If you want to protect sensitive military secrets, start by keeping zombies off your lawn.
Rick Doten is two things: He is the Chief Scientist at the Center for Cyber Security Innovation at Lockheed-Martin, and he is also a self-admitted “huge fan” of PopCap’s utterly charming tower defense game Plants vs. Zombies. Those are two things that you wouldn’t ever think would really coincide. On the one hand, Lockheed-Martin is part of the Defense-Industrial base – contractors who support the US Department of Defense – and they make make planes, ships, electronic and space systems, “and all sorts of cool stuff,” says Doten. On the other, Plants vs. Zombies features potato landmines and cartoon zombies in wetsuits riding undead dolphins.
So one can only imagine the look of confusion on the faces of PopCap’s legal department when Doten asked the casual-games maker for permission to use its living dead in an upcoming presentation about Lockheed-Martin’s cyber security. What could Plants vs. Zombies and military-industrial cyber security possibly have in common?
Some time ago, Doten had been playing PvZ on his iPhone while flying to a cyber security conference in Boston, he told The Escapist. With the game fresh on his mind, said Doten, he had been discussing the title with a colleague at the conference – and he made a surprising mental connection. “I said, ‘You know, it’s a lot like cyber security. You know, it’s exactly like cyber security!'”
In both cyber security and Plants vs. Zombies, defenders must deal with “a persistent adversary,” explained Doten. “They will escalate their attacks as time goes on and as you improve your defenses. So when you think that all your defenses are suitable to completely protect yourself, they try something new to get around your control.” Where Plants vs. Zombies introduces advanced adversaries – bungiejump zombies that can pull a plant out or Zamboni-riding zombies that crush your defenses – the enemies faced by the Department of Defense will try a new tactic.
The main difference between the enemies that Doten and his department deal with and normal cyber-criminals, he said, is that the cyber-criminals will focus on “what’s easiest to do” for monetary gain. They don’t care necessarily what they’re doing as long as it’s an easy way to make money. “In my world, it’s not what’s easiest – they’re goal-oriented.” Like the zombies are out to eat your brains, Doten’s adversaries are after something very specific: They want to learn about military secrets, whether that means blueprints, schemata, or mission data. “They know we have good defenses and so they have to keep stepping it up.”
In order to maintain a good defense (whether against zombies or hackers out to steal state secrets), the first key is understanding the capabilities of your adversary – and sometimes that means having your initial defenses breached. “The first time you play PvZ and the digger zombie comes up and starts eating your plants, you freak out. But you figure out what it takes to beat him, you identify that, and you go forward.”
Similarly, Doten and his department use a kill-chain methodology with multiple layers of defense. “Our adversary has seven gated steps to go through,” from initial recon to the eventual exfiltration or corruption of data. “If I can block them at any one of those stages, then they cannot achieve their objectives.” In other words, you can lose a plant or two but still be golden as long as the zombies don’t eat your brains.
[page]
By identifying new exploits and malcode not seen in the wild and sharing information on how to defeat them with colleagues, they can thwart intrusion attempts – but they always have to be mindful that defeating one threat doesn’t mean defeating them all. “It’s like the dancing zombie,” said Doten, “he’s spawning backup dancers. You need to get the root so your enemies stop spawning.”
It isn’t just about throwing all the newest and fanciest tools at the problem either, said Doten, who compared it to a second playthrough of Plants vs. Zombies after the player has unlocked all of the plants. “Even though you are provided with all of the tools after you’ve gone through the game, you’ll fail if you don’t use them right.” Similarly, if you don’t manage your budget right, you’ll fail. You can’t rely on a technology alone but you need a methodology – you need to plant your seeds in a planned sequence.
You also need to prioritize. “If a digger starts coming in but eating plants away from the house, I don’t need to worry so much about him as I do the balloon guy who’s floating over everything and will get me.” This is the mindset you need while acting under a stressful environment against advanced and agile threats – and the “real fundamental of the game as analogy” is that you need to be able to fight through attacks. If someone is attacking your communications infrastructure, you can’t just halt your operation while you deal with the attack, he said. You need to be able to do things simultaneously, just as you need to keep acquiring sun power and planting seeds even when under attack by zombies.
Even with all these parallels, though, why reference a videogame of all things in a presentation to defense contractors? Had the audience even heard of Plants vs. Zombies before? “I expect to [present] to a non-technical audience,” said Doten. “You don’t need to be an expert in cyber security to understand these concepts – and how you behave affects the security of everyone else. If my grandma’s Windows XP gets compromised and turned into a botnet, it impacts the security of the rest of us. Since everyone looks at these concepts as so scary and intelligent, you need to explain how fundamental it is by relating it to something they understand.”
“It’s not uncommon to use videogames to train people in different disciplines.” The military does sims all the time, air-traffic controllers use a game for training, and even free Windows games like Minesweeper and Solitaire taught early PC adopters how to point and click and drag-and-drop, respectively.
The cyber security industry has a defeatist attitude about the whole thing, said Doten, and he wanted to come up with an effective comparison that would illustrate the importance of controlling a battlespace and disrupting the enemy intrusion. “[Our enemies] need to be right every single step of the way,” he said. “We only need to be right once. I was sick of the industry crying in their beer about it.”
“If you’ve played the game, you totally get it. If you haven’t, you want to play it,” explained Doten, mentioning that a woman from the Department of Defense told him she’d get her people playing the game after hearing his presentation. “I’ve been trying to look for a good analogy for years and I kind of tripped over this one.”
