Why Video Game Publishers Must Adopt Enforceable Security Standards

Video games have been under attack at an unprecedented rate since 2012, with cyber criminals playing an increasingly significant role.

Matthew Cook, Co-founder, Panopticon Laboratories

December 9, 2016


The video game industry’s business model has changed significantly over the past 20 years. In the 1990s, video game publishers sold physical cartridges for $30 to $60 each, making it easy to forecast revenue. In the early 2000s, the Internet paved the way for video games to move online, expanding the revenue stream by introducing monthly subscription fees. Around 2009, the business model changed forever when video game publisher Zynga established micro-transactions. This led to the "freemium" model, in which gameplay became free and revenue was driven primarily by in-game purchases of virtual items and virtual currency.

Overall, the evolution of the video game business model has been beneficial for players and lucrative for publishers. In fact, analysts project that the industry will surpass $100 billion in annual revenue in 2017. However, success often comes with unintended consequences. For the video game industry, these consequences come in the form of cyber attacks, as hackers have followed the money from banks and big-box retailers to online video games.

Cyber attacks on video games now an epidemic
Recently, Trend Micro issued a report on the cybercriminal roots of selling online gaming currency. The report concludes that, "the increase in cybercriminal activity related to online games can be attributed to the huge potential for revenue, the ease of hacking a game account, and the lack of severe penalties or criminal prosecution for such cybercrimes."

Since 2012, video games have been attacked at an unprecedented pace. One of the most notable video game hacks targeted the highly popular League of Legends, published by Riot Games. From 2012 to 2014, the game was compromised, exposing tens of millions of user records to cyber criminals. In late 2015, one of the world’s largest online video game platforms, Steam, admitted that 77,000 of its gamer accounts are hacked every month through special malware called Steam Stealer. Just a few months ago, the worldwide phenomenon Pokémon Go was hacked multiple times within its first week of existence. Then, just a few weeks ago, a large-scale distributed denial-of-service (DDoS) attack on Blizzard Games brought down three of the world’s most popular titles: Overwatch, World of Warcraft, Hearthstone and Heroes of the Storm. This marked the fourth DDoS attack targeting Blizzard’s game client, Battle.net, within a period of a few weeks.

Is video game cybersecurity regulation inevitable?
Recently, the U.S. government has placed the utmost importance on cybersecurity with the passage of the Cybersecurity Act of 2015 and the Cybersecurity National Action Plan (CNAP) in 2016. While no federal agency has yet stepped in on the U.S. video game industry, other countries have begun regulating video games, but with only minimal or no success.

On the state level, the Washington State Gambling Commission recently ordered the video game developer Valve to stop allowing the transfer of gun skins for what it defined as "gambling purposes." Washington state cited $1B in illegal revenue generated as a result of such activity. The practice of sharing gun skins, or any virtual items for that matter, is no more than a mask for players to exchange virtual currency on gray market websites for real-world dollars.

Abroad, the South Korean government passed a series of regulations on the video game industry. It is unclear if the South Korean laws had their intended effects, but some unintended consequences emerged. In fact, the economic devastation has been profound. A country that just five years ago had 30,000 game developers now has fewer than 15,000.

The challenges posed by cybercrime in online video games will gain the attention of Congress and the Federal Trade Commission sooner or later, unless the industry comes together to develop its own set of enforceable cybersecurity standards and guidelines that can protect players and publishers alike.

A model forward
Recognizing the advantage of self-governance, the advertising industry has created a group that the video game industry can look to as a model. The Advertising Self-Regulatory Council is a successful “system by which the advertising, marketing, agency and media industry set voluntary rules and standards of practice that go beyond their legal obligations.” There is also precedent for self-regulation in the video game industry. In 1994, the Entertainment Software Rating Board (ESRB) was formed to “assign ratings for video games and apps so parents can make informed choices.”

Considering the increasing frequency of cyber attacks against the game industry and its players, it is time for industry leadership to proactively work together to define and enact enforceable cybersecurity standards that protect the gaming experience before the government gets involved. 


About the Author

Matthew Cook

Co-founder, Panopticon Laboratories

Matthew Cook is a veteran security and risk professional and a lifelong gamer. He is currently the co-founder of Panopticon Laboratories, the first and only cybersecurity company for video game publishers.
