NAB 2019: Making the Case for M&E as ‘Critical Infrastructure’

LAS VEGAS — Nearly 100,000 people attended this month’s NAB Show. And every single day, approximately the same number of people in places like Russia, Iran, China and elsewhere wake up and spend their days trying to infiltrate your networks, corrupt your data, and steal your content.

That was the message Clete Johnson, senior fellow with the Center for Strategic International Studies (CSIS) think tank, and partner with communications law firm Wilkinson Barker Knauer, brought to attendees of the April 7 Cybersecurity & Content Protection Summit, during his keynote presentation “Is the Media & Entertainment Industry “Critical Infrastructure?”

“These 100,000 people, that’s their jobs, that’s how they support their families, this is what they do to find fulfillment in their daily lives, break into your networks, and steal your content,” said Johnson, who was most recently the senior adviser for cybersecurity and technology at the U.S. Department of Commerce. “And they’re fed by galloping advances in innovations, fed by a very lucrative criminal market. And they’re backed by billions of dollars in R&D developed by sophisticated nation states, driven by nation-state interests.”

Since the 2001 Patriot Act, critical infrastructure in the U.S. has been clearly defined: “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security.” And following the Sony Pictures hack by North Korea in late 2014, it’s time media and entertainment is added to that list of the country’s critical infrastructure, Johnson said.

“Is it like the water supply, telecommunications, financial transactions, electricity? I think there’s reasons to believe, in many important ways, that the answer to that is yes,” he said. Johnson and other cybersecurity experts were pooled together in December 2014 at the White House, shortly following the Sony hack, with other nation state concerns, including Iran going after a Vegas casino, Russia’s annexation of Crimea, and fears of Chinese attacks against corporations, added to the discussion.

“We grappled with what happened, what it meant — and it wasn’t just about a funny parody movie — and what to do about it,” Johnson said. On its face, it may not have seemed like a national security issue — an attack against a studio over a parody film, “The Interview” — but it was serious in ways that were alarming on multiple levels. “It was a nation state attack … beyond just espionage and data theft,” Johnson said. “We knew North Korea had these capabilities, but it was alarming that they would use them … it put them in the category of Iran, a rogue state that wasn’t afraid to use [its capabilities]. And it was a disruptive, and destructive, attack that was punishing Sony.”

There had been disruptive attacks before by nation states, and destructive ones as well, but the Sony hack stood out and clicked all the boxes of concerns that keep cybersecurity experts up at night, Johnson said.

“It was the first, significant, punitive attack on free expression, protected by the First Amendment of our Constitution” he said. “And the part we didn’t fully realize at the time, it was a cyber-enabled information operation … that subjected the company to really novel punishment for putting out content.

“This attack shocked me, and portended really dangerous things down the road.”

The good news? It resulted in action, with the White House making another push for the Cybersecurity Information Sharing Act (signed into law in December 2015), allowing for the sharing of cyberthreat indicators.

“These threats have grown tremendously since 2014 … and every criminal group has learned how effective these attacks are,” Johnson said. “The Sony attack was just the beginning.”

Because of the unique role media and entertainment plays in daily American lives — the impact of the broadcast industry, film producers, advertisers — it absolutely qualifies as critical infrastructure, Johnson said, not least because of the core value of free expression Americans treasure. Imagine a rogue nation attacking a certain journalist, a certain film producer, a certain actor, all in order to suppress their speech, Johnson said. “And it’s a matter of if, not when,” he stressed. “This is the future we’re looking at, and it’s going to become more serious.”

Beyond free expression is the assault on truth and facts, Johnson added. “Truth and facts undergird free markets, and democratic self-governance,” he said. Broadcasters serve the public interest as first informers to the population, and a coordinated attack against the facts they relay could prove devastating. A fake missile alert, false disaster response information, deep fakes, enabled by AI, pretending to be a trusted news anchor, all could prove devastating, Johnson said.

So what do we about it? M&E executives can no longer treat threats as an IT problem, must better assess risks specific to their platforms, and develop plans to deal with threats in advance, Johnson said. Practice your threat game plans like a fire drill, over and over again. And realize there’s no cavalry waiting to ride to the rescue: it’s on you to protect your intellectual property, Johnson said.

“Do not think your company is safe, or free of liability,” he said. “The bad guys are coming to get you.”

Co-produced by the NAB Show and the Content Delivery & Security Association (CDSA), the Content Protection & Cybersecurity Summit was presented by SafeStream by SHIFT, Akamai, IBM Security, Microsoft Azure, Convergent Risks, the Digital Watermarking Alliance, the Trusted Partner Network, and produced by the Media & Entertainment Services Alliance (MESA) and the Content Delivery & Security Association (CDSA), in cooperation with the NAB Show.