My heart broke last week when NCIS jumped the shark in its 2014 season premiere, “Twenty Klicks”.
SPOILER ALERT: If you haven’t seen the season premiere yet, you may want to watch it online. Then again, those who do may never watch another NCIS episode again.
I felt bad when actress Cote de Pablo (Ziva David) left the show last season, but I had some hope for Ellie Bishop, who seemed to be a cross between genius-probie McGee and straight-arrow Kate with a dash of Abby sweetness. Besides, we still had Abby, everyone’s favorite problem solver and perky goth. Then the scriptwriter introduced a computer virus as a plot device and managed to break every rule of rational computer science ever invented. And sweet, brilliant Abby Sciuto was left looking like a technology fool.
As a professional computer geek and aspiring writer, I’d like to use this episode as a roadmap for everything not to do when introducing a computer virus into your plot. For comparison, I’d like to use the real-world Stuxnet / Flame malware which attacked the Iranian nuclear program in 2009/2010.
Malware Attacks Favor Secrecy
When the virus hit NCIS, the computer screens all over the office went wild. This is perhaps the classic symptom of a Hollywood computer virus, and it is totally absurd. Unless this symptom is the intent of the malware in question, the best way for malware to spread is to remain hidden. Since this would make for a boring episode, I can understand why scriptwriters ignore it, but it’s still annoying.
For comparison, the Flame malware stayed hidden for a significant period of time, spreading slowly from machine to machine until it reached its eventual target, computers loaded with software that was used to program the high-speed centrifuges in the Iranian nuclear program. Only then did its presence become obvious, and even then the attack was subtle: it caused the centrifuges to shake themselves apart during use in a manner that could have been misinterpreted as a hardware failure.
Malware Attacks Need an Attack Vector
In the season premiere, Abby triggers the virus by loading data from a memory card onto a laptop. The laptop is isolated from the network, and has even been placed in a Faraday cage to prevent it from connecting to WiFi, but somehow the virus escapes over the power cord (!) and spreads to the rest of the building.
Ignoring, for a moment, the fact that laptop computers generally have a battery and don’t have to be plugged in to operate, this is perhaps the most absurd misapplication of technology I have ever witnessed. You cannot transmit malware unless the recipient computer has a defect that causes it to execute the code somehow. This can be done by social engineering (i.e. a trojan horse), by being attached to a piece of shared data (i.e. a virus), or by transmission over the network (i.e. a worm). Unless you are using specialized network hardware to piggyback LAN traffic on top of your power cabling, malware can’t travel through the power cord, and even then it can’t use the powerline network unless that adapter is physically connected to your computer. Sorry, the malware might have mangled Abby’s lab PC, but it would have stopped there.
For comparison, Flame was transmitted on the ubiquitous USB keys people use these days to transfer large quantities of data between computers. Since Microsoft Windows has an annoying habit of executing everything it sees as if it were a legitimate application, these systems were vulnerable to attack over this vector. I still want to scream every time I get a new USB key and Windows wants to load a “driver” from the device. Linux doesn’t do this, and while it implies that people who use Linux have to be able to load their own drivers when they need them, it’s a whole lot safer.
Malware Can’t Attack Everything
When the virus attacked NCIS, not only did the computer screens go wild, but the office lighting suddenly went dark, and the phone system failed. Even if they use VoIP for their phone system and have a centralized system to manage their lighting, this still wouldn’t really make sense. The reason? Any normal business has separate systems to handle these three distinct functions, and they are generally implemented with different technology stacks. The only way this virus could have affected computers, lights, and phones would be if they were all vulnerable to the same exploits — but if NCIS knew about these exploits (to write the virus), wouldn’t they have already patched their own computers to protect against a similar attack? Moreover, why would the NSA allow NCIS to connect to its secure network when they were under an apparently unstoppable malware attack?
The Moral of the Story
When possible, protect yourself from malware by using less-vulnerable operating systems like Linux or OS X. Practice safe computing by keeping your computers patched, and use antivirus software like ZoneAlarm or Kaspersky on your PC. And don’t believe everything you see on TV.
Beyond this, if you are a writer who wants to include malware in your stories, the following process may be useful to ensure that you don’t invent a Hollywood virus like the one that sank NCIS:
- Decide first what your villain wants the malware to attack. There are plenty of targets, and the number will only increase as our homes and vehicles get increasingly connected to network monitoring and control systems. At the same time, any given attack will typically affect only one kind of computer system and people who use a different one won’t be affected.
- Decide how the malware is going to affect the computer systems it attacks. Once you have broken into a target system, it’s relatively easy to make it crash or operate more slowly, so these kinds of effects might come from a young programmer just learning about malware. Tools that collect and return security information to your villain (e.g. keyloggers) might come from organized crime, because it takes a more sophisticated group of programmers to develop them. And the really advanced techniques are probably coming from national governments with the money and power to fund these software teams.
- Decide what vector(s) the malware might use to break into the computer system in question. Most successful attacks depend on one or more human errors: a defect in SQL Server, for example, might go unpatched because of a bad business decision, leaving data exposed to the attacker. Or someone might introduce a trojan horse into your network by opening an attachment in an email, which subsequently transfers itself as a worm inside your corporate LAN.
- Once you’ve designed a plausible bit of malware, set it loose on your protagonist, and tell the tale.
There are a lot of bad people out there coding bad software, so we shouldn’t have to stretch our readers’ suspension of disbelief to include a nasty bit of malware in our plots — but you have to do it right.
There are technical differences between a trojan, a worm, and a virus. All are malware. People who get picky about the difference between a worm like Stuxnet and a virus like nVIR are being pedantic, so I don’t care that they called the attack a “virus” in the season opener.
Well, the lights, phones, and computers are all plugged into the power grid, so maybe the magic power cord exploit was used on all three.