What to Expect – Video Game Cybersecurity in 2017

In our last blog post we looked back on 2016, making the argument that this year was finally the year in which the video game industry recognized its cybersecurity problems. With example after example of some of the world’s most popular video games succumbing to attacks, it’s hard to see any outcome other than one that encourages video game publishers to become more proactive in their cybersecurity. But only time will tell if that prediction comes true.

What we do know for certain, however, is that cyber attacks targeting video games won’t suddenly disappear in 2017. Instead, we’re likely to see threats continue to increase, as game revenue becomes even more tied to microtransactions and gamers spend incrementally more dollars to improve the game experience. So what can we expect in 2017? Here’s what we think will happen…

Potential Escalation of Regulatory Efforts

We’ve written extensively (click here to download our whitepaper on regulation) about potential ways that regulation could impact the video game industry should cyber crime continue to expand without appropriate industry countermeasures. While it remains to be seen whether or not the FTC or Congress would lead the charge, the recent news from Colorado Senator Cory Gardner, in which he stated his intention to form a Senate committee on cybersecurity, suggests that the Upper Chamber might have a say. We’re also likely to see more demands from states, such as the one made by the Washington State Gambling Commission, for publishers to stop actions from third-party websites that publishers do not sponsor. This might also have unintended consequences for fan and modding sites that add value to publishers and gamers, but technically operate in the “gray.” As legal requests from the states, and potentially the Feds, add up, publishers’ executives will be forced to engage with an army of attorneys to figure out how to answer court orders and legal challenges. Don’t be surprised if we see a few fines issued by government institutions against video game publishers as well.

The Criminalization of End User License Agreements (EULA) Violations

Earlier this month, Korea became the first country to make circumventing video game EULAs a punishable criminal act. As Develop-Online stated, “This is a big step for gaming companies, who now won’t be forced to rely on obscure or indirect laws to try to punish makers and distributors of malicious programs.” While this may seem like a move that is favorable to publishers, it too is already having unintended consequences for both developers and players. Furthermore, it remains unclear how successful this tactic will be. EULA regulation is essentially a reactive security measure (we wrote about why that’s not good), meaning it is unlikely to stop professional fraudsters from doing their jobs. In 2017, we believe that the world’s lawmakers will look closely at Korea’s successes and failures with this law, to determine if it’s suitable for their country to implement, or if it’s actively harmful to the game development community, like the country’s Shutdown Law of 2011.

Hackers Take Advantage of Better Tools

Current hacks on video games are old-fashioned. We’ve talked many times about how a lot of the same tools and techniques used against the banking industry 10 years ago are being used on games today. As video games become more of a target for sophisticated hackers, nation-states, and even cyber terrorists, look for the use of more sophisticated, yet readily available tools, such as IP/Geo spoofing and Man-in-the-Middle exploits that can easily defeat the amateur security protocols used by publishers. Adversaries haven’t needed to use advanced tactics up until now because the games didn’t push them to do so. But as security increases, even ever so slowly, hackers are already thinking 2 or 3 steps ahead.

Cross Pollination between In-Game and Out-of-Game Cybercrime

Finally, signs point to 2017 being the year in which video games are called out as money laundering vectors for larger organizations or institutions. We’re already seeing this with online gambling, and games, like FIFA, are making a concerted effort to distance themselves from any connections to casinos. See how daily fantasy football companies have rebranded as an example. The video game industry must prepare for when another industry’s regulators come knocking, seeking answers and trying to connect how its virtual items and currency were transformed into real money that aided in a purchase of weapons or drugs. When this happens, publishers must show that they are aware of the situation and are planning ways to remedy it. They must be transparent in sharing information requested by agencies, but do so in ways that protect crucial data, IP and business intelligence. The economic (trading of virtual goods and currency) aspect of video games must not be seen as the weakest link in the chain, because regulation addressing it could destroy the industry’s revenue model and hinder the player experience significantly.

2017 is a year in which the video game industry must continue to stride towards a stronger security posture. It must pay attention to how other countries are handling the epidemic and weigh solutions both as independent publishers and collectively as an industry. The option of doing nothing and staying the course would be catastrophic.