Tonight at the Los Angeles Film Festival, squeezed in between movies and red carpet events, a symposium on Cyber Security is being held at the Grammy Museum. It’s a topic that should be on everyone’s mind, and one that you’d think that Hollywood, in light of the infamous hack of Sony Pictures last year would be taking incredibly seriously.
Not so says security expert Ralph Echemendia, who will be presenting at the symposium and talking on the round table that follows. I spoke with Echemendia last week about how the big studios deal with what’s known as Operational Security (OpSec), and what he had to say shocked, but I can’t say completely surprised me.
My conversation with Echemendia started out with a story.
“A couple of years ago I went to speak at a conference that was specifically a Hollywood IT conference,” said Echemendia, “and security was part of the at conference. Interestingly they had a CIO panel and a CTO panel. So CIO’s, the Chief Information Officers of all the major studios, and then the CTOs—Chief Technical Officers—of every major studio. And it was the first time that the CTOs and CIOs had ever sat with each other. In the same place.”
My jaw dropped.
“Even from the same studio?” I asked.
“Yes,” said Echemendia.
Now if you’re not fully versed in the difference between a CTO and a CIO inside the studio system your jaw might not do what I did. Here’s the gist: CIOs are responsible for all the Information Technology infrastructure, everything from email to corporate intranet to that printer down the hall that never seems to have any blue ink. CTOs are concerned with the the technology that drives production and distribution of content.
“They look at technologies as disparate pieces of technology,” Echemendia said of the studios. “The technologies that are made to create content are different from the technologies that are used to operate.”
The past few years have seen more than just the infamous Sony hack—which dominated headlines this past winter and cost studio executive Amy Pascal her position. There have been compromises of big productions too—all those leaks of unfinished films and production assets come from somewhere. Sometimes that somewhere is a data breach.
Echemendia paints a picture of a house divided, with the studios seeing information security as a production company issue. If the filmmakers don’t want their work leaking ahead of time, the logic goes, they should put information security in the budget.
With that viewpoint firmly in mind, Echemendia says he talked with production companies.
“And their response was rather interesting, which is ‘Hey, it’s not our IP. We don’t own this intellectual property, we’re on;y being paid to create it. We’re not gonna put this in the budget, because if we have to take 100, 200, 300 thousand dollars—whatever it may be for that—then that’s 200 thousand dollars that we don’t have to make a movie. That’s how they see it.”
According to Echemendia the way that the studio system does business—it takes a lot of small contractors coming together to make a big movie—leaves holes in operational security. Little things like using personal emails and public services such as Dropbox can add up to big vulnerabilities. These can lead to leaks during production, which is one way we get everything from spoilers on Twitter to whole dumps of in-process films.
From what Echemendia has seen, the studios aren’t feeling the pain yet. He says executives are more concerned with piracy..
“But I see piracy as a post-distribution issue. How little interest there is in the pre-distribution aspect of this intellectual property blew my mind.”
Just what else is blowing Echemendia’s mind will be up for discussion at tonight’s Steed Symposium on Cyber Security. The event is open to passholders of the Los Angeles Film Fest.