King’s Research Portal DOI: https://doi.org/10.1007/978-3-030-42653-8_18 Link to publication record in King's Research Portal Citation for published version (APA): Vigano, L. (Accepted/In press). Explaining Cybersecurity with Films and the Arts. In Imagine Math 7 Springer Nature Switzerland AG. https://doi.org/10.1007/978-3-030-42653-8_18 Citing this paper Please note that where the full-text provided on King's Research Portal is the Author Accepted Manuscript or Post-Print version this may differ from the final Published version. If citing, it is advised that you check and use the publisher's definitive version for pagination, volume/issue, and date of publication details. And where the final published version is provided on the Research Portal, if citing you are again advised to check the publisher's website for any subsequent corrections. General rights Copyright and moral rights for the publications made accessible in the Research Portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognize and abide by the legal requirements associated with these rights. •Users may download and print one copy of any publication from the Research Portal for the purpose of private study or research. •You may not further distribute the material or use it for any profit-making activity or commercial gain •You may freely distribute the URL identifying the publication in the Research Portal Take down policy If you believe that this document breaches copyright please contact [email protected] providing details, and we will remove access to the work immediately and investigate your claim. Download date: 04. Oct. 2021 Chapter 1 Explaining Cybersecurity with Films and the Arts Luca Viganò Abstract There are a large number of movies, TV series, novels, short stories and even plays about cybersecurity and, in particular, about hackers. Some are good, some are so-so, most are frankly quite bad. Some are realistic, most make cybersecurity experts cringe. In this paper, I discuss how a number of basic cybersecurity notions (and even several advanced ones) can be explained with the help of some well-known popular movies and other artworks, and some perhaps less obvious ones. I focus in particular on anonymity, pseudonymity and authentication, but similar explanations can be given for other security properties, for the algorithms, protocols and systems that have been developed to achieve such properties, and for the vulnerabilities and attacks that they suffer from. 1.1 Introduction Inspired by the Explainable Artificial Intelligence (XAI) program of the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, Daniele Magazzeni and I proposed a new paradigm in security research: Explainable Security (XSec). In [36], we discussed the “Six Ws” of XSec (Who? What? Where? When? Why? and How?, as summarized in Fig. 1.1) and argued that XSec has unique and complex characteristics: XSec involves several different stakeholders (i.e., the system’s developers, analysts, users and attackers) and is multi- faceted by nature, as it requires reasoning about system model, threat model and properties of security, privacy and trust as well as concrete attacks, vulnerabilities and countermeasures. We defined a roadmap for XSec that identifies several possible research directions. In this paper, I address one of these directions. I discuss how a number of basic cybersecurity notions (and even several advanced ones) can be explained with the Luca Viganò Department of Informatics, King’s College London, London, UK, e-mail: [email protected] 1 2 L. Viganò Who gives the explanation? Who receives the explanation? How to explain security? Who? What is explained? How? What? Explainable Security (XSec) Why? Where? Why do we need XSec? Where is the explanation? When? When is the explanation given? Fig. 1.1: The Six Ws of Explainable Security (from [36]) help of some well-known popular movies and other artworks, and some perhaps less obvious ones. I focus in particular on anonymity, pseudonymity and authentication, but similar explanations can be given for other security properties, for the algorithms, protocols and systems that have been developed to achieve such properties, and for the vulnerabilities and attacks that they suffer from. In [36], we gave a detailed list of who gives the explanations but also who receives them, and pointed out that the recipients of the explanations might be varied, ranging from experts to laypersons; in particular, non-expert users will need to receive an explanation of how to interact with a security system, why the system is secure and why it carries out a particular action. To that end, it will be necessary to explain the security notions, properties and mechanisms in a language, and in a way, that is understandable by the laypersons and does not scare them off. In practice, however, users are rarely given such explanations and thus end up being frustrated and disillusioned by security systems, which might lead them to making mistakes that turn the systems into systems vulnerable to attacks. Clear and simple explanations with popular movies and the arts allow experts to target the laypersons, reducing the mental and temporal effort required of them and increasing their understanding, and ultimately their willingness to engage with security systems. One way to do that would be to refer to the myriad of movies, TV series and books about hackers and cybersecurity in general, some of which are quite realistic in their depiction of cyberattacks (e.g., Sneakers [28], Live Free or Die Hard [40], The Girl with the Dragon Tattoo [25, 14], Mr. Robot [13]), some are more, let’s say, 1 Explaining Cybersecurity with Films and the Arts 3 “inventive”, giving hackers and code breakers almost superhero-like abilities (e.g., Fortress [15], The Net [39], Hackers [33], Swordfish [31] as well as Independence Day [12] in which humans are able to log into the network of the alien ships and infect them with a computer virus, as a fairly unrealistic reference to the way in which Martian invaders are killed by an onslaught of earthly germs in the 1898 novel The War of the Worlds by H.G. Wells [38], famously adapted for the radio by Orson Wells in 1938 and for the screen by Steven Spielberg and many others). In future work, I plan to conduct studies and surveys to quantify to what extent such quite technical movies can help in explaining cybersecurity to laypersons. My feeling is that these movies are mainly aiming to stimulate sympathy in a young and nerdie, tech-savvy audience and at the same time elicit a “wow” response in the non-expert audience. That is, they are trying to impress (and to advance the plot and our recognition of the hero(s) as the special one(s)), rather than trying to make the audience understand. In this paper, I will instead take a different approach and focus on popular movies and artworks, where cybersecurity is not the main theme or plot keyword, and show how even these can be used to explain cybersecurity notions. 1.2 Security properties explained Picture this. A battlefield, 71 B.C. The Roman soldiers have crushed the revolt of the gladiators and slaves led by Spartacus. Many of the rebels have been killed in the battle, while Spartacus, his right-hand man Antoninus and the other surviving rebels have been captured and are sitting in chains on a hillside. There is just one catch: the Romans don’t know who Spartacus is. So, the Roman general addresses the prisoners: “I bring a message from your master, Marcus Licinius Crassus, commander of Italy. By command of his most merciful excellency, your lives are to be spared. Slaves you were and slaves you’ll remain, but the terrible penalty of crucifixion has been set aside under single condition that you identify the body or the living person of the slave called Spartacus.” A beat. Spartacus stands up and opens his mouth to speak, but Antoninus (who was aptly sitting at Spartacus’ right) leaps to his feet and shouts “I’m Spartacus!”, quickly followed by the slave to Spartacus’ left. To the bewilderment of the real Spartacus and of the Roman general, soon each of the prisoners around Spartacus is insisting “I’m Spartacus!” (well, actually, everyone except Spartacus himself). This is probably the most famous scene of the movie Spartacus [19] and the original novel by Howard Fast contains a similar narration, but the script by Dalton Trumbo and the mise-en-scène by Stanley Kubrick turned it into a crisper and more powerful scene.1 1 So powerful that it has been imitated, referenced or parodied in several other movies, TV shows and even advertisements, such as in the “O Captain! My Captain!” scene in Dead Poets Society [37] although the reason for which the students climb on their desks is quite different from that of Spartacus’ rebels as the students want to salute their English teacher, Professor Keating, who has 4 L. Viganò What just happened? In order to protect Spartacus, Antoninus and the other prisoners have created what in technical terms is called an anonymity set: given that all the prisoners are claiming to be Spartacus, it is impossible for the Romans to identify who is the real Spartacus. In other words, Spartacus is anonymous as he is not identifiable within the set of the prisoners. One can of course give a formal definition of anonymity [26] — and this is what one would do in front of an expert audience, say in a talk at a conference or in a univer- sity lecture on cybersecurity – but the point here is that even non-specialists immedi- ately understand what Antoninus and the other prisoners are doing and why.