality to represent the world we live in,” he said.
At the time of writing, the video of the panel is not available on the RSA Conference website, but let’s just say Zuiker was passionate with his answers. Of course it is more dramatic to show live hacking in the style of CSI:Cyber than to show the slow process of reverse engineering malware, but this has been one of the criticisms of CSI:Cyber, that it goes for Hollywood excitement over the reality of the job, and Zuiker did not deny that.
As for attracting talent, well maybe by 2020 the modern Security Operations Center will reflect what is seen in this show.
Next came the two actors. Moss plays Brody Nelson and Koontz plays Daniel Krumitz. The character of Nelson is a black hat turned white hat working in investigations; there’s one for the debate on hiring ex-hackers.
The character of Krumitz is the typical plus-sized, bearded smart guy, which Koontz acknowledged by saying he felt like the character fitted in but he didn’t want “Cheeto dust on my keyboard”. He also said that the character “struggles with being the smartest one in the room”.
Sadly there was no Arquette, who remains a star in my eyes, mainly for her fantastic performance in 1993’s True Romance alongside another actor who would go on to IT security TV drama greatness – Mr Robot’s Christian Slater.
Moss commented on the intelligence of his character on “how smart he is in using a computer and he can jump into the FBI field with no college background”, and how he uses his once “bad ways for good ways”.
Asked if it glamorized hacking, Zuiker said he was “aware we are entertainment for the industry”, and he was humbled by the “heavy lifting on that side of the stage” referring to the audience. He said: “All we do is tell the best stories possible that cyber-crime is out there and have a level of take away. The FBI is not adverse to entertainment that can show expertise that is used in the crime system.”
He also commented that the average CSI audience is 51 and female, and it was important to address an area that affects them every day, and that is “why education is important as we are entertainment and that is why this audience (referring to the audience in the theatre) does the real work”.
The message was clear from the panel that they had to “hyper-reality” as they have bosses who demand an exciting product from its audience, and Zuiker mentioned that from visiting Government, they recommend doing two things – put a number in your password and do your updates. “They are begging me to do this on CSI:Cyber,” he said.
At this point I had to leave, and mentioning to Joe Stewart, Director of Malware Research at Dell SecureWorks that I had left to meet, his first question to me was “did they talk about how their show is totally unrealistic?”
In a week where actors took centre stage at RSA Conference, from Mr Robot’s Rami Malek talking on stage with Qualys to the closing keynote by Sean Penn, it was clear that what CSI:Cyber presents is drama to a middle-aged audience, and if there is something learned, then all the better for it.
However those “kids” who may want to consider a career in cyber security would not have been in the audience for this panel and its justification, and are probably not watching the show and the false sense of security being presented will likely remain.