Blackhat is the latest in a line of movies that feature hacking as a major plot point, and it paints a pretty scary picture of what nefarious computer geniuses can do. But how accurate is it? Should we be worried? I talked to Jeff Schmidt, founder of JAS Global Advisors and Zurich Insurance Cyber-risk Fellow at The Atlantic Council, about the movie, some of its inaccuracies, and what we can learn from Blackhat.
What’s Blackhat All About?
To provide some background for this discussion, here’s a quick synopsis of the movie. Spoiler alert: if you haven’t seen it, and you don’t want to know the plot, you might want to come back to this article after you’ve seen it (though the box-office numbers and mediocre reviews suggest that it’s probably not worth the $20 it costs to see it in the theater).
In short, a hacker, Nicholas Hathaway, is brought out of prison by the American and Chinese governments to help them track down the source of a cyber attack on a nuclear plant in Hong Kong (the attack included pieces of code written by Hathaway years ago). After another attack on the Mercantile Trade Exchange in Chicago, some cat-and-mouse with the villain, a fight in a Korean restaurant, and some bank account sleuthing, Hathaway and the agents recover a HDD from the nuclear reactor.
Because of the physical damage to the drive, the American agents request access to a top-secret NSA data reconstruction tool called Black Widow, but is denied. Hathaway hacks into the NSA and uses the tool to discover the location of the source of the cyber attacks.
Heading to Jakarta they find that the hacker is planning something in Malaysia. After heading to the location of the next attack, they reason that the attack on the nuclear plant was a test run—the hacker’s plan is to flood a Malaysian river valley to destroy a number of tin mines, which will enable the him and his gang to make a bunch of money on the tin market using the funds they stole from the Exchange.
Needless to say, there are some chase scenes, a shoot-out, and some knife fighting, but Hathaway, the good hacker, ends up killing the bad hacker and making off with his money.
How Accurate Is It?
In general, Blackhat has gotten fairly positive responses on the technical side. Kevin Poulsen, a former hacker and a consultant on Blackhat, told Gizmodo that it’s probably the most authentic thing that’s been done in the realm of hacking movies. When I talked to Schmidt, he emphasized that he thought the team behind the movie had put a lot effort into getting things right, and did a really good job, despite the “overly complex, Rube Goldberg plot,” which—though a bit demanding in the suspension-of-disbelief area—he found entertaining.
Beyond the positive overall reaction, Schmidt pointed out a few interesting things in the plot that gave him pause. For example, if an organization like the NSA had developed the Black Widow data reconstruction program, they wouldn’t make it accessible over the internet, and they’d certainly protect it with something stronger than a simple username and password authentication. Similarly, computer forensics isn’t as simple as starting a program and waiting for a pop-up with the critical piece of information.
Similarly, the portrayal of tools like whois and talk simplifies the process quite a bit—they don’t just work like magic. Schmidt says that “good guys usually talk to bad guys over something more simple, like IRC or Twitter,” which surprised me a bit; government agents talking to cyber criminals via Twitter sounds like something out of a movie!
And, of course, to make the movie interesting, the writers had to make the plot complex, involved, and suitable for a thrilling mystery. If hackers were sophisticated enough to take down a nuclear power plant, Schmidt said, they wouldn’t need to go through the trouble of using such complicated tactics as flooding a Malaysian river valley in order to affect the tin market, which they had infiltrated through an attack on a commodities exchange.
Another tactic used to make the movie more exciting was to give the hackers martial arts and gun-fighting training, something they don’t usually have.
What Can We Learn from Blackhat?
When it comes down to it, even if Blackhat isn’t a hyper-realistic portrayal of the hacking life, there are still a few things we can learn from it. When I asked Schmidt if we’re likely to see an increase in the number of attacks like the ones portrayed in the movie, he said that, while nuclear reactors and trade exchanges and dams all have computer components and could potentially be attacked, “the reality is that the thing we should actually be worried about is the more boring stuff . . . bad guys are stealing money and intellectual property and information to influence, blackmail, bribe, and extort every day.”
He admitted that these sorts of activities are much less exciting, and that there’s not likely to be a movie about them anytime soon, but that this is where we need to focus our attention. Unfortunately, however, we’re likely to see this type of attack increase in the future—hackers are getting more sophisticated, methods are getting increasingly complex, and, as Schmidt put it, “defense is behind offense.” At the moment, the hackers’ methods are more effective than the ones used to defend against them, and they’ll likely remain so until a new technical development turns the tables.
As expected, Blackhat is a sensationalized account of what it’s like to be a hacker. But, as with a great deal of fiction, there are grains of truth that can be found throughout the story. Hopefully, those who see the film will be inspired to learn more about cyber warfare and cyber security so that awareness of today’s issues become more widespread. Though Blackhat requires a bit of imagination to appreciate, it does draw attention to an important issue in today’s world, and that’s always good.
Have you seen Blackhat? What did you think? How do you feel about the portrayal of cyber terrorism and cyber warfare in the film? Share your thoughts below!
Image credits: Universal Pictures, Businesswoman holding tablet via Shutterstock.