When I was a student, back in the dark ages, I remember the very first thing I was taught in the very first lecture on recording classical music. The maxim was “the truth, the whole truth, and nothing but the truth”.
What the lecturer (the late lamented John Borwick) meant was that you needed to capture the music (the truth), with all of the instruments properly audible and balanced (the whole truth) and with no extraneous sounds or noises (nothing but the truth).
You can apply the same principle, in a very different way, to a challenge which has crept up on us over the last couple of years. It should now be at the top of the list of things keeping awake everyone involved in handling content and metadata, but probably is not (yet).
We are all aware of the risks of cyber security. Rarely a week goes by without some massive data leak in a high-profile organisation, or attacks by viruses like WannaCry. Businesses are brought to their knees by ransomware. We are constantly being urged to keep on top of our personal password practices.
In the media world, we have risen serenely above this, because we had no need to worry about it. There is an excellent white paper on cyber security in the media industry by the DPP, the UK broadcast body. It is a free download from digitalproductionpartnership.co.uk and it is a great read.
Its very first words are “For over 20 years the media industry has largely avoided the risks around the corruption and leakage of content by working on digital tapes. Security was achieved by obscurity: unless you had an HDCam tape machine at home, it was pretty unlikely that you were going to be able to digitise that material and post it online.”
That is no longer true. We ship files around, and we ship metadata around. The content is at risk, and the way we use that content is at risk. Hacking into the intellectual property controls of a programme archive is as potentially dangerous as stealing the content outright. Broadcasters certainly wouldn’t want playlists manipulated, replacing programmes or commercials with unwanted content.
With the move to IP, global connectivity and the cloud, media companies are now very much at risk of cyber attacks. It is already happening: Yves Bigot, director-general of TV5 Monde, victim of one of the most famous attacks, confessed “we were a couple of hours from having the whole station gone for good”.
This was a carefully planned attack, almost certainly perpetrated by a Russian group calling themselves APT28. The BBC security correspondent Gordon Corera researched the incident, and found evidence of careful planning and rehearsal. The hackers developed bespoke targeted malware to corrupt and destroy internet-connected hardware, from the camera robotics to the encoders. There appeared to be seven different points of entry.
Attacks potentially come from a wide range of sources. Some will simply be people wanting to watch something for free: the recent Game of Thrones hack is a good example. Others will be from radical interests, and even from quasi-state sources. According to Al Jazeera’s CTO Mohamed Abuagla, “If we ran a story on government corruption in China, I would get Chinese attacks. If there was a story about the regime in Syria, we get Syrian attacks.”
Plenty is happening to help. The DPP is now working with the North American Broadcasters Association on the basics of documentation, testing and authentication. The EBU has published a recommended practice document, R143. Media companies fall under the requirements of the EU General Data Protection Regulation, which comes into force in 2018.
Everyone needs to act now, to develop policies and practices which minimise risk. As with any computer protection system, this needs to include the human factor too. Social engineering tricks like phishing are still the easiest way for hackers to gain access to otherwise protected networks. No-one wants to be responsible for inadvertently allowing an IS video to air.
The goal is to ensure that, as we create, move, share and distribute content and its associated metadata, we allow only the truth, the whole truth and nothing but the truth.