Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

How TV gets cyber wrong

Hackers and cyber attacks feature in many films and television programmes, but are these portrayals accurate? Hecham Mrabet, cyber security specialist at NHS Digital, gives us a behind-the-scenes look at how a cyber security centre runs in real life.

Cyber security is fascinating, high-tech and critical to the world as we know it. However, the reality is often very different to how it is portrayed in movies and television.

As intriguing as it looks, green characters cascading down a black screen only happens in films like The Matrix. At NHS Digital, we have six large screens with dashboards on a big wall and a couple of monitors on our desks – it’s high tech, but it’s not the Minority Report.

Here’s a few more examples of when television and movies got cyber wrong – and what actually happens in a cyber security centre.

A computer hacker sat in front of a screen, yesterday

Two people on one keyboard spells disaster, not success

One of the most ridiculous portrayals of cyber security experts comes from the TV show NCIS. As soon as the characters see that hackers have broken through the NCIS firewall, two of them jump onto one keyboard. I imagine nobody has ever successfully typed an email – never mind stopped a cyber-attack – by inviting someone else to type with them simultaneously on the same keyboard.

As silly as this example is, cyber security is a collaborative process. We work closely with health and care organisations to provide a range of specialist services so they are prepared and ready to respond to cyber threats. These services include a cyber security support model, assessment and support, and threat advice and intelligence. We’re also promoting our Keep I.T. Confidential campaign to embed good cyber security habits as an everyday part of the behaviour of staff in health and care.

We also have a number of strategic partnerships. One of these relationships is with the National Cyber Security Centre (NCSC), who provide threat intelligence related to the health and social care sector and a key supporter to incident management when it becomes widespread. They also provide advice, guidance and best practice guides which help organisations, including NHS Digital, to strengthen their security posture.

The drama is rarely over in 30 seconds flat

For example, in the 2003 version of The Italian Job, one of the characters hacks into the traffic control centre in Los Angeles, takes control of the traffic lights in the city and causes chaos. Then, as quickly as the attack begins, it’s over.

In real life, our projects keep us busy over long periods of time. If it all happened like it did in the movies, we’d have very little to do in between dramatic cyber attacks.

We use threat hunting activities to proactively search through networks for cyber threats every day and apply blocks to ‘indicators of compromise’ (unusual activity or data that indicates a potential cyber attack).

Our early detection work helped prevent further infections to reduce the impact to the NHS estate.

The Cyber Security Operations Centre (CSOC) at NHS Digital has detected and blocked a number of malicious malware and trojans over the past few years using these techniques. Recently, we detected the TrickBot trojan, a powerful credential stealer originally developed in 2016 as a trojan for banking applications. Since its creation, TrickBot authors armed their malware with many additional capabilities (modules) that allow silent propagation across the network, evasion of anti-virus, and communication with command and control (C2) servers, to harvest and exfiltrate a range of sensitive data. Our early detection work helped prevent further infections to reduce the impact to the NHS estate.

It's not usually a smash and grab job

In Jason Bourne, an attacker seemingly ‘walks into’ the CIA’s computer system to steal data with little to no effort, downloading everything she needs in one go.

Real-life organised crime groups play the “long-game” – they generally use a slow-burner approach to remain undetected. Of course, this doesn’t create the high impact drama that viewers want to see on television or in the movies, but copying large volumes of data in one go is much too obvious.

We have to 'play by the rules' – everything we do needs to be legal and ethical. Criminals do not care about either of these things.

Real criminals know this, so they go for small amounts of data which could go unnoticed more easily. For example, they might start a phishing campaign which contains a malicious file that is downloaded on to an end user’s computer. It could sit dormant for weeks or months before someone takes a simple action, like opening a particular file, which then causes the malicious file to execute and either:

  • propagate a piece of malware across the network
  • lock you out of your infrastructure until a fee is paid (ransomware)
  • exfiltrate sensitive information to another location

How do we stop them? We also have a slow-burner approach at the CSOC. This is partly due to limitations in capability, visibility and resourcing – criminals spend all their efforts looking for one weakness to exploit, whereas we need to take a holistic view of the overall system. We also have to “play by the rules” – everything we do needs to be legal and ethical. Criminals do not care about either of these things.

Our team is full of highly-skilled personnel to provide protective monitoring. We have threat hunters that look for indicators of compromise each day, We also have a multi-view of the NHS estate which is fed into the Security Incident and Event Management Tool (SIEM), and end point protection (different from anti-virus software), a vulnerability management tool which scans against known vulnerabilities that have the potential to be exploited.

That's a wrap

Cyber security professionals are problem-solvers and investigators, and we do most our work behind the scenes to ensure the systems on which our patients and healthcare professionals rely on run safely and securely.

Read our other cyber security blogs by Dan Pearce and Charlotte Roe.


Related subjects

Cyber security still has an out-dated image of being a masculine profession. Charlotte Roe, Cyber Security Apprentice at NHS Digital, talks about her job and why women are needed in the world of cyber.
NHS Digital's Peter Robinson takes us through his journey from apprentice to professional within the Cyber Security team.


Last edited: 7 September 2021 12:37 pm