Deep-voiced announcer, with a touch of menace in his tone: Next week on CSI: Cyber, the team heads to the RSA Conference to appear on a keynote panel before an audience of enraged cybersecurity professionals. Some have attended the session just for the chance to be infuriated. Some are only there for the free ice cream. Will the team get out alive?
CSI: Cyber, the CBS crime drama, has had some outrageous plotlines, but this is the worst one of all — because unlike the absurdities that pass for entertainment each week on network TV, this one is really happening. Most security professionals find the program ridiculous and exploitative, but as long as it was confined to the airwaves, it could be ignored. When it is given a prominent position at one of the cyber world's premier security conferences, however, it becomes an outrage.
That probably isn’t what RSA expected when it announced the keynote panel featuring two of the stars and the executive producer of CSI: Cyber. After all, RSA had received praise in years past for bringing in other TV celebrities, such as Stephen Colbert and the MythBusters. This time, the praise turned to scorn.
Why, though? While CSI: Cyber is indeed ridiculous and exploitative, relying on stereotypes and plot inventions that are beyond absurd, it’s a fairly innocuous bit of entertainment. Can’t we just relax and enjoy the show? I mean, people in the CIA must see the Bourne movies as far-fetched, but for the rest of us they are just exciting and entertaining.
The truth is, I think we in the cybersecurity field have been quiet about CSI: Cyber for just that reason. We don’t think it reflects reality in any way, but we don’t really expect that of such a commercial entertainment. If we just ignore it, it might not go away, but at least it can’t really rankle us.
It’s a different story when you take the show out of the flat screen and bring it to the RSA Conference. That gives the show and the many liberties it takes with the cybersecurity profession a legitimacy they don’t deserve. (I go into a good deal more detail about this in this video.)
CSI is a franchise, and it’s been a highly successful one, so it’s pretty easy to see how the producers were able to convince the network to give CSI: Cyber a shot: It combines the CSI that the public has come to love with a current buzzword, cyber. But CSI: Cyber isn’t a big hit. It was renewed for a second season, but the numbers this year haven’t been great. Maybe it will come back for a third season; maybe not. I’m not a TV scheduling expert.
The point is that the franchise has perfected an approach. The writers and producers look at the news, find interesting crimes that could make good television, then produce an episode with a “ripped from the headlines” feel about it. The thing is, though, that as buzzy as “cyber” sounds, the actual profession doesn’t really lend itself to compelling TV. For those of us working in it, it can be very interesting and rewarding, but there’s no way that a mass audience is going to plant itself in front of its TV sets to watch us tapping our keyboards and squinting at our two, maybe three monitors.
So what can the producers do? Add more monitors, of course, just for starters. Then equip the cybersleuths with guns and muscles and witty repartee. Speed things up, so that the cybersecurity experts aren’t seen as painstakingly plodding along, and make them the center of every investigation, and not just some supporting role in a much larger operation. Check the news for actual cybercrimes, but realize that you will have to jack them up by imagining “future evolutions of past crimes.” In other words, make things up.
And so, when the producers read about hackers being able to listen in to baby monitors, they take it up a level, and we end up with random kidnapped babies being auctioned off over the Internet. When they read about the (questionable) hack of an airplane system in flight, they come up with a virtual hijacking of an airplane by the Chinese government. Who’s going to watch what cybersecurity pros really do?
Even less defensible is the way that the characters in CSI: Cyber have been rendered as stereotypes. Of course, the lead technologist has to be an obese, insecure, socially awkward geek prone to incomprehensible technobabble. The supporting cast offers up social misfits, ex-criminal hackers and one special agent who gets to beat people up. Worst of all, the show frequently depicts the investigators committing crimes to solve crimes.
In the real world, FBI special agents have physical fitness standards and are frequently lawyers or have other work experience. I know this because the Irari Report once interviewed Donald Good, deputy assistant director of the FBI for cyber. On the show, the cyber agents are few and work out of Washington. In reality, most of the FBI’s scores of cyber agents are stationed in field offices around the world. They also spend extended periods of time supporting non-cyber cases, as well as performing long-term investigations. You know, boring stuff.
When the original CSI series first aired, it had a real-world impact that came to be known as the CSI Effect: Juries were setting criminals free because jurors who watched the series believed that there should be a mountain of forensic evidence in every case. They had unreasonable expectations of the forensic science profession, entirely based on what they had seen the CSI investigators do on TV. As a sort of side effect of the CSI Effect, some criminals began to plant evidence, incriminating other people, based on what they had seen on TV.
Should CSI: Cyber thrive, we might see a new permutation of the CSI Effect, one pertaining to the computer security profession. The show gives viewers the impression that investigators have immediate access to every database in the world, creating unrealistic expectations for law enforcement. I am waiting for a jury to set a criminal free because CSI: Cyber gave jurors the expectation that, when you get an IP address, you automatically have the definitive location of a criminal — a concept that is blatantly wrong, yet constantly repeated throughout the series.
You know, thinking about CSI: Cyber gives me a headache, but I don’t usually publicly gripe about the show, except for making videos like this and to cracking jokes. Most people in the profession have reacted similarly. Maybe that’s why the organizers of the RSA Conference underestimated the contempt that the security profession has for the series. Until now, we’ve been content with making private jokes; now we have to make public statements.
But though I disdain the show for its distortions of our profession, my wrath is directed at the RSA Conference organizers, not the producer or actors of CSI: Cyber who will be on the RSA panel. The show is certainly silly, but the producer is not answerable to the security community for that. His responsibility is to CBS, which expects him to produce a successful TV series. And CSI: Cyber has been reasonably successful, so he’s done his job. As for the actors, they are responsible for portraying the characters they are paid to play, as they are written. I wish their success hadn’t come through the exploitation of our profession, but it’s not their fault. And had the program stayed within the realm of televised entertainment, where absurdities amount to a tradition, I could go on ignoring it. The RSA panel changes everything, though.
In response to the negative reaction, conference organizers issued a rare statement, titled “Expanding the reach of RSA Conference.” In it, they contend that the issue is that people are upset because the panelists know nothing about security. That is not the case, as we have previously welcomed many non-security speakers. The primary issue is that the series is exploitive and insulting to many people in the security community.
The organizers then state they will use the panel to explore whether CSI: Cyber is encouraging more people to enter the profession (I doubt it; the viewers are much more likely to be retired than in college), the response of the CSI: Cyber panelists to the sort of criticism that their appearance has inspired, and how they get ideas for their storylines. Interesting? Maybe. But more appropriate for Comic Con than the RSA Conference.
Nonetheless, I plan to attend the session, just because I write and speak on the issues involved and need to be informed. (Besides, the session is one where free ice cream bars will be distributed.) If I am wrong about the worthiness of the subject matter, I will issue an apology to the RSA Conference.
Not that I expect that to happen. What I expect is that the CSI: Cyber participants will pander to the audience and tell us what a hard job we have. They will claim that they have to dramatize the show to suit the medium, but they will claim they intend to pay us homage in the process. They will tell us how much they respect us, but then they will continue to exploit us and portray us as stereotypes who have to commit crimes to catch criminals.
If I’m right, my ice cream could end up tasting pretty bitter.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.