Improving Critical Infrastructure Cyber Security and How it Relates to iGaming

On February 12, 2013 President Obama issued Executive Order 13636.  Among other items, this order recognized the need for improvement in cyber security, directed the National Institute of Standards and Technology (NIST) to create a framework to be followed, and encouraged sharing of information between private companies and the Government.  One week later gaming stakeholders and interested parties convened in Las Vegas, Nevada for the iGaming North America (IGNA) conference.  While there was much talk of liquidity, state rights, and the possibility of Federal regulation, there was precious little discussion on the subject of information security. What can the iGaming industry learn from the current Federal initiatives in cyber security, and how can it avoid the mistakes that have been made before? One thing that is clear is that cyber security is in the news, from the advanced persistent threat (APT) and attacks from China to social networking services, such as LinkedIn and Evernote, being compromised. Even the Federal Reserve of the United States had a recent security breach.  The media has jumped on these stories for a variety of reasons, and yes, sensationalism has been one of them.  The iGaming sector is an area that the mainstream media (and for that matter the information security news outlets) have ignored.  This is not because it is safe from threats; one only need to read sites, such as two-plus-two, that focus on gaming and poker.  If iGaming is to succeed in a highly regulated environment of the United States, it has to learn from and address security issues that were encountered in the past (for example, the Absolute/Ultimate Bet backdoor, and Cake and other sites not implementing encryption and SSL correctly).

The gaming industry understands this and the various regulatory bodies have standards, including security, which the sites must meet.  Unfortunately, each regulatory body has adopted different standards that the operators and players must be adhered to.  Often these standards are not as strict as they need to be.  Compare this to the above mentioned executive order where NIST was given the authority to create a framework for all critical infrastructure organizations.  Here we have a central authority that is responsible for setting and enforcing standards..  Of course, regulation and compliance enforcement are not the silver bullets that will eliminate security breaches.  There are plenty of companies and organizations that have been tested for meeting compliance with security standards, such as those established by PCI and FISMA, but have still been subjected to security compromises.  The primary reason for this is that these companies limit their security goals and activities to compliance with standards.  The same trend has already been observed in the iGaming space.  I recently had an individual from one of the major testing labs tell me that they have to be careful only to test to what the standard requires, no more.  Unless the sites begin to go above and beyond what the regulations require, they will suffer the same fate that many companies in other sectors who just view compliance as checking a box.  Regulation alone can't make the sites secure, but it is a necessary starting point.

An interesting part of the executive order was the section encouraging information sharing between commercial entities and the Federal government.  While this is part of the order that some critical infrastructure organizations are not fond of, I believe it does make sense.  Perhaps not as damaging as an attack against critical infrastructure, a significant breach against one of the iGaming sites may have dire consequences for the entire industry.  Imagine if one of the online poker sites suffered an attack where player’s hole cards could be viewed.  Even though only one site was affected, the general public’s perception of the safety and integrity of the overall industry could be greatly compromised.  I am not suggesting that competitors give away their trade secrets, but sharing information in certain areas would have its benefits.  For example, if operators were to share distributed denial of service (DDoS) threats and attack vectors, or if they discussed how they were detecting the latest bots and collusion attempts,  the industry would become more mature and respected due to its greatly improved security posture.  Perhaps this type of activity already takes place and you have Poker Stars, for example, sharing security information with Bodog, but I doubt it.  Before critics claim that this does not happen in other industries, I am here to tell you that it does.  For example, one of my customers is in the railroad industry, and the major railroad’s heads of security meet on a regular basis to discuss what each is doing and learn what improvements they can make.

I am not going to lie, security comes at an expense.  The $64,000 question is: Would players pay more for using a site that they knew took extra steps to verify and ensure the security of the gaming platform and environment?  Unfortunately, often businesses look at this additional cost and, because they do not see an immediate return on their investment, it is one of the first items to get cut. This does not occur just in gaming.  Under competitive pressure to cut sometimes security becomes the victim.  The more visionary site owners do take security seriously, and I have had gaming customers come to me because they don’t want to just comply with regulations and minimum internal control standards, but make sure their systems are actually protected.  Would customers be willing to pay ten cents more in rake if that meant that the code was undergoing security reviews on a regular basis, that monthly vulnerability assessments were occurring, and that other security mechanisms were in-place?  I am not sure, and the argument can be made that they should not have to.  However, unless these types of continuous monitoring approaches are mandated, I don’t believe it will be done unless a portion of that cost can be passed on.  Even though operators should realize that they are only going to get one chance.

Securing iGaming has only gotten more complicated over the past few years.  The games and applications are more complex, they are being offered on new platforms, such as mobile, and the stakes have never been greater.  I do believe that the iGaming industry needs to borrow the right concepts and plans from other verticals, including the Federal government, and at the same time learn from the past mistakes that have been made both within and outside gaming.