Hackers stalk TV networks

Cybercriminals target broadcasters up to 1,000 times a day. Raymond Snoddy investigates the growing threat.

A large broadcasting symposium will be held in New York at the beginning of next month, but the state of TV drama, the rise of Netflix or the impact of mega-mergers on the media landscape are unlikely to be mentioned.

This symposium, called by the North American Broadcasters Association (NABA), is devoted entirely to the growing threat that broadcasters around the world face from cybercrime and the hacking of their networks.

It is the highest-profile assessment of the current state of risk to be organised by the industry, and a sign of increasing alarm. Alongside speakers from the US networks and the European Broadcasting Union (EBU), the gathering will be addressed by Phyllis Schneck, deputy under secretary for cybersecurity and communications at the US Department of Homeland Security.

Also speaking will be Shawn Henry, President of CrowdStrike, the company that in June traced the hack – and leak – of sensitive documents from the Democratic National Committee in the US back to Russia.

Alexis Renard, a senior technologist from TV5Monde, will tell of the devastating 2015 attack on the French broadcasting network.

“The issue has kind of been sitting in the weeds for the past four or five years. It is now a pressing issue, a serious threat,” says Michael McEwen, Director-General of NABA.

Broadcasters are now facing attemp­ted hacks on their systems daily; ­McEwen claims they come in the thousands. The vast majority are little more than a nuisance, carried out by the curious or by recreational hackers.

A small number are much more professional and deadly serious. These cyberattacks could severely damage a major media organisation, as with those on Sony Pictures Entertainment two years ago and TV5Monde last year. The latter came close to destroying the station.

In the case of Sony, a hacker group calling itself the Guardians of Peace penetrated the company’s IT system. It gained access to everything from employee records, salaries and information about contracts to unreleased films. Famously, these included The Interview, a comedy about a plot to assassinate the North Korean leader Kim Jong-un.

Threats were made to carry out terrorist attacks on any cinemas showing the film. As a result, Sony cancelled the premiere and The Interview went straight to digital release, combined with a limited number of theatrical screenings. US security agencies concluded that the cyberattack had been organised by North Korea – which denied any responsibility.

Any large corporation could have suffered the fate of Sony, but what happened to TV5Monde has caused greater alarm among broadcasters. There, the broadcasting system itself came under a sophisticated attack that may have been planned for months.

New details have emerged recently of how all 12 channels of TV5Monde were taken off air on 8 April 2015 by a group calling itself the Cyber Caliphate. Staff had been celebrating the launch of a new channel when news came through that the station’s channels were disappearing.

Yves Bigot, Director-General of TV5Monde, recently told BBC security correspondent Gordon Corera: “It’s the worst thing that can happen to you in TV. We were a couple of hours from having the whole station gone for good.”

If the entire system had been corrupted there was a danger that satellite channels distributed by TV5Monde might have cancelled their contracts.

Because of the launch, engineers were on the premises that evening. One found the machine where the attack was taking place and disconnected it from the internet.

After the attack, TV5 employees had to return to using faxes for months. Even now, with the station reconnected to the internet, all external emails have to be rigorously authenticated. Bigot fears that the station will never be the same again.

The ‘Cyber Caliphate’

Security investigators believe the “Cyber Caliphate” claim was designed to provide cover for the true perpetrators, a Russian group of hackers. Their motive is not obvious, but British security analysts suggest it may have been a case of testing methods of cyber­warfare. These could be aimed at broadcasting networks anywhere ­during times of international tension.

Simon Fell, the EBU’s director of technology and innovation, says that the TV5 hack “was a wake-up call to those who haven’t already woken up to these things”. While the cyber threat is real, Fell believes that there is no need to panic. Most broadcasters are very well aware of the danger.

The kind of anti-penetration tests that were usual in IT departments are now being carried out in transmission or broadcasting technology departments.

There is so much at stake that many companies have been appointing chief information security officers (CISOs). These employees often have board-level access. This is something that simply would not have happened in the immediate past. One of the sessions at the New York symposium features a panel made up entirely of CISOs.

“Security is being taken extremely seriously at board level. Broadcasters have been slow to catch up but they are doing so now,” believes Fell.

Peter Collins, a media cybersecurity specialist, agrees that the main broadcasters are very much aware of the threat. He believes that it is best to be proactive, rather than wait for a serious attack to occur before taking action.

“You have to keep assessing potential threats in advance,” says Collins, “and keep up to date with what is happening in the world and learning from that. Global awareness is now necessary.”

For understandable reasons, broadcasters are reluctant to discuss their anti-cyberattack measures in any detail. All that the BBC will say is that the corporation is well aware of the dangers; full-time staff are devoted to protecting the integrity of its networks.

The embarrassment would be crippling if, for example, one of the BBC’s UK TV channels were taken down by hackers. More speculatively, what if a channel were erased and replaced by Islamic State propaganda videos?

Worse still are the business implications of criminals successfully penetrating encrypted pay-TV channels. Sky has an entire department devoted to protecting the integrity of its encryption systems. Ultimately, the satellite broadcaster’s multi-billion-pound business rests on these arrangements.

The economic impact of cybercrime is one of the reasons for the high level of concern from the US Department of Homeland Security, and the UK’s GCHQ. Increasingly, broadcasting, in all its forms, is seen as a critical utility that must be protected.

Very unusually, two “civil servants” from GCHQ came to speak under Chatham House rules (that is, off the record) at the Society of Editors’ recent annual conference in Carlisle.

Although serious crime has been part of GCHQ’s remit for some time, most of its surveillance has been directed towards foreign states and terrorist targets.

Now cybercrime is very much on its agenda, including the protection of all significant state and commercial communication networks in the UK. Official concern about the threat of cyber­attacks has grown over the past year. A new National Cyber Security Centre (NCSC) has just opened in London under the leadership of Ciaran Martin, previously Director-General of Cyber at GCHQ. According to GCHQ, the UK faces “a growing threat of cyberattacks from states, serious crime gangs and hacking groups, as well as terrorists. The NCSC will help to ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online.”

At the Society of Editors conference, one security specialist was asked about possible attacks on broadcast networks. “If someone was able to take a broadcaster offline, and essentially challenge one of our rights to free speech, that would not be the right outcome,” was the understated reply.

It is clear that GCHQ is interested in helping to protect the security and integrity of networks carrying every­thing from Olympics results to financial and markets information.

Helen Stevens, director of broadcast operations at ITV, chairs the UK’s Digital Production Partnership (DPP), which links UK broadcasters, distributors and equipment suppliers. She says that, with the growth in web–connected services and IP-driven production, broadcasters needed to focus on protecting their content “from increasingly frequent cyberattacks”.

But what can be done specifically about the daily threats that broadcasters face?

Last year, the DPP formed a strategic alliance with NABA to tackle cyber­attacks. And, in September, the alliance issued recommendations on best practice. The objective is to help manufacturers come up with products in line with the best cybersecurity standards and that are fit to be integrated into broadcasting facilities. The overall aim is to harden both IT and broadcast departments against attack.

Steve Plunkett, Ericsson’s chief technology officer for broadcast and media services, warns that all stages in the broadcast chain, from programme development to the point of transmission, must be designed to be robust and resilient and they must be properly tested.

Mark Harrison, the DPP’s Managing Director, notes that broadcasters have, in the past, complained that manufacturers have been reluctant to build security into their equipment. It might slow performance and put them at a competitive disadvantage. This is no longer the case.

“The other key thing that a lot of people are talking about is how to rid ourselves of hubris,” says Harrison. “We must be prepared to admit that we have been attacked and breached, and find a way of exchanging this information for mutual benefit – and to do it quickly.”

Industry-wide system

The DPP chief hopes, following the New York symposium, to see this kind of industry-wide system set up. He adds: “We need to create a neutral space in which people feel they can safely share their experiences and, over time, create an early-warning system.”

Harrison notes that the big players in broadcasting are already monitoring cyber activity in real time for themselves and their clients. But, he asks, “How do we make that more effective internationally and how do we collectively get the benefit of it?”

McEwen at NABA is realistic about the ability of broadcasters to deal with the most determined professional hackers.

“We know we won’t be able to stop the most serious hacks. What we want to do is mitigate the damage,” he says.

McEwen believes that most broadcasters have managed to create defensive trenches in the war against the new cyber enemy.

He hopes that, by staying alert, they will be as safe as they possibly can be in the trenches.

This article was first published in Television, the magazine of the Royal Television Society.