The Next Big Fear: What Digital Games Really Teach Us about Information Security
For over three decades, audiences have enjoyed watching the exploits of hackers on film and television. What began with films like Tron (Kushner & Lisberger, 1982) and War Games (Goldberg et al., 1983) has led to television shows like Scorpion (Woodrow et al., 2014) where hackers take down international criminals every week. While Hollywood has made great strides in accuracy in recent years, most depictions of hacking are comically inaccurate. Academics and the popular press have written broadly about this issue. Unfortunately, given how little most people know about information security, and that there are very few systematic efforts to educate youth about this topic, popular media may be the only exposure that some people have.
To a somewhat lesser extent, digital games have also depicted hackers and computer hacking. Interestingly, games often allow players to engage in simulated information system attacks. One of the first of these games was Hacker (Activision, 1985). In the game, players break into a computer at the Magma company, take control of a subterranean robot, and attempt to recover pieces of a shredded document for the U.S. government. The game combines many elements of information security and espionage, making it a notable first entry into the genre.
Games have advanced significantly since the days of CGA graphics and floppy disks. A more recent game to enter the hacking genre is Watchdogs (Ubisoft Montreal, 2014). Set in a futuristic version of Chicago, players can explore and hack the open world environment while unraveling the story. Using his cell phone, the protagonist Aiden Pearce can hack into the ctOS (central operating system) that controls everything from street lights to soda machines. This allows Aiden to access information about characters he encounters and even other players online. He can use this information to wreak havoc, prevent crimes, or advance the narrative. Political commentator, Glenn Beck has expressed concerns especially about Watchdogs and the dangers of inviting this type of thought (yazakchattiest. 2015). His comments are reminiscent of the ongoing debate about the link between video games and violence that has consumed so much academic effort (Anderson & Dill, 2000; Anderson & Carnagey, 2009; DeLisi et al., 2013).
At the same time, government agencies and educators have continually examined the value of game-based education on information security topics. CyberCIEGE (Naval Postgraduate School, 2004), a game developed by the Navy and other government partners, aims to train civil servants and military personnel on information security issues (“CyberCIEGE,” n.d.). Although the game now looks like a dated version of the Sims (Maxis, 2000) as characters flap their arms mindlessly in cubicles, it uniquely forces players to consider real-word scenarios and the tough calls that personnel and IT managers must make (Irvine and Thompson, 2004). In 2010 the United States Air Force contracted with Wombat security to develop an anti-phishing game for $750,000 (Bart, 2010). The Office of the National Coordinator for Health Information Technology's (ONC) Office of the Chief Privacy Officer (OCPO) also recently released CyberSecure: Contingency Planning (2013) and CyberSecure: Your Medical Practice (2013). Not surprisingly, such games are complemented by an ever growing body of research on games in education (Gee, 2003; Egenfeldt-Nielsen, 2005, McClarty, 2012). This presents an interesting scenario in which the public fears the impact of simulated hacking in games made for entertainment, while government agencies and private corporations produce games that feature hacking in order to train stakeholders.
Shoot the Firewall! And Other (Un)Realistic Hacking Methods
One way to better understand this situation and its real implications may be to analyze the procedural rhetoric of some recent games. Bogost (2008) proposes the term procedural rhetoric to refer to “the practice of effective persuasion and expression using processes” (p. 125). Unlike other forms of rhetoric, procedural “arguments are made not through the construction of words or images, but through the authorship of rules of behavior, the construction of dynamic models” (p. 125). Bogost emphasizes the value of procedural rhetoric as a method for analyzing and designing games. He also illustrates the way procedural rhetoric functions in both games designed for entertainment and education, drawing examples from Animal Crossing (2001), The McDonald’s Video Game (2006), America’s Army (2002), Bully (2006), and Spore (2008).
Let us consider, for example, the game Dex (Dreadlocks, 2014). In this game, players assume the role of a hacker named Dex who is pursued throughout Harbor Prime by a secret and powerful organization called Complex. With the help of other hackers named Raycast, Decker, Tony, and Niles, Dex sets out to destroy the GSV 2 (Grid Security Virus 2), a virus that aims to contain a rogue computer AI named Kether. After destroying the virus, Dex is captured and learns from Raycast that she is a clone with implanted parts from Kether--this explains why she can connect to the c-space network without a jack implant. Raycast wants to stop Complex from controlling humans as they transition to a post-human cyborg reality. Ultimately Dex meets Crow, the leader of Complex, who reveals that Dex is the chosen one and able to integrate with Kether—this has been Crow’s goal all along. At the end of the game, Dex has the choice to destroy Kether or merge with it. The game also includes many alternate story lines about prostitutes and even a mother who needs a spleen transplant.
The game is a mix between a side-scrolling platform action game, a role-playing game, and 2D overhead shooter. As players explore the world, the story is revealed through spoken dialogue with prompts for choosing Dex’s dialogue. At times, players must use their mouse and keyboard to kick, punch, shoot, and grapple with violent non-player controlled characters. Players receive both skill points and experience points for performing certain tasks in the game and can also purchase augmentations for a Neureoweave that allows other skills.
Hacking is an especially notable part of play. To do this players enter augmented reality mode, which is a top down 2D mode where they shoot various representations of network components. For example, a player must shoot lasers at a glowing red firewall that actually shoots fire. There is also a persistent danger of viruses coming to attack the player. To remind players they are supposed to be in a computer world, exits are marked with the word Logout.
Procedurally, the game presents players with a dystopic future where technology permeates everyday life and even augments our bodies. The relationship to this technology can be viewed alternately as a way to liberate humanity or another method to enslave it. As with other role playing games, much of the labor of the game revolves around acquiring goods—capitalism, technology, and weapons are certainly the way to succeed. Also, important to this analysis is the fact that the world is connected by a web of technology that grants or doesn’t grant access. By requiring players to continually hack the systems in the game, player are taught through the procedural rhetoric that information systems can be overcome with good hand eye coordination and the ability to effectively shoot glowing red circles.
To contrast Dex, the educationally focused game CyberSecurity Lab (NovaLabs, 2014) aims to help visitors transition from watching science on PBS to participating in it by “completing a series of cybersecurity challenges” (NovaLabs, 2014). Upon clicking the play button, users are presented with a screen to choose an avatar and one of four fictional social media companies. The next screen shows a conversation with a cat who tells the player that the company site is launched, after which there is an incoming cyberattack. The game starts with a virus then moves to vulnerability probing and other types of attacks. The narrative of the game centers around conversations with this cat about attacks and methods for addressing these attacks as the user base for the company grows. There are also conversations with other characters as part of training challenges.
The game is played by spending virtual coins on different defense mechanisms for the network. These can range from software solutions to training. When the battle button is clicked the users can witness a simulation of an attack with colored lines representing different strength attacks. The defense mechanisms are shown as walls that block these attacks. A report on the attack is then offered with hyperlinked definitions about types of attacks. Players can also complete coding challenges, password cracking challenges, and social engineering challenges to earn stars that can be traded for coins. Progress is linear with new areas only being opened after challenges are completed. Score is kept according to the number of users on the fictional site; this number increases as challenges are completed and network attacks are defended.
As depicted in the game, websites are often launched before the people running them are fully prepared to handle the security problems that can arise. What follows procedurally is a series of efforts to educate oneself while at the same time protecting the information system. As the user base grows in popularity and size, it draws more attention and requires different skills. The procedural argument of the game is that training leads to preparedness, which in turn can mitigate risks but often never provides full protection against ever increasing and persistent threats.
At the most basic level, we can see that both games, regardless of their motives aim to engage and entertain players; this is a direct result of their nature as games. Whether or not there are explicit stories or developed plot structures, there are narrative events that are logically linked to create a context for playing the games. When combined, both play and narrative elements work in nuanced ways to present users with meaningful systems that react to player input. As users interact with these systems or are conditioned by them, they are engaging with a new form of argument unlike the more classical written forms many are accustomed to. Games that are designed primarily to entertain audiences like Dex (or Watchdogs) typically have narratives with well-developed stories and plots, violent action sequences, and robust economies. The play elements relating to information security are often metaphorical in that images are used to represent technical concepts and simply pressing a button or shooting the representation of a firewall grants a user network access. While these games procedurally make players aware of the vulnerability of an interconnected world, they do not teach hacking skills. However, they do an excellent job of preparing players with a hacking mindset. This is tempered with narrative contexts that link hacking to real world consequences ranging from financial gain and heroism to death, alienation, and despair. Games designed to educate audiences like CyberSecurity Lab seem to lack the richly developed narrative contexts that make hacking so meaningful in entertaining games. The opportunities for play are also restricted to carefully scripted scenarios, unlike the creative hacking engendered by entertaining games. While educational games similarly feature persistent threats, the moral imperative is to defend the network and learn about vulnerabilities and not to wrestle with the ethics of hacking.
In short, public fears that digital games of any kind will usher in a new generation of super hackers are unfounded. At best, such games are a platform for introducing basic information security concepts. And yet, the fact that all of these games seem to highlight our inability to secure systems in an interconnected, technology rich, society points to a much larger cultural fear and problem. Perhaps this is what we are truly worried about when we worry about games and information security.
For a list of References, please click here.
Nate Garrelts is an Associate Professor of English at Ferris State University. He has edited three collections of essays on digital games: Digital Gameplay (2005), The Meaning and Culture of Grand Theft Auto (2006), and Understanding Minecraft (2014).