In USA Network's "Mr. Robot," a disaffected cybersecurity worker teams up with a group of Internet anarchists calling themselves "fsociety" to take on giant corporation E Corp. Or, as the hacktivists dub it, Evil Corp. This week's premiere of the show's second season brought that conflict to new heights with an all-out attack on the fictitious company's computers.
The plotline might be high drama, but the hacking techniques are real. That's in part because the show's creator, Sam Esmail, and the writers rely on consultants like Ryan Kazanciyan and Andre McGregor of cybersecurity firm Tanium to keep things accurate. Kazanciyan, who is chief security architect at Tanium, specializes in breaking into computer systems to find their weaknesses. McGregor, director of security at Tanium, formerly worked with the FBI responding to intrusions on government computers.
The two say they've been thrilled to see their technical tweaks keep the show realistic. They also hope the compelling story line will get regular people to start paying attention to the security of personal data and to push government officials and companies to act.
CNET spoke with McGregor and Kazanciyan about the value of making hacking simple enough for TV and why they had their fictional hackers use ransomware to take on Evil Corp.
Q: In "Mr. Robot," you're balancing storytelling with realism, and hacking can be complicated. What are some of the hardest things to portray?
Kazanciyan: The amount of time and research and planning that go into targeted attacks. There's usually weeks of planning, of reconnaissance, of examining your target and figuring out exactly what your approach is going to be. And then there's a lot of trial and error where the first 10 or 15 things you try might fail in some way. That exploration needs to get simplified down to a quick scene with a couple seconds of on-screen activity.
McGregor: You're told, This is the hack that we want to do. We need to develop the actual command-line prompt, and you only have three seconds of time that it'll be on air.
What value do you think dramatizing hacks has in educating viewers?
Kazanciyan: The reality of today's zeitgeist is a hack is in the news every day or every week. If it's Ashley Madison or the Democratic National Committee or Sony Pictures or a hospital being shut down because of ransomware, the story lines are inescapable. The important thing to realize is that everyone has data of value to someone with a nefarious use for it. That awareness of exposure can help inform smart decisions about what you do online. And in the corporate world, it's top of mind for every single executive and every single member of a board of every company now. No one wants to be the next ones in the headlines.
McGregor: To have a show that can dramatize it in a way to make it personal gives a bit more ownership to viewers, so they don't feel like they're numb to hacking anymore. If I could get every member of Congress to watch "Mr. Robot," I think we would finally have the level of government cooperation and research that we need in cybersecurity.
Is there a danger of overwhelming people with how scary hacking is and making them tune out?
Kazanciyan: One of the things that makes the show work is that hacking is a core part of how the story drives forward, but it is not the whole story. The story lines, independent of the technical side, resonate with a lot of people. One of those things in the show is this theme of independence, an antiestablishment tone, that has obviously been an undercurrent in our political discourse for quite a while. It's very real to people. Those elements of the story end up being compelling and real, wholly independent of the hacking side.
McGregor: If we can get everyday, average citizens to realize that you want to ask those questions of companies where you're doing businesses -- how are you protecting my data? -- then everyone wins.
When you think about your friends and family who aren't cybersecurity experts, what are some of the biggest things you'd want them to take away from "Mr. Robot"?
McGregor: Update, update, update software. Every exploit that we show on "Mr. Robot," as well as the ones that are being used by criminals today, leverages vulnerable applications. So instead of clicking, "Remind me later," or trying to disable automatic updates to Flash and Java, have those set to automatically update. Don't think about it; just do it. That will make you a lesser target. You are no longer a low-hanging fruit.
Kazanciyan: In season one, there's a scene where Elliot is first getting into Tyrell Wellick's email, and he talks about how Evil Corp is vulnerable to Shellshock. It was a very publicized vulnerability that, by the time the show came out, had been out for a while. Someone I was watching with was saying, "Yeah, I don't know if I believe that a high-tech company like Evil Corp would still be vulnerable to something that high profile." And I just chuckled. That's incredibly realistic. Attackers don't need to use the best card in their deck.
The show featured a ransomware attack in the season two premiere. That kind of attack has become a huge problem over the past few months. Did you and the show creators know that was going to happen when you planned the scenes?
McGregor: We had a completely different hack for that scene. The scene setup was, we want to have a major impact where we take down the computers of the Bank of E. We had designed that back in January, and then Ryan and I were both at [major cybersecurity conference] RSA and I got a phone call from [writer Kor Adana] to walk through the hack. We realized that what we had decided to do was no longer feasible.
So, I'm with Ryan. We're at a sushi restaurant in San Francisco, and I'm like, OK, I need to get this to Sam in the next hour. And Ryan's like, "We should do ransomware. It's topical, happening right now in front of everybody." Sam said, "Great, get me something in an hour." It was like, "I'm eating at Blowfish right now! This is some of the best sushi in San Francisco!" So, the brainchild of sushi, we turned it in that night.