Security Mavens' Reviews of the Movie Firewall

The annals of popular culture are rife with depictions of security professionals as villainous lackeys in the service of unscrupulous corporate leaders. Think Silkwood, The Firm, The China Syndrome and last year's season of the Fox Network hit show 24, in which the CSO of an L.A. high-tech business seeks to protect the corporate reputation by deploying his own private SWAT team to kill counterterrorist agent Jack Bauer. That's a pretty harsh job description!

So when we heard that the new movie Firewall would star Harrison Ford as Jack Stanfield, the heroic CISO of a midmarket Seattle bank, we were eager to see this presumptively positive portrayal of a security executive. We also invited some of our friends in the business to see the movie on its opening weekend and send us their reviews.

IRA WINKLER: I went to Firewall with really low expectations. The reviews kind of sucked, and most movies that focus on security and computers are filled with complicated technological terms that make no sense to the average person, the idea being to make the hero sound like a technological genius. At the same time, real technological geniuses are confused, because it's actually a bunch of random acronyms the writers have stuck together. Of course, it usually ends up being some obscure technological genius who saves the world from an evil corporation.

Since I couldn't be disappointed, I actually liked this movie. I know that CSO wanted me to focus on how "real" the movie is with regard to security, computer crime, and the job of a security manager. I also assume that many readers might know that I perform penetration tests against banks, investigate crimes against banks, and help to develop security programs for banks. That said, Firewall is about as real for banking security as XXX was for the NSA and the Star Wars movies were for space travel.

In Firewall, the criminals basically develop a software program that will clean out bank accounts automatically, and they need the hero to identify large accounts and execute the program to actually clean out the accounts. As you can anticipate, the hero, bank security manager Harrison Ford, does this to save his family (held hostage by the bad guys) but then steals it back to turn the tables. While the movie gives you the impression that the bad guys are supervillains, in the real world of banking criminals, they would rank slightly above Wile E. Coyote.

In the real world, $100,000,000, sent to five specific accounts in a four-minute time frame, would be easily tracked and retrieved. The bad guys left tracks all over the place, including in people's memory, but make it seem trivial to delete them. The reality is that organized criminals regularly steal millions of dollars from banks and get away with it. They don't have to resort to exposing themselves to charges of murder, extortion and blackmail.

However, the most unbelievable aspect of the whole movie, that approaches science fiction standards, is that all of the techies in the Seattle area wear suits to work. Harrison Ford doesn't even take his tie off throughout the entire movie, despite chasing the bad guys all over Washington state.

I could pick this movie apart point by point from a technical perspective. However, the movie is a movie and should be seen as intended, for entertainment. There is a slight mention about a firewall at the beginning of the movie, but it is really just a movie title. The film was originally titled The Wrong Element, but I guess that didn't sound cool enough. Overall, this is a really good movie.

Despite the lack of reality, it's easy to buy into the suspense and the action. Hey, if you can believe that Indiana Jones is a real archaeologist, you can believe that Ford's character is a real bank security manager. If you are a fan of the TV show 24, you might think, from time to time, that you are actually watching that show — Mary Lynn Rajskub, who plays Chloe, CTU's most gifted geek, co-stars as Ford's executive assistant.

At the very least, your friends who see Firewall might start to think you're cool!

BIO: Ira Winkler is an information security consultant and author (most recently of the book Spies Among Us, a call to action over the alarming vulnerabilities in security and intelligence systems). He often speaks and writes on infosecurity topics, but still finds time to go to movies.

PAMELA FUSCO: All in all, Firewall isn't bad. Come on, Harrison Ford was in it, so it couldn't be a bomb.

But is it a reality? Well, if you take out the made-for-movie drama (exploding car, guns and ammo, and a fabulous house that a vice president of information security could never afford), yes, it could happen. But not easily.

To pull off a caper such as this, the majority of the security OSI stack has to be violated: 1.) physical; 2.) personal; 3.) logical (hackers, identity theft, etc.); 4.) social engineering; 5.) friends and family; 6.) the human-habit element (ordering pizza every X night of the week); and 7.) surveillance.

Harrison Ford portrays Jack Stanfield, a bank CISO with true grit. Many of us who have had the honor and privilege of developing, designing, implementing and managing a security operations team take great pride in what we do. We believe in the work and the people who are part of our teams. This movie hits that part of it straight on. Because of Jack's dedication to his corporation, team, customers and family, he becomes a target of ruthless thieves. I could project myself into the middle of this since I, too, have great pride and integrity when it comes to my profession. Fiction is fast becoming a reality. Biometrics, federated identity badges, the piecing together of shredded documents, etc. This is all real.

Perhaps the next mandatory level of defense that security professionals should undertake and learn is "self defense." Having security and using security are two different things, and you must do both. For instance, the Stanfield family's home security system was disabled when the fake pizza delivery (really the bad guys) arrived; logging onto the bank's systems with a single badge (true corporations do have this level of access, but it's usually coupled with another level of authentication, such as a PIN or fingerprint scanner). This just shows that even the most intelligent and paranoid security professionals can let their guards down when their organizations and operations begin to flow smoothly.

Security is and always will be a 24/7 activity, and it will always require human intervention. Therefore, it will never be 100% assured!

BIO: Pamela Fusco is executive vice president and head of global information security for Citigroup. She has formerly held infosecurity leadership positions with the pharmaceutical giant Merck and with Digex, an Internet service and hosting provider now a part of MCI.

DENNIS TREECE: Bottom line upfront: The research the crooks did on Jack failed to turn up that in the '30s, he went by the name Indiana Jones!

Firewall is a moderately entertaining movie that treats the bank's head geek with a truckload of respect while falling into the standard movie "appearance" of computer genius, probably because the real thing would never appeal to movie audiences.

Firewall drags a bit in the middle, like most movies, but overall I was entertained and pleased with the death of the bad guys and the relatively happy ending. There's nothing like virtue being rewarded after a battle between good and evil.

That said, it did ring hollow in a number of areas, both social and technical.

The first things that don't ring true are Jack's incredible house (as Pam Fusco also notes), his obvious money, and his seniority in the bank. We just don't see network security chiefs with this lifestyle. If we did, we'd have them under intense investigation!

Another Hollywoodism, aside from the perfect life and family, was how everyone interacted with computers. While most interaction these days is by GUI, Hollywood insists on everything being typed, the faster the better. When was the last time you saw a hacker movie that even showed a mouse? Remember Swordfish? Enough said.

And let's assume for a moment that it was the modem card he pulled out of the fax machine, that he was able to cobble together with his daughter's iPod and some cabling, then plug into the network down in a server room, and have it instantly recognized and talking on the network. Yeah, that'd happen!

Later, Jack apparently takes the SIM card out of a cell phone and plugs it into his secretary's laptop and — Whoa, Nelly! — not only did that guy's cell phone take 20-megapixel-quality pictures off a monitor (at an angle yet) but Jack is back on the bank network again, reversing the bank's losses at $20M a pop. This guy is good! And he has the requisite blindingly fast and error-free typing skills, without even looking at the keyboard, which Hollywood demands of its geek heroes. Once again: Nah, I don't think so.

Then there's an early scene where Jack establishes his bona fides as a White Hat computer genius. He looks at a screen for a few seconds, the guy at the terminal tells him that some hacker is cruising through modest accounts. Jack tells the tech to move aside. He proceeds to, according to the dialogue, "change a few of the rules to slow him down." My experience with banking networks, slim as it is, reminds me that nobody changes rule sets on a live bank network. Such changes have to be vetted off-line, by a team dedicated to that task, lest some unintended consequence kill your ATMs in Norway or freeze mortgage accounts in Boston.

The most remarkable thing of all, however, is the way Jack can go a day and a half in the same suit, through several complete soakings in Seattle rain, multiple bloody fights, roll around in the dirt while dispatching Bad Guy Numero Uno, and still manage to look like Harrison Ford, who maybe took a nap in the suit and loosened his tie in the process!

BIO: Dennis Treece is director of corporate security for the Massachusetts Port Authority, which is responsible for Boston's Logan Airport and other regional shipping and transportation facilities. He is a former Army colonel with more than 30 years' experience in a variety of security roles, both domestically and internationally.

BRUCE BONSALL: I was excited about the opening of the new movie Firewall because the story is set in the world I've called my own for the past 18 years, the world of information security. Also, I like Harrison Ford as an actor, so I really looked forward to the movie. Most of all, a night at the movies for me also means a night out with my wife. So I was feeling pretty upbeat about the evening's prospects.

After appetizers and libations at a local bistro, my wife and I arrived at the theater in time for coming attractions. A quick look around revealed that most of the audience were close in age to the sexagenarian Ford. Ford plays the head of security for a bank about to merge with another company. He and his family are set upon and held captive by a gang of robbers intent on using his inside position to loot $100 million from the bank. The plot is predictable, as were many of the standard clichés, like the fast-typing rebellious computer genius who saves the day.

The movie started slowly, but once the pace quickened and the thunderous sound system in the theater kicked in, my pulse stayed cranked up right to the end. Between the music, the rapid-fire events and the ruthlessness of the villains, my adrenaline pumped and my interest was sustained.

The plot isn't great. Nor was the acting worthy of any awards. But I found the movie entertaining, nonetheless. Sure, parts of it are improbable — for example, a guy Ford's age taking such a beating and still whipping the much younger bad guys. And the idea that, with a few furiously typed keystrokes, the senior IT security guy can throw quick rule changes into production to slow down the infiltration of a probing hacker. The security executives I know, myself included, are far removed from actually making technical changes, let alone making them on the fly and in production mode.

We're also a bit removed from the plush lifestyle of the Stanfield family. Until the dialogue revealed that Jack's wife was a successful architect, I was wondering how in the world he could afford the multimillion-dollar digs on a security exec's salary. On the other hand, many security executives do wear suits, except not in Seattle.

I most enjoyed Jack's resourcefulness. In particular, his MacGyver routine with his daughter's MP3 player and the scanner bar taken from a fax machine. Very clever. Just what I would have done, given the same circumstances.

Robert Patrick, of Terminator 2 and The X Files, put in a respectable performance as Jack's new boss. The part of Jack's wife, Beth, played by Virginia Madsen, was unremarkable. The one character I did find mildly interesting was Jack's assistant, Janet, played by Mary Lynn Rajskub. Rajskub is just quirky enough to make a character interesting but not distracting.

As for the head villain, played by Paul Bettany, I found him to be cold and mechanical, just the way a good villain should be.

Although the movie didn't deliver when it came to either realistic security or security executives, it did deliver on entertainment. Spend the $9.50. And if your date happens to be an architect, spring for her ticket, too. It will pay off in the long run.

BIO: Bruce Bonsall is chief information security officer of MassMutual Financial Group. He has 17 years of experience managing large-scale information security programs. Despite this, he looks — and is — a lot less grumpy than Harrison Ford's character, Jack Stanfield.

This story, "Security Mavens' Reviews of the Movie Firewall" was originally published by CSO.

Copyright © 2006 IDG Communications, Inc.
