Fact or Fiction: A Discussion on the Catastrophic Cyber Events Depicted in Leave the World Behind

The public imagination regarding the potentials of a cyber-related disaster have taken many shapes—perhaps one of most recent depictions is the Netflix adaptation of Rumaan Alan’s novel, Leave the World Behind, starring Julia Roberts, Mahershala Ali, and Ethan Hawke. The story of Leave the World Behind follows the Sangford family who travels to Long Island, New York for a holiday, staying at a short-term vacation rental property. Shortly after the vacation begins, the host family, G.H. and his daughter Ruth, return to their Long Island home unexpectedly on a tip that a war is impending. A series of unexpected events unfolds, each of which amount to war with a distinct cyber character.

This article is an interview with Markel’s Kelly Castriotta, Global Executive Underwriting Officer, and Sam Hansen, Senior Cyber Risk Solutions Specialist.  Kelly and Sam discuss the themes of the film and the real-world impact of such fictional events. Note that there are spoilers included within.

Shortly after the Sangford family arrives at the vacation home in Long Island, cable and internet service is disrupted. At first it seems innocuous, but in the follow up events, it’s implied that critical infrastructure has been attacked by hackers (which are later thought to be government actors). How can this happen? Is this likely to occur?

Sam Hansen: A typical internet outage that we have all experienced is most likely not the result of a cyber-attack. However, attacks against critical infrastructure are becoming more of a reality and are either perpetrated by those who seek to cause disruption and harm (nation states), or those who seek potential monetary reward (ransomware groups). Historically, ransomware groups focused on monetary awards have deliberately avoided attacking critical infrastructure to keep a lower profile from law enforcement agencies. Mistakes do happen, but it is known that certain groups ban their operators from targeting hospitals, for example, where disruption could result in care being unavailable.

We have examples of nation states with the resources to perform cyber warfare on critical infrastructure. It has been reported that a Russia-affiliated group targeted Kvivstar, the largest communications provider in the Ukraine servicing around 24 million people (about the population of Texas), deployed wiperware (a destructive malware that seeks to render systems unusable with no option to reverse the impact) in December 2023 to disrupt Ukrainian communications–both military and civilian. The internet outage lasted (at least partially) for a few days. The forensic analysis identified that 1) initial access was achieved around May 2023; and 2) full access–to the point where they could impact most of the organization–was achieved around November 2023. This was a targeted attack in cyber warfare. In January 2024, a Ukrainian-affiliated threat group “hacked back” a Russian internet service provider, M9com, and similarly destroyed a significant amount of data causing an unreported amount of internet outages. These events are plausible to happen across the globe.

The Cybersecurity and Infrastructure Security Agency in the United States, the National Cyber Security Centre in the United Kingdom, and other similar organizations across the globe are putting more emphasis than ever on protecting the critical infrastructure of their respective countries. The Department of Homeland Security in the United States has been granted one billion dollars to be awarded to state, local, and territorial governments across the United States through grants to assist with the costs associated with implementing a cybersecurity program.

Kelly Castriotta: We don’t know a lot about the details of what caused this infrastructure outage in the film, but there’s much implied. One of the characters is getting mobile service and news alerts that hackers have caused an outage. The services are not restored over several days of the story. We don’t know how extensive this outage is from a geographic perspective other than it extends to Manhattan where the host family, G.H. and his daughter, Ruth, were recently.  Certainly, outages are normal and occur based on many things, including naturally caused physical perils like storms, fires, earthquakes—even vermin. (By the way, a typical Cyber insurance product doesn’t respond to these types of perils.) In the movie, there’s an implication that the servers were intentionally knocked out by malicious actors so that the intended victims are not able to communicate with each other. This has serious disorienting consequences: it effectively destroys a community’s ability to cooperate as well as creating panic.

Further to Sam’s observations, such real-life attacks have been somewhat underwhelming and nowhere near the scale implied in the film. The 2015 cyberattacks on the Ukrainian power grid left 230,000 people without power for six hours.  This is small potatoes compared to what is implied to be happening in the film (all of Long Island and some NYC Boros without power) and compared to what happens in real life from natural catastrophes, like Hurricane Ida leaving 430,000 households in Louisiana without power for over a week, or Superstorm Sandy causing power outages for 8.5 million customers over 21 states.

So, since much of this is Hollywood-driven storytelling, what can we take away? We can think of a helpful analogy here. If this were to happen on a smaller scale—say to an enterprise—we can draw a lot of parallels. For instance, what if a company’s network went down because of a cyber-attack? It’s very likely that even the highest levels of the organization will not be able to communicate with each other on traditional forms of internal communications such as email. So, now, they are forced to contact each other via other means. This is a basic note but an important one and part of any proper incident response plan.

It’s also interesting that there is a limited institutional response characterized here in the film. We don’t see police officers or local politicians coming around to houses in the community in any attempt to restore order. All the characters have is the standard emergency response warning on the television. I suppose the implication here is everyone, including key government officials, may be in the dark about how to react and what the next steps are.  This raises an interesting question: is it possible to execute on a grassroots or top-down disaster recovery plan for something like this type of event?  That’s an idea that is maybe relatively untested in a digital age. Perhaps there is need for an organized response to a digital catastrophe that we shouldn’t take for granted how to respond. However, notably the US has emergency response mechanisms, like FEMA, for disasters. We see nothing like this type of response in the movie. And therefore, I find the scenario described as somewhat unrealistic.

I will note that at this point of the film, without the knowledge we gain later, whether this would be a covered ‘cyber’ event for companies and individuals under typical insurance policies, the answer is ‘maybe’ or even ‘not likely.’ It depends on several aspects of the attack. Assuming this was a confirmed attack and not an outage, there’s a waiting period involved because the policy is intended to be triggered at a certain severity point, not for a rudimentary outage. And certainly, the outage as described may not satisfy a typical waiting period.

At one point, Clay, Ethan Hawke’s character drives toward town looking for presumably people or better-quality communication about what is happening.  His car is bombarded with literature that appears to have Islamic writing on it.  How does this type of attack fit into a protracted cyber-attack?

Sam:  Initially this literature is the only piece of literature that the characters in the movie are aware of. However, in a later scene, it is revealed that Kevin Bacon’s character, Danny, is aware of similar fliers being dropped in San Francisco in Korean. This is the first indication that we get as viewers that there is a disinformation campaign associated with the assumed cyber-attacks. A disinformation campaign is a tactic used to spread false information or propaganda to advance the goal of the adversary. To me, a disinformation campaign on this scale with a physical aspect would be atypical for a cyber-attack. Disinformation in cyber-attacks is typically used to mask the identity of the original perpetrators. Nation states have been reported to build threat actor groups to cause confusion around attribution and association.

In the film, we see several extraordinary catastrophes. It is implied that because of hackers, an airplane falls out of the sky and a large ship is grounded. Then dozens of autonomous vehicles crash into themselves, blocking a major egress out of the area. Can these events happen as a direct result of cyber-attacks, intended or not? Have these ever occurred in the past?

Sam: As we’ve been saying, the events in the movie are dramatized for the sake of the narrative. It is certainly plausible that the supporting infrastructure for planes, air traffic control, scheduling, airport terminals, could be disrupted by a cyber-attack. However, planes would likely not drop from the sky as if there were no pilots in control, and they are designed to operate without this supporting infrastructure available. All technical systems on planes are physically on each plane, and while in some instances they receive information and act from external information, I am unaware of capabilities to have a remote widescale attack on seemingly all planes across different airlines.

As to autonomous vehicles causing a pile up, it is harder to speculate on this issue. Since the increase in technology forward vehicles (infotainment systems, autonomous driving, remote start, etc) car hacking has become an area of focus for security researchers. In early 2023, it was proven that you could remotely exploit a car to turn off the lights, honk the horn, activate the windshield wipers, and make changes to the infotainment system. These vulnerabilities have since been patched by Tesla, who also assured the researchers that they could not have steered the wheel or turned the car on or off. At this point, we have no public evidence to suggest that this is happening.

There are many character-driven theories about who is attacking New York, but nothing is confirmed.  The decentralization of a cyber-attack makes it terrifying per se because this would make it difficult to determine who was responsible and how to stop an attack.  Is this truly the nature of cyber incidents?  Are we able to discern who is doing what?

Sam: It is my opinion that attribution during a cyber-attack is not important until after the incident has been resolved. Successful resolution of a cyber incident involves containment, eradication, and recovery. Knowing who is responsible has minimal impact on how you would stop a cyber-attack. Likely, attribution would occur after the attack(s) are recovered from. 

Kelly: To me, what Sam is describing—the response to and/or reversibility of an attack—is distinct from attribution.  As to attribution, there are often clues, both technological and nontechnological, that identify the nature of an attack to the threat actor. In fact, this happens readily.  It takes expertise, time, and effort, but it is not impossible to ascertain. It happens all the time. 

Now, ‘official’ attribution or attribution from a legal or political standard perspective is different. That concept is more about how what we as a society have decided or failed to decide what it means to make a declaration of attribution: who has the authority to make attributions, how we come to that conclusion, how we communicate that, and how the legal system accepts that determination, assuming that a legal system is involved in the course of the incident or claims administration in connection with a Cyber insurance policy.

Towards the end of the film, there’s a scene where a character is looking out on the Manhattan skyline. We can hear gunfire. Is the world at war? What is your take on this?

Sam: If we accept the assumption that the sophistication and resources required to execute the cyber-attacks across critical infrastructure at the scale in the movie requires a nation state to be involved, I will argue that the United States and the unknown adversary in the movie is at war. The evidence we are given suggests that civil war is happening in Manhattan, and not a physical invasion.

Kelly: To me, this scene did not imply that there was a physical invasion alongside the cyber-attack. Regardless, this has happened before in history, such as the case of the hack of ViaSat, which occurred about an hour before Russia physically invaded Ukraine. Rather, it seems to me that in the film, citizens have turned on each other. This seems to be at least one of the ways in which a disinformation campaign succeeds when taken to an extreme.

But if you accept Danny’s (Kevin Bacon’s) narrative, then we are in a three-stage military campaign. We don’t know, however, if Danny is reliable. He’s one of those guys in a movie with a very defined point of view. He’s prepared for this day, he has weapons; we are led to believe that this guy lives in Machiavellian state. He’s made some assumptions, too, just as the other characters have, about who has perpetrated the attack. Without official messaging from an authority figure, we don’t know what’s true and what’s not.  So, again, this theme of decentralization recurs. And as I stated before, companies who experience something like this can abate that feeling of panic and distress for their employees by implementing an incident response plan.

Suppose that we accept the scenario underlying the movie: that multiple nation states conspire to attack a part of the United States’ critical infrastructure perhaps as a prelude to some sort of modern-day war.  What is the feasibility of something like this?  Would there be any governments capable of organizing in this way? How costly would this be?

Sam:  Unfortunately, the capabilities to attack critical infrastructure by sophisticated nation states already exists. This is evidenced by reports coming out of the recent conflict in the Middle East regarding Israel, who is a leading cyber power, and the Russia-Ukraine conflict. It is difficult to estimate how costly these attacks would be. However, we can assume that the costs would be significantly lower than a physical invasion. Like the movie suggests, an unprovoked attack on this scale would likely be considered an act of war – that act could be organized and perpetrated by a nation and its allies.

Kelly:  I disagree to an extent. Cyber has played a part in recent warfare, and we can assume that modern day war will continue to be multi-dimensional. But we must pay attention to whether it has played a significant role in military warfare and by how much. If we look to recent wars, some studies have reported that Russia’s cyber operations has not made much impact in the war, nor have they amounted to any significant strategic gains.  This is not to say that cyberwarfare won’t play a more prominent part in future war, but the reality is there is a high cost to cyberwarfare and that the impact may not be worth the cost, especially when kinetic attacks are proven to be longer-lasting  (whereas cyber-attacks are readily reversible). Certainly, a real-life example of a coordinated, multi-nation state cyber-attack is not something of which I am aware.

Any final takeaways about the scenarios described in the film?

Sam: It is an interesting exercise to dive into the details, suspected attribution, and plausibility of the events that took place in the film. But that’s what it is, an exercise. The films narrative outlines a scenario where each event happens in a cascading and coordinated order to create chaos in the United States. The film invokes a fear that these events could happen in the real world. And while a few of the scenarios in the film are farfetched for dramatization, we can take the fear invoked in the film and turn it into a positive for both critical infrastructure and commercial risks. 

Cybersecurity is both a technology problem and a people problem. If you pull just one of the plausible scenarios from the film, the basic principles of having a proper cybersecurity risk management program still apply. Cyber-attacks are no longer an “if”, but a “when” and “how much”. Organizations, both large and small, critical infrastructure or not, need to take the necessary precautions to protect their environment from intrusion and minimize lateral movement should intrusion take place.

Kelly: I agree—it is an interesting exercise and presents a fact pattern that highlights a lot of the themes that insurers and policyholders have been grappling with over the course of the past several years. Specifically, what should we, as providers of risk transfer solutions, do about managing widespread cyber events and the impact of such events for affected commercial policyholders?  Additionally, there are typical exclusions in the policies that speak to major aspects of the events here: infrastructure attacks, war (nation state attacks), natural perils (animals), bodily injury, property damage. As discussed earlier, a downstream impact of an attack on critical infrastructure is not covered, with certain exceptions, including for those companies that constitute critical infrastructure or those where the affected technology is under an insured’s direct operational control.

I do want to be clear that the film is very dark. What we are talking about is a highly imaginative set of scenarios. There are certain aspects of the fictional events that are interesting to comment upon as they touch upon some key issues that underwriters think about while strategizing around cyber risk. It would be unusual for an insurance company to model losses to this level of disaster given the unfeasibility and unlikelihood of the event sets, as well as the potential coverage implications. But it should make commercial organizations generally aware of its potential role in this complex ecosystem of cyber risk.

A final point: cyber is a developing risk but it is not without physical, monetary, legal, societal, and other practical constraints. We must be careful about the risk and some of its unprecedented consequences, but we also must temper the imagination and ground ourselves in the data and information we do have about past and developing events.

Meet the Authors