The original Ghost in the Shell (GitS) movie was practically compulsory material in the hacker subculture of the late 90s, early 2000s. The original touched on themes that all geeks can appreciate, including robotics, sentient AI, human augmentation, active (“thermal-optic”) camouflage, transferring human consciousness to a machine, and more. The main protagonist was a hacker called the Puppet Master, and the idea of hacking technically augmented humans was ahead its time (the Internet of Things wasn’t even a “thing” then). This is probably why GitS imagery and themes have been iconic in hacker culture (like this GitS-ish t-shirt).
As a fan of the complete Ghost in the Shell franchise (manga, TV shows, sequels), I was excited for the live-action remake of the movie, despite my wariness for “reboots” in general. I imagined how 22 years of cinematic and CGI evolution could enhance this such a technological story. Turns out, stunning visuals can’t make a bad script palatable. Unfortunately, the new movie is a mere specter of the original, cowering in a stunningly decorated, but ultimately empty shell.
That said, there’s no reason why we still can’t extract some value from this ham-handed remake, if at least to redraw attention to the exemplary original. If you’ve only seen the new live-action film, I highly recommend downloading the original, which is much better. In either case, this article covers six cyber security lessons you can learn from GitS (mostly from the original, but also from the remake).
1. Old hacks still work and provide false flags
In the original anime, Major Kusanagi and Batou talk a lot about a fictional “HA-3 virus” that The Puppet Master used in various attacks. By the way, The Puppet Master was the antagonist of the original series, and was a mysterious and sophisticated hacker (very different from the new movie’s storyline). Batou wondered why such an advanced hacker used such an old and basic virus. The Major proposed that the hacker may have been using this threat as a decoy, to throw them off his tracks, and make them suspect someone else. In the real world, this is something known as a false flag
As it turns out, modern malicious hackers use old attacks and methodologies all the time. In my company’s recent Quarterly Internet Security Report, we found plenty of evidence of macro-based malware, PHP webshells, and old Linux trojans, which are all very old-style malware and attacks. These old tricks still work, so you need to make sure to continue protecting against older attacks.
We even found sophisticated nation-state attackers sometimes use old techniques. The report specifically highlights a very basic (though obfuscated) PHP webshell used in the alleged Russian political hacks. The webshell was originally created by a “normal” cyber criminal but seems to have been used in a major political attack. We don’t know if the attackers intended it as a false flag, but we do know these old-style attacks are still quite common. The lesson to learn: don’t just focus on new attacks. Keep your protections and awareness for older cyber threats up to date, since those threats will surely return.
2. Car Hacking has gone from Sci-fi to reality
In 1995, the idea that you might hack and take control of a car seemed ludicrous. In fact, cars from that era lacked many of the drive-by-wire and computer systems of modern automobiles, which would make it possible for hackers to affect your braking or steering in the first place. Nonetheless, the original GitS movie prophetically had Major Kusanagi take-over steering of a car digitally, through her computer connected brain. As a teenager, this futuristic idea seemed astounding and exciting. As an older security professional, it seems terrifying without the right security mechanisms.
The lesson here is that Sci-fi has become reality (minus the “brain” control, at least so far). Cars really have become computers on wheels, often with wireless Internet connections. Researchers have already proven many times that hackers can take-over a car remotely, and cause it to do some pretty dangerous things. We need to realize the “cyber” danger cars now pose and continue to pressure the industry into securely designing these new connected automobiles. Otherwise, The Puppet Masters of the future might digitally take over our wheels.
3. A basic firewall is not enough
The original GitS movie touched on a ton of interesting topics in its short (1:22:00) runtime, and it did so subtly, without forcing long unnatural narratives (unlike the new movie). For instance, throughout the original anime, the protagonists talked about their enemies “hacking through high-level barriers” to get to certain things. They never really explain “barriers,” but you can guess they’re probably the analog for firewalls.
The lesson here is sophisticated attackers seemed to always get past these basic barriers. In our modern threat landscape, a traditional firewall is nowhere near enough protection. Persistent and motivated attackers have shown they can often find ways to bypass your basic protections. This doesn’t mean firewalls are useless, but it does mean that you should bolster your firewall with other layers of security (IPS, antivirus, advanced malware protection, etc.) to make it harder for bad guys to burst your barriers.
4. Smart cities and building automation have privacy repercussions
Though not referred directly in the narrative, the art in both the old and new GitS movies paint a picture of technological advancement and a “connected” world. For instance, the new movie depicts holographic, interactive marketing everywhere. In the original anime, you get the sense that “New Port City” is a Smart city, where the authorities can digitally track cars, aircraft, and people.
The original anime subtly coalesces this point in a scene in a parking garage. A Section 9 agent, Togusa, asks building security to get the weight from the pressure sensors under two cars in the garage, which leads him to realize that more people had snuck into the building than first suspected. On the surface, this scene shows a cool way for Section 9 to figure out a mystery, but it also subtly illustrates some of the repercussions of a hyper-connected world.
As we have more network-connected sensors, cameras, and devices, we’re sharing more data with the world than we may realize. For instance, did you know when you stop at some red lights, there is a pressure sensor under your car that wirelessly communicates with the network that runs the street lights?
Sharing this data has inconceivable privacy implications, especially as more and more things get connected. Sure, you might believe that only the good guys will use this data to make our lives better. The problem is, history shows us bad guys use it too. Beyond the privacy issues, these growingly complex technological systems pose new vulnerabilities. For instance, did you know researchers already found vulnerabilities in that wireless traffic light system I mentioned before?
The lesson here is it’s fine to embrace technology — it can be used to make life better — but try to stay aware of all the privacy and security repercussions of our increasingly connected world.
5. AIs make the best hackers
Ok, spoiler alert for anyone that hasn’t watched the original anime. As I mentioned before, The Puppet Master was the main antagonist in the original movie, and the story was quite different than the remake. In the original, The Puppet Master seemed like an almost god-like hacker that could do things others couldn’t. In the end, it turned out The Puppet Master wasn’t human, or even cyborg—he was an AI that had become sentient. With this perspective, many of the seemingly amazing hacks he’d done before became more realistic once you realize he was a computer distributed on “the net.”
As fictional as sentient AI seems today, the idea that machines might be able to hack better, or at least quicker than humans is totally realistic. At the last DEF CON security conference, DARPA ran a Cyber Grand Challenge competition that pitted team-built AI systems against one another in a hacking challenge. These systems had to automatically find vulnerabilities in their own applications and either patch them or write exploits to attack others.
In short, challenges like these clearly show that machines can find and attack network and computing weaknesses faster than humans. Imagining a GitS-like future, where nation states might program AI to launch cyber-attacks is more realistic than it might seem. The lesson? Fight machines with machines. The security industry is already starting to leverage AI and machine learning systems for defense. You should start paying more attention to these solutions as they become available.
6. Secure IoT before connecting our brains to computers!
The one core theme that survived both movies was the idea of putting our brains (ghost) into a machine. You literally saw this in the opening shot at Hanka Robotics, when we see a chip covered brain placed into a robotic Scarlet Johansson body. To most, this concept probably feels very Sci-Fi, but it too may be closer than we imagine. While replacing human bodies is doubtlessly decades away, smart scientists and entrepreneurs have been working on merging the human brain with computers for a while now. In fact the visionary, Elon Musk, who’s responsible for popularizing electric cars and taking the space race private is already at work on this type of concept with a stealth project called Neuralink. Having brain-controlled computers may not be far off.
If this sort of thing does come to pass, I hope we learn from the prophetic warning in the GitS movies. In both movies, computer augmented humans get hacked. While this idea is totally fictional today, the more we connect ourselves to devices, the more real this might become. Just look at the Internet of Things (IoT). Right now, the industry can’t get security right for basic webcams, medical devices, or DVRs. Hackers have already taken over many of these devices and leveraged them in attacks. Until we can get the security right for our basic consumer products, I suggest we avoid too closely connecting our brains to a computer.
‘The net is vast and infinite’
The original anime ended with Major Kusanagi’s line, “The net is vast and infinite.” As a human in a computer, she probably meant that as a hopeful thought for her potential future. However, the infinite vastness of technology can also result in boundless complexity, which is the enemy of security. That doesn’t make technology bad, but it does mean we need to remain aware of the complexities and risks that our modern, evolving world introduces. Make sure to put up your barriers before our world becomes too much like Ghost in the Shell.