HBO's hit series Game of Thrones is now history, but it will live on in the hearts, minds and social media interactions of its followers for some time to come. Before now the only thing GoT fans wanted besides a juicy spoiler was to know who would take the Iron Throne. How it all ended was something hackers spent significant time and effort trying to find out.
And while many (myself included) will continue to debate what the show "means," and will continue to speculate and analyze the significance of a misplaced coffee cup, I have for some time been more interested in the cybersecurity ramifications of a spoiler-free finale.
Because I own a cybersecurity firm and write about cyber issues every week, I tend to see most things through that lens. That said, I found it easy to draw a number of parallels (and/or object lessons) from the show's plot to the not-exactly-obvious realm of cybersecurity. (And, I am not alone at all.)
Consider the similarities: On the one hand, you've got a massive wall of ice that serves to protect the realm against hostile invaders and zombies defended by an underappreciated force of guardians who are doing all they can to hold the line. On the other, enterprise firewalls assailed by cyber-attackers and botnets, and there's an equally beleaguered staff tasked with keeping out the bad guys.
You don't need to be a GoT fan to grok the parallel. As for the implied cyber situation here, I was less concerned about the plot than I was with the production of that plot (specifically the protection of its secrets). GoT's finale was, rightly so, one of the most tightly-guarded secrets in the entertainment industry.
Without underestimating the lure of intrigue, violence, and gratuitous nudity, the series became a hit in large part because of its wild unpredictability: major and minor characters alike were often and unceremoniously killed in shocking plot twists. After the first season saw the show's protagonist beheaded, each successive season one-upped the unpredictability factor with fan-favorites and villains alike being stabbed, burned alive, executed, hanged, poisoned, and even resurrected once or twice. This became even more the case once the show outpaced its source material, a series of novels by author George R. R. Martin, at which point even long-time readers had no idea what was coming next.
This unpredictability is arguably what turned the GoT into HBO's flagship series, which made the need to keep plot twists secret positively pivotal to the show's ongoing success and survival. And as with any company's most sensitive data, an illegal market emerged for any information that could spoil the next big twist.
Hackers and Leakers?
Hackers gain prestige (and can earn a king's ransom) by displaying their ability to break into networks. Like a severed head, stolen data is the proof of success in this arena. Case in point: the hacking group Lulzsec's 2011 hack of the U.S. Senate web serve: rudimentary information was posted to prove they had penetrated the network. They even left a message referring to their activities (that carried penalties between 5 and 20 years in prison) as being "a small, just-for-kicks release."
This obviously isn't the case for hackers who engage in nation-state espionage or hold hospital networks hostage for ransom (for them we should reserve a special place in Hell), but when it comes to your garden-variety hackers and leakers, they share the same DNA: It doesn't matter what data is being released (compromised databases, celebrity cell phone photos, pre-released films, plot spoilers) so much as who managed to gain access to it first.
A Market for Leaked Data
It shouldn't come as a surprise that HBO has been fighting a losing battle for years to keep a tight lid on its upcoming plot twists. The market to get the proverbial goods on the show means instant attention for the successful hacker, and meteoric traffic for the website that manages to feed the insatiable demand for more details on what's to come. Spoilers from consistently reliable sources immediately hit the front page of major websites, that in turn want the attention (and ad traffic) reserved for whoever is first on the scene.
The object lesson is that it's hard to protect data when there's a strong demand for it. This applies as much to a business's confidential information as it does to whichever character doesn't live to see the end of a television series.
The Supply Chain
A large part of the appeal for the GoT series has been the spectacle of it; each season boasted exotic locales, elaborate costumes, magical creatures, and epic battles between massive armies. A legion of people made it happen, including film crews in different countries, thousands of extras, CGI animators, editors, writers, producers, and countless other logistical players.
Each person on the job represented a potential source for compromise. Every step of a season, from its planning to its execution, is at some point vulnerable to this or that detail getting into the wrong hands and from there going viral. The more people involved, the greater the likelihood of that happening. Welcome to the world of supply chain vulnerabilities.
If the number of people working on Game of Thrones sounds daunting, consider the number of people with access to information or data at a small- to mid-sized company. Every single employee, ex-employee, freelancer, or contractor at one point or another has access to at least a piece of its data. Consider then, the number of people involved in the development of any software used by that organization. The attackable surface of a company grows exponentially with all these vectors of vulnerability. Every access point has the potential for a breach, be it from an unprotected drive, a re-used password, an irresponsible click, a compromised cell phone or a bad player. The longer the chain of employees, the more vulnerable a company becomes.
A company's data might not have a Game of Thrones-sized target on its back, but as we've seen from near-daily breaches and leaks, there's always a market for data.
What HBO Has Done Right
Given the scope of the show and the near-feverish demand for details about it, it's surprising that it hasn't had more leaks. While protecting data is a pass/fail proposition, businesses could benefit from a consideration of what HBO has done to protect against spoilers.
The network has made a point of making anyone with any kind of access to information sign an extremely restrictive non-disclosure agreement. This even extended to the fiancé of one of the actresses on the show. While the average business has neither the time nor resources to deal NDAs willy-nilly to its employees, the takeaway is that HBO turned nearly everyone with access into stakeholders, and placed a premium on keeping data secure. It put culture before strategy. Being held personally accountable for carelessness when it comes to data is strong motivation, and emphasizing the importance of keeping it secure in the first place is a hallmark of good cyber leadership.
When push came to shove, GoT operated in a zero-trust environment, with actors learning their lines in real time through an earpiece.
A Losing Battle?
The valuable data for this Game of Thrones had an expiration date, i.e., when the final credits rolled. And that's where it differs from the information many companies are tasked with protecting. While the stakes might not always be as high for a small to medium sized company as it was for HBO, there are lessons to be learned from its paranoia. The most important one: there really are people out there who are out to get you.