Cyber-noir: Popular cultural influences on cybersecurity experts

In a recent article in Contemporary Security Policy, James Shires draws on film noir to discuss portrayals of cyber in popular culture.

In his testimony to the House of Representatives sub-committee on cybersecurity in 2013, Kevin Mandia, a cybersecurity CEO and former U.S. government official, emphasized that “cyber remains the one area where if there is a dead body on the ground, there is no police you call who will run to you and do the forensics and all that”. This was of course a metaphor, as there was no literal dead body in the Chinese cyber-espionage cases his company were known for. Nonetheless, he portrayed his role exactly like the start of a film noir: an absent police presence, a violent act and a dead body, and a self-reliant private investigator. Was this just a figure of speech? Or is there something else going on–something more fundamental to cybersecurity itself? 

A foundational problem in cybersecurity is drawing a clear dividing line between legitimate and malicious activity. This is difficult because cybersecurity is an environment swamped with data, where identical tools and tactics are used for different ends, and where social and economic structures linking offensive and defensive action compound technical similarities. These obstacles to distinguishing between legitimate and malicious cyber activity are well recognized by both practitioners and scholars.

In a recent article for Contemporary Security Policy, I highlight another factor that is rarely discussed but no less important: popular cultural influences on cybersecurity experts. Cybersecurity expert practices are infused with visual and textual influences from broader discourses of noir in popular culture, including dystopian science fiction, fantasy, and cyber-punk: a phenomenon I call “cyber-noir”. These influences produce cybersecurity identities that are liminal and transgressive, moving fluidly between legitimate and malicious activity. To paraphrase a neat description of film noir leads, cybersecurity experts see themselves as “seeming black and then seeming white, and being both all along”.

In the article, I examine two forms of popular cultural influences on expert practices: visual styles and naming conventions. I suggest that these influences create a morally ambiguous expert identity, which in turn perpetuates practices that blur the legitimate/malicious boundary.

First, due to its relative novelty and digital basis, many concepts and objects in cybersecurity have no obvious visual association. This gap means that, as Hall, Heath, and Coles-Kemp suggest, many techniques of cybersecurity visualization deserve further critical scrutiny. Through code images signifying illegibility and technical sophistication, and pseudo-geographic “attack maps” emphasizing constant threat, cybersecurity is portrayed as a dark and uncertain world where simulation slips easily into reality and reality into simulation. A range of threatening identities using images of noir characters, various coloured hats, and hooded hackers add to this atmosphere. These images and visual styles use noir aesthetics and palettes to convey transgression, danger and moral ambiguity. Although light and dark shades are classically associated with good and evil, in cybersecurity–as in noir–both “good” and “bad” entities occupy the same place in the visual spectrum.

Second, naming conventions are infused with popular culture, through direct references and quotations and in their style, sound and visual aspect.  Many company names and analysis tools in cybersecurity evoke a popular culture crossover between noir, science fiction, fantasy and cyber punk. Vulnerabilities receive names that could be straight from dystopian fiction, like “Heartbleed,” “Spectre,” “Meltdown,” and “Rowhammer”, while others highlight a darker aesthetic, such as “Black Lambert” and “Eternal Blue”. Although these are clearly strategic decisions, they also shape the identity of the individuals who work in these organizations and the organizations themselves. Consequently, names with popular cultural influences and associations not only enliven the working day for cybersecurity experts, but constitute the moral orientation of their world.

In 2017, British youth Marcus Hutchins became well-known among cybersecurity experts, following his portrayal as the person who singlehandedly stopped the devastating WannaCry virus that affected the UK’s National Health Service. However, Hutchins’ fame enabled other cybersecurity experts and U.S. law enforcement to follow a trail of domain names, malware names, and handles on hacker forums, including “ghosthosting,” “hackblack,” “blackshades,” and “blackhole,” to the creation of an illegal banking virus named Kronos. Hutchins was arrested months after his public appearance and sentenced to time served in July 2019 for his role in distributing this virus. Hutchins’ case is an extreme example of the relationship between noir aesthetics and transgressive practices. As his story illustrates starkly, many cybersecurity expert identities are constituted in such a way that practices like hacking back, undercover intelligence collection and participation in “grey” or “black” hacking forums seem to be a normal, even necessary, set of activities.

The article concludes that the fragile distinction between legitimate and malicious activity in cybersecurity expert discourses is not merely a question of technological similarities, exacerbated by particular economic and institutional structures. Instead, experts themselves perpetuate uncertainty over what is legitimate and malicious in cybersecurity. Their adoption of popular culture adds to the explicit obstacles confronting cybersecurity experts, suggesting that the task of separating legitimate and malicious is much more challenging than commonly thought. Consequently, the deepest difficulty in maintaining the legitimate/malicious binary–and therefore constructing a stable foundation for cybersecurity itself–is not the range of technological, social, and economic pressures explicitly recognized by cybersecurity experts, but their implicit embrace of cyber-noir.

James Shires is an Assistant Professor at the Institute for Security and Global Affairs, University of Leiden. He is the author of “Cyber-noir: Cybersecurity and popular culture”, Contemporary Security Policy, Advance Online Publication,  available here.

Leave a Reply

Your email address will not be published. Required fields are marked *