Director Michael Mann’s cyber-thriller, Blackhat, opened in theaters this weekend, and promised to be the most realistic portrayal of cybersecurity to date. So, of course, I just had to get down to my local theater and see it for myself.
For those of you unfamiliar with the terminology, blackhat is a name derived from hacker slang for a person who hacks for personal gain or malicious reasons. The story focuses on former blackhat hacker, Nicholas Hathaway (played by Thor’s Chris Hemsworth), who is recruited to investigate the deadly misdeeds of a ‘super-hacker’ plaguing both the FBI and the People’s Liberation Army (PLA).
The movie itself is OK. It’s not bad. It’s not great. Rather, it’s just the kind of action mish-mash that’s punctuated by the occasional gunfight, explosion and hyper-violence so common today. And to me, therein lies the film’s biggest problem: it struggles for the most part to get past the gimmick.
However, Hollywood has long needed a better depiction of hacking. Previous attempts, like cult-classic, Hackers, paint today’s largest national security concerns as the flamboyant tricks of the keyboard enacted by unrealistically eclectic personalities. This is not accurate. Nor is it the ethereal realm that Computer Man exists in. The very fact that Blackhat looks at hacking as a real thing with real-life consequences puts it miles ahead of Hollywood’s other fantastical depictions of the cybersecurity industry.
So let’s start with what Blackhat does right: it both explains and gives context to cybersecurity issues with considerable accuracy. Its overall premise, that a hacker can remotely cause a nuclear power plant to explode and manipulate stock exchanges, though a bit too cartoonishly evil, is solid. These things are indeed possible, and they have real life examples (though, thankfully, without nuclear radiation).
Its depiction of how hackers operate—that is, re-tooling older variations of malicious software, or malware, for other uses—is also spot on. The movie gives reasonable explanations about malware programs, like Remote Admin Tools (called Remote Access Tools in the film—but we’ll let that one slide) a.k.a. RATs and how they can affect Programmable Logic Controllers (PLCs) that most everyone can understand. Even in this case, I think the producers used a RAT instead of the more likely worm because it had more Hollywood panache. However, there is a scene where a piece of malware, most likely a RAT, is controlling a camera in a restaurant.
Where the movie continues to miss the mark: is most glaringly in the discrepancies of how technical accuracies are implemented. For example, a single hacker causing a turbine to spin out of control and a nuclear power plant to explode tiptoes on the edge of being implausible. Destruction like that has been done (again, not on a nuclear explosion level), but it took a very specialized, likely state-sponsored malware called STUXNET to do so. It is not something a single hacker could pull off without being detected first.
Here’s another example: our anti-hero (played by Hemsworth) needs to hack the National Security Agency (NSA) to repair a heavily damaged hard drive to find the criminal’s location.
He hacks the NSA through what’s known as a spear phishing attack—a targeted attack through email, often containing a malicious link or file. Posing as an NSA employee, he sends a .PDF document with a keylogger payload to another mid-level employee who has access to the fictional ‘repair program’ he requires. There are a few things that are questionable with this premise, many of which have to do with the access the NSA would hypothetically allow to what is supposedly a ‘super-secret memory repair system.’
Yet, the biggest complaint that I can levy against Blackhat by far is its depiction of time. It’s disorienting. One moment you’re in L.A., the next, Hong Kong, after that, Jakarta. It’s hard for a viewer to get a grip on how long who is where. It neglects time as a crucial element in security. Sizeable hacks like those encountered in the film can take a long time to implement.
In another example, our hero needs to hack into a bank’s financial servers to do what he was ultimately sent to jail for: to steal money. He does so by using a social engineering attack—an approach that uses social networking sites, text messages and, like in the movie, physical USB keys to trick victims into giving access to a secure network—on an on-duty security guard. Okay, that’s reasonable. But again we run into a problem: just because you gained access to a PC stuffed under a security guard’s desk does not mean you have immediate access to a bank’s financial servers. In the real world, even a well-trained cyber army takes months, even years, to map and mine a massive network. And that’s before they even think of attacking. In the film, the task took but a few hours.
I could go on, but by now I think you get the point: Yes, the movie is technically correct in a lot of instances—especially how hacking is used more as a forensic ‘follow the breadcrumbs’ tool than a mythical do-all—but it misses the mark when it comes to the process of hacking. And hacking is very much a process.
In truth, hacking is boring. It’s wearisome. It takes time, lots of it. Hacking is powerful, but it is not magic.
Regardless of the details above, I do like Blackhat. It raises awareness around a serious national security issue through the best medium possible, pop culture, and it does so in a responsible way. Blackhat is a refreshing take on an industry that’s easily misunderstood. And really, that’s all anyone can ask.