Staying Ahead of the Hackers

The media and entertainment business is built on what it offers its viewers: programming, sports, news and other live events. While language purists may balk at the current use of the word “assets” instead of “programs,” it does convey the value of the material—both creative and commercial—shown on TV channels and streaming services. They are valuable commodities and have always needed to be protected. Unfortunately, the move to file-based production, with everything on computer servers and network or cloud access, has left assets—and their owners—extremely vulnerable.

This was starkly illustrated by the 2014 hack of files and data from Sony Pictures, which included staff details, emails, corporate information and copies of at-the-time unreleased films. Calls for heightened security in the aftermath of the breach ultimately led to the creation in 2018 of the Trusted Partner Network (TPN) by the Motion Picture Association (MPA) and the Content Delivery and Security Association (CDSA), with the MPA taking full control of TPN in 2021.

Early Moves
The MPA issued its first best practice guidelines for content security in 2009, in collaboration with member companies and consultancy Deloitte. Updates and revisions followed between 2011 and 2018, with authorship moving exclusively to the MPA and its membership.

Deloitte published its own report on the subject in 2018, highlighting the digital transformation of content in all its forms. Among its recommendations for securing material were digital fingerprinting, encryption, blockchain (a digital ledger for recording transactions and events), watermarking and plugging the “analog hole,” where programs are copied from legacy sources.

John Footen, managing director of Deloitte Consulting, acknowledges that the situation continues to evolve but says new technologies are now being used with established practices to further tighten security.

“Automation can reduce the effort to maintain a consistent security posture in large-scale systems and to recover after an attack,” he explains. “We’re also seeing greater integration of media technology with enterprise security systems. More products can work with single sign-on in zero-trust environments, for example. At Deloitte, we’re applying AI for cyber defense, not only for well-established uses such as detecting anomalous behavior and interdicting threats but also for assessment and visualization.”

The changing nature of the threat—hackers developing new viruses and ways of infiltrating systems—calls for content owners to be ever vigilant. This is reflected in the MPA/TPN Best Practice Guidelines, which have been updated on an annual basis (sometimes twice in a year) since 2018. The most recent revision appeared in August this year, with new guidance on working from home and remote access to data centers, plus minor updates to cloud-specific controls.

The recommendations from Crystal Pham, vice president of operations and product management for TPN, are fairly universal no matter the process: ensuring that content owners and facilities have secure connections—including not logging into applications from unsecured networks; keeping applications updated and patched; using strong passwords and authentication mechanisms; not sharing accounts or credentials; always installing applications from trusted sources; and adhering to MPA Best Practices, as well as completing an annual TPN assessment.

Pham characterizes the security issue in M&E as “always evolving” and says it can be influenced by new technologies, the shortening of release windows and emerging threats.

“Change is a constant,” she says. “I do think there’s more awareness about security, with better understanding of the constant change and the need to get ahead of it when possible. I believe it’s becoming more embedded in the process of creating, distributing and consuming content. It’s also becoming more ingrained in our culture.”

New Methods Needed
The ever-shifting landscape is summed up by Asaf Ashkenazi, chief executive of Verimatrix, who observes that as technology advances, so do the techniques used by pirates to illegally obtain, distribute and monetize content.

“DRM and other traditional security methods are no longer as effective against today’s savvy hackers,” he says. “New real-time detection and prevention systems that are layered on traditional protection methods are needed to combat modern piracy efforts—especially those that leverage AI/ML and cloud infrastructure to exploit at scale.”

To counter such threats, Verimatrix has developed Streamkeeper, which combines multi-DRM, forensic watermarking and “Counterspy,” which Ashkenazi describes as a “motion sensor” or “alarm” that detects piracy as it happens. “The goal, however, should not be to completely eliminate piracy but to disrupt the pirates’ business models,” he comments. “By increasing costs beyond potential profits, the motivation for piracy diminishes. Real-time detection, prevention and rapid response are key.”

Among the ways of disrupting the activities of pirates is to track down purloined programming to the sites where it is being offered illegally and shut them down. Another company providing such monitoring and enforcement services is Friend MTS, which does this using both fingerprinting and watermarking technologies.

“A customer will give us a clean reference feed of their playout and we fingerprint that,” explains Nik Forman, vice president of marketing for the U.K.-based company. “This allows us to uniquely identify that clip of video. If the monitoring systems—which are all automated and crawling the web—then find a suspicious web site is playing that content, we fingerprint it so we can compare them.

“If they match, we know it is an illicit player and the client can send an enforcement notice or a takedown order,” Forman continues. “If they also take our watermarking services, the content is marked invisibly and basically sits like a QR code in the actual video. When we find the illicit content and we identify it, we match it with a fingerprint and can then say it is one of our watermarks and we extract that payload of subscriber information.”

‘Never Trust, Always Verify’
While the Sony hack made the M&E sector painfully aware of its vulnerabilities, the threats have only increased since then due to otherwise innocent technological developments. The threat landscape has evolved with emergent technologies such as the Internet of Things, 5G connectivity and advanced generative AI capabilities, according to Eric Elbaz, principal strategic engagement manager at Akamai.

“We’ve also seen state-sponsored attacks become more brazen,” he said. “Nation-state actors are believed to be behind some of the most sophisticated and persistent threats seen to date.”

This was the suspicion surrounding the attack on the supply chain of software company SolarWinds in 2020, while, as Elbaz points out, ransomware attacks have increased “dramatically.”

A recent example of this is the breach of MGM Resorts’ systems in Las Vegas, which reportedly cost the company approximately $100 million. But Elbaz does see progress in dealing with the threats: “On the defensive side, we’ve seen major strides being made across threat intelligence, a paradigm shift from ‘trust but verify’ to ‘never trust, always verify’ architectures, which is zero-trust security. Deeper public-private sector collaboration and information sharing, as well as a catch-up in privacy laws, regulations, and standards are also helping.”

The threat shows no signs of going away and future attacks are likely to be even more cunning and sophisticated. According to “Variety,” in 2022, hacking of popular entertainment content rose 18% YOY compared with 2021, with the U.S. having the largest share of film and TV demand (i.e., illicit streams, downloads and the like), with more than 13.5 billion visits to piracy sites.

But the tools to combat it are there and, when it comes down to it, the greatest weapons are probably vigilance and common sense.