Mainstream TV rarely gets cyber right, so I sat down to watch CSI:Cyber with very low—very low—expectations. And a BINGO card. I wasn't disappointed.

Akamai security researcher Patrick Laverty posted the BINGO card on Twitter before the show aired, and it shows just how low the expectations were for the new crime drama on anything related to hacking and cyber-crime. The middle square is "Mispronounced Tech Speak." Two other squares worth noting were, "Attempted Tech Talk That Makes No Sense," and "Computer screen show active hacker activity." On the other hand, maybe high expectations killed the possibility of having a BINGO, as the card also had boxes for SCADA and DDoS.

Despite the name, CSI:Cyber has nothing to do with the crime scene investigation unit but rather members of the Cyber Crime Division within the Federal Bureau of Investigation. Talk about discontinuity from the rest of the franchise! The team consists of Special Agent Avery Ryan, a former behavioral psychiatrist, Agent Elijah Mundo, "an expert in battlefield forensics," and three hackers, including Daniel Krumitz, "the best white-hat hacker in the world," and Brody Nelson, a black-hat who Avery wants to turn towards the good guys. The final hacker, Raven Ramirez, doesn't seem to really have a role other than to show females can be hackers, too.

The crime: criminals exploit a bug in an Internet-connected baby monitor with video capabilities to monitor babies and then kidnap them. "There was an electronic device involved," says Special Agent Avery. "By definition, that's cyber."

As we've seen over the past year, it is possible to break into a baby monitor—many of them are essentially poorly secured IP cameras, after all.

The Pluses:

The show used cyber only six times—that I counted—in the entire 40-something minute episode. That's a sign of restraint on the part of the writers.

I enjoyed the bit about Friend Agenda (aka Facebook) being a great investigative tool for law enforcement. That's true! Don't share so much about your life online!

The Minuses:

Krum and Nelson start examining the parents' devices, and the users see lines of green code against a black background. "All I got is green code here," Nelson says. Suddenly, there are lines of code in red. "Oop. There's malware," Krum says. I admit it. I laughed. Is that all it takes? Look for red lines of code?

Time makes no sense on this show. Krum hops over to Chicago, finds a bug in the source code, returns to DC, and there is still time in the day for more police work. Source code review is not a quick ten minute job, even if you are the best white-hat in the world.

My Problem With CSI:Cyber

There were no crazy scenes of our hero working on a laptop in a moving car, with a USB cable connected to an airplane. (Yes, Scorpion has scarred me for life). In fact, despite the name, the show was actually lighter on actual hacking and computer forensics than I expected. It was primarily old-fashioned police work, although I don't know many law enforcement types who can successfully shoot at a guy fleeing on a speeding dirt bike. With just a handgun, no less.

I was disappointed the show didn't even take a line or two to speculate how the remote access Trojan even got on the mom's laptop. They have throwaway explanations like that on Criminal Minds and NCIS all the time.

My biggest problem with the show was the sensationalism. We have lines like "Buy babycam to protect your child - very thing that gets it abducted." The baby monitor itself was tangential to the actual kidnapping. "CSI:Cyber claimed it wasn't going to spread FUD. They lied," Errata Security's Robert Graham wrote on Twitter.

Is CSI:Cyber going to show—and hopefully educate—mainstream audiences what cybercriminals can do? I fear that it's going to just spread more misinformation and blow things out of proportion. Plenty of people have a very lopsided understand of how CSI forensics work because of these shows. Thanks to CSI:Cyber, I guess we will see more of that when it comes to information security.

And no, I am not tuning in next week, not even for the hijacked roller coaster.

Further Reading

Security Reviews