Landslide

Held Hostage: Why Cyber Attacks against Film and Media Industries Are on the Rise

Keisha M. McClellan and H. Drew McClellan

Intellectual property (IP) theft is rapidly becoming a favored currency for cybercrime. The data breaches of financial and other sensitive information records of companies such as Equifax, Anthem, JPMorgan Chase, Merck, and the global shipping firm Maersk dominate news headlines and threaten to bring corporate America to its knees.1 According to the Organization for Economic Cooperation and Development, “U.S. brands and patents are more likely to be infringed than those of any other nation, making up as much as 20% of all goods seized in the global counterfeit trade.”2 This article examines a startling new trend in cybercrime: hackers are going beyond the theft of consumer data and financial information and now are holding the intellectual property of prominent film and media companies hostage. Why hackers are increasingly targeting media intellectual property on a global scale, why attorneys and the companies they represent should view avoiding these attacks as strategic risk management, and what approaches can ameliorate the impact of such inevitable hacking will be addressed.

Reliance on Digital Platforms and External Vendors Increases Vulnerability to Cyber Theft

With the increased frequency and scale of twenty-first-century piracy, film and media companies are particularly vulnerable. Technological advances enable media companies to achieve more output with less production expense, but such efficiencies create new access points for would-be hackers.3 Ironically, technological innovations that transformed the film and media industries have also lowered the barrier to safeguarding intellectual property. Digital cameras enable photographers and directors to shoot footage for longer hours with less outlay: tape and film stock expenses substantially decrease with the use of digital photography equipment. Additionally, digital editing systems and software create new efficiencies by storing huge quantities of content in a digital format. But this means the prized content of a studio is being stored on a platform that may be easily compromised.

Further, studios’ age-old production model of partnering with external experts in areas such as special effects, graphics, and audio mixing creates additional nefarious opportunities for cyberattackers. Cyber thieves hope that “lax network security at these vendors will allow easy access to content that they can hold hostage for a ransom.”4 Grady Summers, chief technology officer at information security firm FireEye, says, “Hackers have realized you might have a very well-funded security program at a Disney or Comcast, but if you step down the supply chain, you’re going to find a special effects crew or a sound editor who doesn’t have good security.”5

Film and media companies’ modern-day reliance on digital technology and external creative increase their susceptibility to IP theft. Digitalization of the industry may carry the benefits of time and cost efficiency, but it also carries the burden of increased risk of cyberattacks. Years ago, would-be content pirates required actual physical access to a rough-cut of a pilot or movie to do damage. But that is not the case now. By example, when a group known as “thedarkoverlord” hacked and released 10 new episodes of Netflix’s popular series Orange Is the New Black on the media-sharing website Pirate Bay, industry insiders worried which network would be next as the hackers teased on Twitter, “Oh, what fun we’re all going to have.”6 In its statement regarding the hacking, Netflix noted that “[a] production vendor used by several major TV studios had its security compromised.”7

The Pool of Potential Cyber Thieves Is More Diverse

The digital world of content collection and storage has democratized the IP threat. Film and media intellectual property face cyber threats from a myriad of bad actors. Cyber thieves can compromise a media company’s system with fewer resources than were required in the past, because a satchel of money to bribe executives or an elaborate physical intrusion plan is no longer needed. This means that cybercriminals can operate as part of an elaborate criminal network or a small or solo operation from many remote corners of the world. In sum, technological innovations can lower the barrier of cybercrime deterrence.8

In their New York Times op-ed piece, Dennis C. Blair and Keith Alexander lament that “intellectual-property theft costs America up to $600 billion a year,” and that “China accounts for most of that loss.”9 A string of embarrassing hacks of social media accounts for the CEOs of Facebook, Google, and Uber by OurMine has purportedly linked back to a Saudi Arabian teenager.10 And for North Korea, ultimately linked to the notorious Sony hack of 2014 and the 2017 global ransomware attack called WannaCry, cybercrime is “an almost perfect weapon for a Pyongyang that is isolated and has little to lose.”11 Thus, from foreign nation-state hackers to lone cyber wolves, IP theft has the dubious distinction of potentially leveling the playing field between lesser-resourced criminals and corporate America.

IP Theft Is Valuable and Easy to Commit in the Digital Age

The film and media industries’ deep financial pockets and the contemporary ease of stealing and ransoming content hint as to why these industries are increasingly more attractive to cybercriminals (see fig. 1). When asked why he robbed banks, infamous bank robber Willie Sutton replied, “Because that’s where the money is.”12 So, too, with film and media industries. The sheer size and influence of movie studios and media companies make their loss of content a significant loss financially and competitively with regard to other industry players. Film and media companies are desired targets because they are content powerhouses with global audiences. “The thieves are aiming for quality now, not quantity, and with Hollywood studios, especially those with massive fan bases, there’s a lot of potential for payments.”13 Plus, would-be cyber criminals can strike “without putting a lot of resources into their attacks, potentially making them worth a try even if they don’t have a high chance of success.”14

Intellectual property is primarily valuable for the rights it prohibits others from having. “Elusive as intellectual property boundaries are, the business value they secure is enormous,” says renowned IP expert, author, and Stanford Law professor Paul Goldstein.15 Because the film and media industry business model is defined by IP content, cyberattacks can threaten the very core of a studio’s brand reputation and livelihood: the devaluation of a media company can occur in the aftermath of a high-profile breach incident. For instance, “Verizon reached new terms for its acquisition of Yahoo and exacted a $350 million discount toward its purchase price because of the Russian hacks.”16

The Technology or Motive Itself Can Serve as a Serendipitous Shield

At times, damage control from a breach incident can result surprisingly from a hacker’s lack of strategy. A hacker’s posting of unreleased episodes of a popular Netflix show had little effect because the pirated episodes were not easily accessible to the general public. In essence, if a show “lands on The Pirate Bay and nobody watches, did it really stream?”17 Additionally, sometimes a breach incident may be orchestrated to aid a company in discovering important vulnerabilities. OurMine, a group known for compromising the Twitter accounts of Facebook’s Mark Zuckerberg and Google’s CEO Sundar Pichai, claims its hacks have a positive purpose: “[W]e are just trying to tell people that nobody is safe.”18

Strategies for Addressing IP Cyber Theft Risk

With the rise of more frequent cyberattacks against film and media companies, three approaches are widely recommended: (1) remove the financial incentives, (2) fix the vulnerabilities, and (3) create an integrated legal and strategic framework.

Remove the Financial Incentives

Many advisors suggest that companies should decline paying the ransom: efforts should be made to remove the financial incentives for IP cyber theft. “Netflix could, for example, simply offer the stolen episodes for free as a ‘trial’ of their service,” Rick Holland, vice president at the digital risk management firm Digital Shadows, suggested.19 “While this isn’t an option for everyone who has had their data stolen, it can help to discourage future thefts by removing the financial incentive.”20 The thinking goes that with less incentive for a monetary windfall, cybercriminals will lose interest in hacking. While “paying money to a criminal is never a good idea,” a case-by-case assessment of what information is being held hostage and its value to the organization should guide the decision on whether to pay the ransom or not.21

Fix the Vulnerabilities

At bottom, it may be difficult to fix vulnerabilities, but it is critical to do so. For example, reducing breach access points by moving more supply-chain and production partnerships in-house can be financially and logistically infeasible. The increase in production costs could be unsustainable in the near-term, and the long-term cost of acquiring or developing in-house expertise in distinct areas could be financially risky. However, evaluating the security of potential third-party creative vendors such as graphic design firms and production companies should be a fundamental first step when considering working with external partners on a project. Alexander Heid, chief research officer at Security Scorecard, advises that studios need “visibility into the info ecosystems of their partners. They need to look at what their partners’ networks are like.”22

Moreover, creating internal processes that warn employees and executives of the dangers of phishing plots can be a priceless preemptive move. To this point, in September 2017, music video site Vevo suffered a breach that included office documents, videos, and even details about individual artists that originated from a phishing scam on LinkedIn.23 And of course, regular and sustained security improvements of digital software and computer systems throughout the company should consistently be a priority in an industry whose heartbeat survives on digital photography, editing, and storage.

Create an Integrated Legal and Strategic Framework

Rather than take an ad hoc, single-event approach to IP cyber theft, film, media, and entertainment executives and the legal profession would be prudent to strategically manage risk. In treating potential IP cyberattacks as systemic risk with legal implications, several benefits may accrue:

  • Better formulated and executed responses to cyberattacks;
  • More appropriately focused organizational resources relating to cyber risks;
  • More creative strategies, proactive responses, and initiatives regarding cyber risks; and
  • Lower financial shocks and enterprise risks.

Figure 2 describes four, but certainly not all, of the critical elements that a strategic approach to managing cyber risk in the film and media industries should minimally encompass. As shown, initiatives to proactively identify and quantify the cyber risks that film and media companies face are a starting point and minimum imperative. These steps are paramount precursors to development of operational, strategic, and legal plans to both deter and mitigate the impact of cyber theft and ransom attempts. The recommendations of legal counsel can be invaluable in analyses and decisions about contractual partnership terms with creative vendors, due diligence regarding vendors’ security capabilities, proactive response strategies for ransom demands, and scenario development around potential litigation.

Conclusion

In light of the complexity and range of potential impacts of cyber theft in film and media, elevating the perspectives of legal counsel and decision makers within the creative production process will be imperative going forward. The challenge is not only technological but also a strategic issue that requires an integrative approach to fuse legal and managerial perspectives. On the managerial side, this will necessitate that executives include legal counsel early and often in operational, production, and cybersecurity planning to benefit from the expertise attorneys provide in crisis and risk-averse management.

Further, legal counsel would be well advised to develop an understanding of the operational and managerial activities that are particularly sensitive and/or vulnerable to cyber intrusions in the early phases of production. A representation of this new integrative approach and role for legal counsel is presented in building block form in figure 3. As shown, the foundation for the new role is engagement in the earliest stage of IP-infused projects and engagement throughout the process, to include consideration of how to respond to breach incidents when they come, not if they come. This approach will be critical for the future of film and media studios’ financial sustainability as IP cyberattacks continue to rise.

Endnotes

1. Jordan Novet, Shipping Company Maersk Says June Cyberattack Could Cost It up to $300 Million, CNBC (Aug.  16, 2017), https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html.

2. Mark Elliot, Why the US Can’t Afford to Fall Behind in Intellectual Property Enforcement, Forbes (Apr. 17, 2017), https://www.forbes.com/sites/realspin/2017/04/17/why-the-us-cant-afford-to-fall-behind-in-intellectual-property-enforcement/.

3. Hacking in Hollywood: Why the Industry Needs to Shore Up Security, Knowledge@Wharton (Aug. 11, 2017), http://knowledge.wharton.upenn.edu/article/hbo-hack-and-internet-security.

4. David Ng et al., Cyberattacks Once Again Roil Hollywood, but Can Anything Be Done about It?, L.A. Times, May 23, 2017, http://www.latimes.com/business/hollywood/la-fi-ct-hacking-disney-netflix-20170523-story.html.

5. Sandra Gonzalez, Are More Hollywood Hacks on the Horizon?, CNN (May 16, 2017), http://money.cnn.com/2017/05/16/media/hollywood-hacking-problem/index.html.

6. Nicole Perlroth & Matthew Haag, Hacker Leaks Episodes from Netflix Show and Threatens Other Networks, N.Y. Times, Apr. 29, 2017, https://www.nytimes.com/2017/04/29/business/media/netflix-hack-orange-is-the-new-black.html.

7. Id.

8. Sindhuja Balaji, Indian’s Transition to Digital Has Caused a Spike in Cyber Attacks, but They Can Be Fought, N.Y. Times, Sept. 19, 2017, https://www.forbes.com/sites/sindhujabalaji/2017/09/19/indias-transition-to-digital-has-caused-a-spike-in-cyber-attacks-but-they-can-be-fought/.

9. Dennis C. Blair & Keith Alexander, China’s Intellectual Property Theft Must Stop, N.Y. Times, Aug. 15, 2017, https://www.nytimes.com/2017/08/15/opinion/china-us-intellectual-property-trump.html.

10. Joseph Bernstein, This Saudi Teen Is Probably Behind the Hacks of Dozens of Tech CEOs and Celebrities, BuzzFeed (Oct. 4, 2016), https://www.buzzfeed.com/josephbernstein/this-saudi-teen-is-probably-behind-the-hacks-of-dozens-of-te.

11. David E. Sanger et al., The World Once Laughed at North Korean Cyberpower. No More, N.Y. Times, Oct. 15, 2017, https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html.

12. Famous Cases & Criminals: Willie Sutton, FBI, https://www.fbi.gov/history/famous-cases/willie-sutton (last visited Jan. 15, 2018).

13. Alfred Ng, HBO’s “GoT” Attack Shows Hackers Love Preying on Hollywood, CNET (Aug. 12, 2017), https://www.cnet.com/news/hbos-got-attack-shows-hackers-love-preying-on-hollywood.

14. Lily Hay Newman, High-Profile Extortion Hacks Aren’t Paying Off, Wired (May 18, 2017), https://www.wired.com/2017/05/high-profile-extortion-hacks-arent-paying-off.

15. Paul Goldstein, Intellectual Property: The Tough New Realities That Could Make or Break Your Business 1 (2007).

16. Michael Sulmeyer, What the Rise of Russian Hackers Means for Your Business, Harv. Bus. Rev. (May 12, 2017), https://hbr.org/2017/05/what-the-rise-of-russian-hackers-means-for-your-business.

17. Brian Barrett, That Orange Is the New Black Leak Was Never Going to Pay Off, Wired (May 1, 2017), https://www.wired.com/2017/05/orange-is-the-new-black-leak.

18. Andy Greenberg, Meet OurMine, the “Security” Group Hacking CEOs and Celebs, Wired (June 27, 2016), https://www.wired.com/2016/06/meet-ourmine-security-group-hacking-ceos-celebs.

19. Daniel Bukszpan, Disney Hacking Shows Why Companies Shouldn’t Succumb to Digital Blackmail, Experts Say, CNBC (May 21, 2017), https://www.cnbc.com/2017/05/21/disney-hacking-shows-why-companies-shouldnt-succumb-to-digital-blackmail-experts-say.html.

20. Id.

21. Elle Hunt, Don’t Pay WannaCry Demands, Cybersecurity Experts Say, Guardian, May 15, 2017, https://www.theguardian.com/technology/2017/may/15/dont-pay-ransomware-demands-cybersecurity-experts-say-wannacry.

22. David Ng et al., supra note 4.

23. Mike Snider, Vevo Suffered a Huge Hack from a LinkedIn Phishing Scam, USA Today, Sept. 15, 2017, https://www.usatoday.com/story/tech/news/2017/09/15/vevo-plays-despite-hack-accessing-3-12-terabytes-internal-data/669749001.

Keisha M. McClellan

Keisha M. McClellan is the former head of creative for The Oprah Winfrey Show and an award-winning television producer. She is currently a second-year law student at Chicago-Kent College of Law with a deep interest in the intersection of intellectual property, digital media, and data privacy; a member of the Moot Court Honor Society; and a founding member of the Cyber Security and Data Privacy Society. She also holds an MA in broadcast journalism from the University of Missouri.

H. Drew McClellan

H. Drew McClellan is chair of the cinematic arts department at the renowned Los Angeles County High School for the Arts (LACHSA). He holds an MFA from the University of Southern California’s Graduate School of Cinematic Arts, has studied global media industries in Beijing, China, at Peking University/London School of Economics, and is an accomplished writer, director, and producer whose work has aired on Netflix and Viacom, as well as at the NYLA International Film Festival.