What To Expect - Video Game Cybersecurity In 2017

In my previous blog post, I looked back on last year, and made the argument that 2016 was finally the year that the video game industry recognized its collective cybersecurity problem. Looking through the list of news reports documenting how many of the world’s most popular video games succumbed to hacking, cheating, and fraud, I dearly hope that we will see increased budgets in 2017 supporting better, more proactive anti-cheating and fraud efforts, but only time will tell if that prediction eventually comes true.

What I do know, however, is that cyber attacks targeting video games won’t suddenly disappear in 2017. Instead, game publishers and operators will almost certainly be forced to weather increasing threats to their games' top and bottom lines. So what should the online game industry be on the lookout for in 2017?

Here’s what I think will happen…

Potential Escalation of Regulatory Efforts

I’ve written extensively about potential ways that regulation could impact the video game industry should cyber crime continue to expand without appropriate industry countermeasures (click here to download a recent white paper on this subject). While it remains to be seen whether or not the FTC or Congress would lead such an effort, the recent news by Colorado Senator Cory Gardner, in which he has stated his intention to form a Senate committee on cybersecurity, suggests that the Upper Chamber might have a say. Game operators are also likely to receive demands from state regulatory or law enforcement bodies (such as the one sent to Valve late last year by the the Washington State Gambling Commission) demanding they take action against third-party websites that the publisher does not sponsor, authorize, or control. Demands of this nature might also have unintended consequences for fan and modding sites that do add value to virtual worlds and players, but which technically operate in the “gray.” If states (or, potentially, the Feds), do escalate their oversight activities, publishers will likely have to deploy batallions of attorneys to head off or respond to court orders and legal challenges. Don’t be surprised if we see some very public announcements of fines issued by government institutions against video game publishers, as well.

The Criminalization of End User License Agreements (EULA) Violations

Earlier this month, Korea became the first country to make violating video game EULAs a punishable criminal act. As Develop-Online stated, “This is a big step for gaming companies, who now won’t be forced to rely on obscure or indirect laws to try to punish makers and distributors of malicious programs.” While this may seem like a move that is favorable to publishers, it actually represents the potential for major unintended consequences to developers and players. Furthermore, it remains to be seen how much this tactic will actually affect the activities of motivated, professional fraudsters and toolmakers. EULA regulation is essentially a reactive security measure (I wrote about why Proactive solutions are better back in August of last year), and the continued existance of bank, wire transfer, and ecommerce fraud, despite harsh penalties imposed against convicted financial criminals, strongly suggests that promising to jail or fine EULA violators is unlikely to impress the people doing the most damage: the professional programmers who build and sell cheats and hacks to players, as well as the fraudsters who develop cutting-edge botting and scripting tools. In 2017, I believe that the world’s lawmakers will look closely to Korea’s successes and failures with this law, then determine if similar legislation is suitable for their country, or if it would be actively harmful to game developers and publishers (as South Korea's own Shutdown Law of 2011 ultimately proved to be).

Hackers Take Advantage of Better Tools

Current hacks on video games are old fashioned. I’ve helped write several use cases describing how a many of the same tools and techniques developed to attack the banking industry 10 years ago are now being being used to attack online games. As video games become more of a target for sophisticated hackers, nation-states, and even cyber terrorists, are likely to look for even more sophisticated, yet readily available, tools to facilitate their activities, including IP/Geo spoofing and Man-in-the-Middle exploits that have been shown to be effective in defeating preferred solutions like multifactor autnentication. Criminals haven’t needed to use advanced tactics to attack gamers and operators up until now because the state of game security didn’t push them to do so, but history shows that as security increases, hackers are usually already thinking 2 or 3 steps ahead of where the Hive Mind tells us we should be.

Cross Pollination between In-Game and Out-of-Game Cybercrime

Finally, signs point to 2017 being the year in which video games, particularly larger organizations and publishers, will be called out by name as a vector for money laundering. We’ve already seen this with online gambling, and how publishers like EA have made concerted efforts to distance games whose virtual currencies are used to facilitate large volumes of real-money trading (think FIFA coins) from any similaraties to casinos. See how daily fantasy football companies have rebranded themselves as another example.

Unfortunately, the video game industry can't afford to wait for another industry's regulators to come knocking - they must prepare themselves to provide answers, and a thorough paper trail, in response to any potential accusation of facilitating money laundering (unintentionally, of course) from regulators or law enforcement, as well as clearly document their ongoing tactics and strategies used to prevent the unauthorized exchange of virtual items and currencies to facilitate real-money payments - money that supports a variety of criminal activities that extend well beyond online games according to an October 2016 Trend Micro report. They must also be fully transparent in sharing whatever information is requested by law enforcement or regulators, but in ways that always protect their games' crucial player data, IP, and business intelligence.

I hope that 2017 will be a year in which the video game industry continues to make tentative (but encouraging) efforts to move towards a more cyber-secure security posture, but in doing so, it must also pay attention to how other industries are handling the epidemic of cybercrime. Publishers and operators must pursue solutions that benefit them individually, as well as collectively for the gaming industry's - and the gamers' - common good. The option of doing nothing, and staying par for the course, would be catastrophic.