Too many secrets, not enough trust
The movie Sneakers recently turned 30! After recovering from the shock of its age, rewatching it made me consider how much has changed since 1992. Not much, it turns out.
Many articles have been written about its popularity and continued relevance, but I thought it would be interesting to envision what a 2023 reboot of Sneakers would look like, since reboots are Hollywood’s obsession these days (sigh). If you haven’t seen the original, I suggest dropping everything you are doing right now and watch it, especially if you work in tech. It is one of those films that just gets better with age.
Though the movie features the concepts of cybersecurity and cryptography, the real focus is on exploiting weaknesses, with social engineering being prominent — not much different than the challenges faced by today’s cybersecurity professionals.
As we imagine a Sneakers reboot, let's assume there is still a physical component that needs to be stolen. I would think a completely virtual, network/internet-based Sneakers version two would be quite boring, even with Robert Redford leading the pack.
The black box is a quantum computer
The core of the movie centers around a mystical “black box” that can break the encryption of any system, exposing critical services like the Federal Reserve and Air Traffic Control (why are these even available publicly?). The Sneaker's job is to steal it before it gets into the wrong hands. In a presentation, the mathematician Janek talks about groundbreaking algorithms that perform magic. It’s scary stuff, potentially allowing the villain to “bring it all down,” as he says.
The encryption of traffic in motion and sensitive data at rest underpins internet security. Quantum computing promises to pose a real threat to that, being able to break asymmetric cryptography in moments, which would otherwise take “millions of years” on today's computers.
Replace 1992’s answering-machine-sized black box with a quantum computer, have Janek lecture about quantum theory, and you have a nice contemporary (and believable) storyline.
Social engineering
People are always the weakest link in a secure system. (No need for a source, everyone knows this 🙂) and in 1992 Sneakers already relied heavily with its social engineering themes.
Distractions at a security front desk to gain physical network access within an office would still be in the reboot. Phishing and/or smishing attacks would be featured also, probably along with fooling a telco’s customer service agent to clone a SIM card in order to receive SMS MFA text messages. All are fairly simple means to defeat measures put in place to secure enterprises around the globe.
Biometrics, credentials, and authentication
The Sneakers need to break into the office containing the black box, but it’s protected by a physical card with an imprint of the resident's voice stored on it (MFA in 1992!). The protagonist's ex-wife is tasked with recording the victim saying the words, “My voice is my passport, verify me” – not the exact phrase but each word separately during the conversation so as not to arouse suspicion, with another Sneaker’s job to stitch the recorded words together to help bypass the security in the climactic scene.
Today, there is no need for such fooling around. Simply record a few minutes of the victim talking, or download a video of the victim from YouTube, and let AI recreate the spoken passphrase to break the voice recognition security (just as has happened in real life). Though remarkable, this approach might be pretty boring compared to the original movie’s plot.
Perhaps instead, the Sneaker drugs the victim, then makes an intricate mask for a biometric face scanner securing the office. Maybe something more tech-like, like cloning a victim’s smartphone, combined with a cast of the victim's thumbprint to unlock the phone in order to use the Bluetooth beacon app to enter the office? That might work.
The later film “Demolition Man” featured a victim’s extracted eyeball on top of a metal stick to defeat biometrics. That made for great entertainment, but we’ll skip it as we don’t want an R rating for our reboot, preferably.
Breaking into the network
The “network” is such an old movie trope that I’m sure film buffs are getting sick of. CIA, NSA, and even CTU are able to break through firewalls in seconds in order to access sensitive information. How boring!
An interesting story path for a 2023 version of Sneakers might feature infrastructure and applications protected by zero trust principles, as opposed to traditional perimeter-based security.
The network in a zero trust environment becomes irrelevant, used only as a transport mechanism for encrypted traffic. Policies formed around ZTA principles reduce the likelihood of successful social engineering, phishing attacks, and intrusions through zero-day vulnerabilities.
Phrases like “It's impenetrable, there is nothing exposed,” “there is zero attack surface,” and “they don’t even have a password,” would be exclaimed throughout.
That said, I’m not sure a movie featuring a truly zero trust environment protecting the proverbial crown jewels would work. Maybe it would be too boring, with hackers unable to discover and steal anything of value. Or maybe the movie would be really interesting, due to the lengths and ingenuity required to defeat the defenses protecting those jewels.
In a circular, time-traveling plot twist, the Sneakers could bring the quantum-crypto black box back from a future time where they have already stolen it, so they can steal it in the present. Wow, the potential!
Call my agent
The catchphrase used throughout the original movie was “too many secrets,” linking the power of encryption to the protection of information. If a new movie was made during the era of zero trust, where everyone is absolutely intent on verifying every request or action, perhaps a new catchphrase along the lines of “Too much distrust” or “Not enough trust” would work. Hmm, maybe I should start on that script…
What to read next