Though set in the future, HBO's "Westworld" works as an allegory for the present moment in cybersecurity.

Bil Harmer​, CISO & Chief Evangelist at SecureAuth

March 27, 2020

5 Min Read
"Your face doesn't matter--it's your actions that identify you." Source: AF Archive/Alamy Stock Photo

In the gunslingin' world of cybersecurity, there are threats everywhere. It can sometimes feel as dangerous to run a modern business as it was to run a saloon in the shadiest part of the Wild West.

Actually, the parallels between the cowboy days and modern cybersecurity issues are aplenty — and one need look no further for proof of that than HBO's standout series Westworld

If you haven't seen Westworld yet, here's the general gist (Note: spoilers ahead!): The story centers around a Western-themed amusement park populated by robots (or "hosts") who spend each day acting out the same storyline as the day before.

Visitors to the Westworld park interact with the hosts and are free to indulge their most hedonistic desires, spared from the consequences of the real world. But Westworld suffers from issues that are strikingly similar to the ones faced by cybersecurity professionals today. In fact, Westworld's flaws are a useful allegory for navigating today's most insidious digital threats.  

Identity
If your business struggles with verifying identities, you're not alone: The same issues exist in the Westworld park.

After all, we thought we knew who Charlotte Hale was — the executive director of Westworld's board — but it turns out that she was killed at the beginning of season two by a robot version of herself. And then there's Bernard. Who's actually Arnold, the creator of the hosts. Who's dead.

If you're confused by all of this, imagine how confused your systems are by the millions of access requests coming from both legitimate and illegitimate users, day after day.

Credentials don't cut it: They can be easily stolen in today's threat landscape. Instead, the best bet for accurately identifying users (or hosts) is to rely on a combination of validations like multifactor authentication, behavioral biometrics (such as voice recognition, typing patterns, mouse movements, etc.), and browser and IP information. 

If a system were to analyze Charlotte Hale during season two, it would discover that, even though she looks exactly like Charlotte, she's not. Similarly, even if an attacker possesses a single authentication, it's still nearly impossible for him or her to replicate a combination of validations.

AI Regulation
Part of Westworld's appeal is its examination of what makes us human. If our consciousness is the crux of individuality, what happens in a world when consciousness can be constructed, altered, downloaded, uploaded, and destroyed at will? It's the question that weighs on Arnold's conscience so heavily that it determines his own demise.

But while this wrangling of human and artificial consciousness isn't easily resolved in Westworld, it's no more cleanly handled in real life. In 2017, Elon Musk called for the regulation of artificial intelligence (AI) before it posed a risk to humanity. And yet regulation hobbles innovation, so Congress adopted a "wait and see" approach to AI legislation. The result so far has been a quantum leap of AI innovation — for proof, one need look no further than the proliferation of deepfakes that have been created using machine learning and AI — without stringent regulation, standards, or requirements.

I believe a practical approach to regulating AI would be to use existing data privacy laws and expand or replicate them to cover machine learning and AI.

Threats and Vulnerabilities
Even the most advanced hosts in Westworld are susceptible to malware. But what's most interesting about this, perhaps, is that the threats manifested in the show can easily be seen as allegories for modern cybersecurity threats:

  • Insider threat: A Westworld programmer, Elsa, finds a laser-based satellite uplink inside a robot host that someone has been using to smuggle data out of the park.

  • Advanced persistent threat: The robot host Maeve uses Felix, a Westworld technician, and other hosts to start an uprising — because someone has programmed her to take over Westworld and infiltrate the mainland in a pre-scripted insurgency.

  • Malware: Clementine, who works in the saloon, is updated with a new code that turns her into a walking virus. With only a thought sent through the mesh network, Clementine can force hosts to brutally kill each other.

  • Internet of Things vulnerabilities: In the season three premiere, Dolores hacks into the smart house of a billionaire, making the home no longer responsive to his commands. The show doesn't make it clear whether the smart home was compromised by insecure network services, ecosystem interfaces, or default settings, but Dolores is able to take control quickly.

What can we learn from the threats and vulnerabilities above, as well as the identity issues and the AI quandaries seen in Westworld? To take them seriously. It's tempting to think of cybersecurity as existing only in a vacuum, affecting only digital networks that can be ignored as soon as we step away from a computer. But the reality is that cybersecurity is tied to the real world, and its breaches have very real damage. Westworld shows us that issues can only be ignored for so long before they demand their time in the spotlight.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?"

About the Author(s)

Bil Harmer​

CISO & Chief Evangelist at SecureAuth

Bil Harmer is the CISO and chief evangelist of SecureAuth. He brings more than 30 years of experience in leading security initiatives for startups, government, and established financial institutions. He's CISSP, CISM, and CIPP certified — and is recognized for creating a trusted security audit methodology used by the SaaS industry through the introduction of the SOC2 in 2011. Prior to SecureAuth, Harmer served as CISO-Americas at Zscaler, CSO at GoodData, and VP of security and global privacy officer for the cloud division of SAP.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights