Cybersecurity in 007’s world

What do James Bond and his Secret Intelligence Service colleagues know about cybersecurity?

The recently released No Time to Die lowers the curtain on the Daniel Craig era. With that in mind, let’s run through all five of his Bond outings from a cybersecurity perspective — you’ll be shaken, but hopefully not stirred, by our findings. What unites the movies, aside from Craig himself, is a complete lack of understanding of cybersecurity basics by the movie’s MI6 employees.

Whether the oversight is deliberate (highlighting the outdatedness of Bond and the whole 00 section concept) or due to the incompetence of the scriptwriters and lack of cyberconsultants is not clear. Whatever the case, here’s a look at some of the absurdities we spotted in the films, in order of appearance. Spoiler alert!

Casino Royale

In Craig’s first Bond movie, we see the following scene: Bond breaks into the house of his immediate superior, M, and uses her laptop to connect to some kind of spy system to find out the source of a text message sent to a villain’s phone. In reality, Bond could only do that if:

  • MI6 does not enforce an automatic screen lock and logout policy, and M leaves her laptop permanently on and logged in;
  • MI6 does not enforce the use of strong passwords, and M’s passwords are easily guessable;
  • M does not know how to keep her passwords secret from her colleagues, or she uses passwords that were compromised.

Any one of these scenarios spells trouble, but the third is the most likely one; a little later in the story, Bond again logs in remotely to a “secure website” using M’s credentials.

Bond’s password attitude is no better. When he needs to create a password (of at least six characters) for the secret account that will hold his poker winnings, he uses the name of colleague (and love interest) Vesper. What’s more, the password is actually a mnemonic corresponding to a number (like the outdated phonewords for remembering and dialing numbers on alphanumeric keypads). It is effectively a 6-digit password, and based on a dictionary word at that.

Quantum of Solace

The least computerized of the last five Bond movies, Quantum of Solace nonetheless  includes a moment worthy of attention here. Early in the film, we learn that Craig Mitchell, an MI6 employee of eight years — five as M’s personal bodyguard — is actually a double agent.

Of course, that’s an old-school security issue rather than the cyber kind. However, M’s carelessness with passwords, as seen in the previous film, suggests MI6’s secrets may well be in the hands of cat-stroking supervillains the world over.

Skyfall

At the other end of the cyberspectrum lies Skyfall, the most computerized of the five. Here, information security lies at the very heart of the plot. The cybermadness is evident from scene one. For convenience, we’ll break down our analysis chronologically.

Data leak in Istanbul

An unknown criminal steals a laptop hard drive containing “the identity of every NATO agent embedded in terrorist organizations across the globe.” Even MI6’s partners do not know about the list (which moreover does not officially exist).

The very idea of such a drive is already a massive vulnerability. Let’s assume that the database is vital to MI6 (it is). What, then, was it doing in a safe house in Istanbul, protected by just three agents? Even if the drive is, as we’re told, encrypted and alerts MI6 of any decryption attempt?

Cyberterrorist attack on SIS

The first real cyberincident crops up a bit later: a cyberterrorist attack on the headquarters of the British Secret Intelligence Service. The attacker tries to decrypt the stolen drive — seemingly, according to the security system, from M’s personal computer. The defenders desperately try to shut down the computer, but the evildoers blow up the SIS building on the bank of the Thames.

The ensuing investigation reveals that the assailant hacked into the environmental control system, locked out the safety protocols, and turned on the gas; but before doing so, they hacked M’s files, including her calendar, and extracted codes that make decrypting the stolen drive a question of when, not if.

Let’s assume the alert from the stolen drive on M’s computer represented an attempt at disinformation or trolling (after all, the drive could not have been in the building). And let’s ignore questions about the building’s gas supply — who knows, maybe MI6 corridors were lit with Jack-the-Ripper-era gas lanterns; Britain is a land of traditions, after all.

In any case, hacking the engineering control systems is perfectly doable. But how did the engineering control systems and M’s computer — supposedly “the most secure computer system in Britain” — end up on the same network? This is clearly a segmentation issue. Not to mention, storing the drive decryption codes on M’s computer is another example of pure negligence. They might at least have used a password manager.

Cyberbullying M

The perpetrators tease M by periodically posting the names of agents in the public domain. In doing so, they are somehow able to flash their messages on her laptop. (There seems to be some kind of backdoor; otherwise how could they possibly get in?) But MI6’s experts are not interested in checking the laptop, only in tracing the source of the messages.

They conclude it was sent by an asymmetrical security algorithm that bounced the signal all over the globe, through more than a thousand servers. Such tactic may exist, but what they mean by “asymmetrical security algorithm” in this context is about as clear as mud. In the real world, asymmetric encryption algorithm is a term from cryptography; it has nothing to do with hiding a message source.

Insider attack on MI6

Bond locates and apprehends the hacker (a former MI6 agent by the name of Silva), and takes him and his laptop to MI6’s new headquarters, unaware that Silva is playing him. Enter Q: nominally a quartermaster, functionally MI6’s hacker-in-chief, actually a clown.

Here, too, the reasoning is not entirely clear. Is he a clown because that’s funny? Or was the decision another consequence of the scriptwriters’ cybersecurity illiteracy? The first thing Q does is connect Silva’s laptop to MI6’s internal network and start talking gobbledygook, which we will try to decipher:

  • “[Silva]’s established failsafe protocols to wipe the memory if there’s any attempt to access certain files.” But if Q knows that, then why does he continue to analyze Silva’s data on a computer with such protocols installed? What if the memory gets erased?
  • “It’s his omega site. The most encrypted level he has. Looks like obfuscated code to conceal its true purpose. Security through obscurity.” This is basically a stream of random terms with no unifying logic. Some code is obfuscated (altered to hinder analysis) using encryption — and why not? But to run the code, something has to decipher it first, and now would be a good time to figure out what that something is. Security through obscurity is indeed a real-life approach to securing a computer system for which, instead of robust security mechanisms, security relies on making data hard for would-be attackers to puzzle out. It’s not the best practice. What exactly Q is trying to convey to viewers is less than clear.
  • “He’s using a polymorphic engine to mutate the code. Whenever I try to gain access, it changes.” This is more nonsense. Where the code is, and how Q is trying to access it, is anyone’s guess. If he’s talking about files, there’s the risk of memory erasure (see the first point). And it’s not clear why they can’t stop this mythical engine and get rid of the “code mutation” before trying to figure it out. As for polymorphism, it’s an obsolete method of modifying malicious code when creating new copies of viruses in the strictest sense of the word. It has no place here.

Visually, everything that happens on Silva’s computer is represented as a sort of spaghetti diagram of fiendish complexity sprinkled with what looks like hexadecimal code. The eagle-eyed Bond spots a familiar name swimming in the alphanumeric soup: Granborough, a disused subway station in London. He suggests using it as a key.

Surely a couple of experienced intelligence officers should realize that a vital piece of information left in plain sight — right in the interface — is almost certainly a trap. Why else would an enemy leave it there? But the clueless Q enters the key without a murmur. As a result, doors open, “system security breach” messages flash, and all Q can do is turn around and ask, “Can someone tell me how the hell he got into our system?!” A few seconds later, the “expert” finally decides it might make sense to disconnect Silva’s laptop from the network.

All in all, our main question is: Did the writers depict Q as a bumbling amateur on purpose, or did they just pepper the screenplay with random cybersecurity terms hoping Q would come across as a genius geek?

Spectre

In theory, Spectre was intended to raise the issue of the legality, ethics, and safety of the Nine Eyes global surveillance and intelligence program as an antiterrorism tool. In practice, the only downside of creating a system such as the one shown in the film is if the head of the Joint Secret Service (following the merger of MI5 and MI6) is corrupted — that is, if as before, access to the British government’s information systems is obtained by an insider villain working for Bond’s sworn enemy, Blofeld. Other potential disadvantages of such a system are not considered at all.

As an addition to the insider theme, Q and Moneypenny pass classified information to the officially suspended Bond throughout the movie. Oh, and they misinform the authorities about his whereabouts. Their actions may be for the greater good, but in terms of intelligence work, they leak secret data and are guilty of professional misconduct at the very least.

No Time To Die

In the final Craig-era movie, MI6 secretly develops a top-secret weapon called Project Heracles, a bioweapon consisting of a swarm of nanobots that are coded to victims’ individual DNA. Using Heracles, it is possible to eliminate targets by spraying nanobots in the same room, or by introducing them into the blood of someone who is sure to come into contact with the target. The weapon is the brainchild of MI6 scientist and double agent (or triple, who’s counting?) Valdo Obruchev.

Obruchev copies secret files onto a flash drive and swallows it, after which operatives (the handful who weren’t finished off in the last movie) of the now not-so-secret organization Spectre break into the lab, steal some nanobot samples and kidnap the treacherous scientist. We already know about the problems of background checks on personnel, but why is there no data loss prevention (DLP) system in a lab that develops secret weapons — especially on the computer of someone with a Russian surname, Obruchev? (Russian = villain, as everyone knows.)

The movie also mentions briefly that, as a result of multiple leaks of large amounts of DNA data, the weapon can effectively be turned against anyone. Incidentally, that bit isn’t completely implausible. But then we learn that those leaks also contained data on MI6 agents, and that strains credulity. To match the leaked DNA data with that of MI6 employees, lists of those agents would have to be made publicly available. That’s a bit far-fetched.

The cherry on top, meanwhile, is Blofeld’s artificial eye, which, while its owner was in a supermax prison for years, maintained an around-the-clock video link with a similar eye in one of his henchmen. Let’s be generous and assume it’s possible to miss a bioimplant in an inmate. But the eye would have to be charged regularly, which would be difficult to do discreetly in a supermax prison. What have the guards been doing? What’s more, at the finale, Blofeld is detained without the eye device, so someone must have given it to him after his arrest. Another insider?

Instead of an epilogue

One would like to believe all those absurdities are the result of lazy writing, not a genuine reflection of cybersecurity practice at MI6. At least, we hope the real service doesn’t leak top-secret weapons or store top-secret codes in cleartext on devices that don’t even lock automatically. In conclusion, we can only recommend the scriptwriters raise their cybersecurity awareness, for example by taking a cybersecurity course.

Tips