Future Tense

Cybersecurity: The Lame Game

The U.K. uses a game to try to identify cyber talent—but it’s perplexingly boring and buggy.

U.K. Cyber Security Challenge game screenshot.
The author’s avatar for the U.K. Cyber Security Challenge game.

Screenshot via Cyber Security Challenge

It can’t be easy to design computer games for the very paranoid. At various points while trying out the U.K. Cyber Security Challenge games, which were designed to identify and train cybersecurity professionals, I managed to convince myself that the whole point of the game was to see whether I was stupid enough to download whatever files I was being instructed to download, that the designers were intentionally providing incorrect passwords to those files to see whether I could find another way to access them, and that the games were nothing but an elaborate ruse to undermine my personal device and network security. It’s not easy for the very paranoid to play computer games either, apparently.

I was drawn to the games by the announcement last week that the U.K. Cyber Security Challenge had unveiled a new “virtual skyscraper” called Cyphinx to serve as a portal for various cybersecurity-related games and competitions. The Cyber Security Challenge bills itself as a “series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable more EU citizens resident in the UK to become cyber security professionals.”

Security industry professionals worked together with “young cyber enthusiasts” between the ages of 12 and 25 to develop the games. As someone who teaches computer security classes to college students in that age range and spends a fair bit of time thinking about both which skills those students most need and what will get them excited about the field, I was interested in the new gaming suite on several levels. For one, I was curious which kinds of skills the U.K. was looking for—or cultivating—in the youths it hoped would go on to form the core of its security workforce. For another, I wondered whether the gaming interface would, in fact, prove to be fun and engaging, whether it might even offer ideas for how to get teenagers interested in security. And finally, of course, I was also a little bit curious how I would fare against the British kids for whom the site was intended.

Other than a brief, intense Tetris-playing period in college, I have pretty much no experience with computer games and am not in any way qualified to review their graphics or animation or just about any other element of the game interface. I will say, however, that my avatar—with her bluish hair, dark blue skirt, and bright green tank top and shoes—did not really resemble any cybersecurity professional I’ve met. But then, perhaps the point was to make them look more like cool, young aliens rather than boring, old business people—perhaps that look tests well with the 12-to-25-year-olds in search of a career path that will welcome their neon green ballet flats.

Once I had created my avatar, it was time to explore the Cyphinx skyscraper. And however much the avatar design may have served to subtly suggest that cybersecurity was a hip, fun field, the Cyphinx building’s anonymous corporate setting more than counteracted that impression. You could almost hear my avatar wondering, as she stumbled from challenge to challenge, “How did a cool, young, blue-haired woman like me end up in such a stodgy, beige building with such unflattering overhead lighting?”

But the look and feel of the characters and the setting were not my primary interest in Cyphinx—I wanted to know what actual, concrete skills it was testing for. This turned out to be surprisingly difficult to get a handle on.

The first challenge I attempted was the “Schlep Reception Challenge,” which instructed me to download a password-protected zip file. To get the password needed to unzip the file, I was directed to this introduction video, which provided, at the end of the video, the following code to access the game: y*9tHn{23%. This password failed to unlock the zip file I had downloaded, and I couldn’t decide whether it was just a glitch or an intentional misdirection to see whether I could get at the contents of the zipped file even without being handed a password.

At that point I returned to the game’s instructions, which stated: “Once unzipped run the file ‘Game_1.exe’ to access the game.” This left me even more baffled—not only was I apparently supposed to download strange files onto my computer at the behest of this relatively unknown website, but now I was supposed to run executable files (that is, files with the .exe extension)—surely this couldn’t be right! One of the cardinal rules of computer security, after all, is that unknown executables are dangerous—you shouldn’t install anything on your computer without knowing what it is and where it came from. Who would conceivably hire for a cybersecurity job a person who cavalierly downloaded and ran executable files off the Internet? Could it be that the whole point of the game was to weed out the players foolish enough to blindly follow these clearly suspect directions?

U.K. Cyber Security Challenge game.
The author’s avatar in the U.K. Cyber Security Challenge game.

Screenshot via Cyber Security Challenge

The climactic line from WarGames—the 1983 movie in which Matthew Broderick tried to make cybersecurity seem cool—came to mind: The only winning move is not to play. If I went any further down this path, would it unmask me as a fraud, unfit to claim any knowledge of computer security whatsoever? But surely that was taking my paranoia a little too far, and so, sufficiently stymied by the combination of the incorrect password and the dangerous .exe files, I moved on to a new challenge, titled “The Enemy Within.”

The goal of this challenge was described as helping players “identify the means by which an insider may accidentally or maliciously leak organisational secrets via seemingly innocent files,” and it, too, required me to download a zip file. This one, thankfully, unzipped without the aid of a password, yielding 14 different files, of all different types, each related to a different quiz question.

The first file was an eight-slide PowerPoint deck titled “Year End Financial Report,” and tucked into the Notes section of the fourth slide was the text: “Including IBAN number for payment: GB82 WEST 1234 5698 7654 32.” Sure enough, the first quiz question asked me to identify the International Bank Account Number in the slide deck. (A “README” text file included in the zip file assured me that “all data contained within this zip is fictitious,” so I feel fairly confident that GB82-WEST-1234-5698-7654-32 is not, in fact, a real bank account number.)

The next question involved extracting a door access code from an .xml file in which it had been encoded in base64. The third involved extracting location information from a .jpg file. After failing to procure the correct password for the first challenge, I was somewhat relieved to discover that I could answer these questions correctly. I was also surprised by how quickly the trappings and graphics of the game fell away once you embarked on an actual challenge—the skyscraper seemed to be mainly just for show; the real security tasks involved examining files and security logs and did not really seem to benefit from, or even relate to, the gamified setting.

As best I could tell, the Cyber Security Challenge seemed to reward attention to detail and resourcefulness even in the face of somewhat repetitive and tedious data (think PowerPoint slides) rather than deep technical knowledge or understanding of computers’ inner workings. These are not bad skills to be seeking out for novice security professionals, and it’s possible that players’ technical expertise was tested in higher levels of the game—I only had the patience to play a few rounds of a few different challenges. But there would be so many more entertaining and engaging ways to assess them than providing fake financial reports.

The portrayal of security work as somewhat dull and monotonous at times is not inaccurate—but neither does it necessarily seem like the most effective way to lure in a new generation of security professionals. Strangely, I came away feeling like the game was actually less fun than real security work.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.