Everything I need to know about cybersecurity, I learned from Shadowrun (1994). No, I don’t mean the travesty that was the first-person shooter released only to get people to buy Windows Vista. Nor do I mean the Super Nintendo game that got the storytelling right and all the systems wrong.
I mean the pure FASA gaming goodness of the Genesis title. Like Streets of Rage, this game never gets old. It puts you in the shoes of a lone surviving brother out to determine why his sibling’s final run went pear-shaped and left his mates scattered like drek on the wind. It’s got dragons, magical elves, decker elves, snooty elves, grumpy dwarves and some of the most relevant hacking gameplay this side of Netrunner.
Employees Are Terrible Gatekeepers
The easiest way to get into a secure system is to ask. No, seriously. Employees are at fault for three of the biggest data security risks in both Shadowrun and the real world. They create easy-to-determine passwords, forget keycards in glove boxes or desk drawers, and can even give away sensitive info when drunk, intimidated or grateful. Employees are by far the weakest link in almost any cybersecurity enterprise. They send unsecure messages and have no concept of information security or risk management.
Playing through Shadowrun gives you a new perspective on the salaryman, whether he’s paying you to sabotage his co-workers, requesting an extraction from his current job or attempting to stand in your way as you go after vital data. You begin to realize just how important the little guys are, and how the right words to a janitor can unlock doors that no CEO would open for any amount of money. They don’t always teach that in the big universities; it’s a lesson from the school of hard knocks.
Skilled Hackers Don’t Shoot First
It’s fun to think of hackers digitally bashing and smashing their way through intrusion countermeasures (IC), like the White and Black IC that is your biggest threat as a computer expert in Shadowrun. But the smart ones don’t. When a skilled hacker makes a run, he leaves as few traces as possible and takes as much as he can get before he’s noticed or has to get out due to time or security threats. Your best tools are Analyze, Deception, Relocate and Sleaze. Keeping a solid Attack program in your deck is still a smart move, however. Just in case.
The difference between network security and cybersecurity may not matter much to hackers, but to those protecting the network, it’s like building a moat and leaving the drawbridge down. While you may not have these programs in the real world (and we’re not about to tell you which ones really exist), as a network specialist your job is to keep them out. You are the IC, active IC with built-in Analyze, Tar Paper, Trace and Attack. It’s your job to build, maintain and monitor the system that will keep those creeping chummers out and trace them down when you find them.
Remember that the ones who come in guns blazing are the easy opponents, in both the game and real life. DDoS attacks can slow down and even shut down operations, but they’re preferable to losing control of sensitive information. The former can cause interruptions for a day; the latter can kill a company.
All Data Has Value
Paydata: that’s what we call the random files you can steal from almost any storage node in the Matrix of Shadowrun. In the real world, all data is paydata. Shadowrun teaches you that work schedules, maintenance logs and shipping manifests are invaluable when you need to find someone or something. It’s no different in the land of flesh and bone. This means that anything not posted on a signboard in the lobby should be protected against external threats.
Anything less can provide outsiders with an avenue inside the building or the network and the company’s trove of secrets and confidential information. On top of that, data security in industries such as healthcare and manufacturing is paramount. In Shadowrun, you likely hacked into Renraku to get info on an experimental artificial heart. Back then it was science fiction, but we’ve already had a vice president with one. It’s the cybersecurity professional who keeps medical records and cutting-edge discoveries safe.
Taking the lessons of white-hat hackers and cybersecurity professionals to heart, it becomes apparent that gear matters. You don’t run the high-security systems in Shadowrun with a Master Persona Control Program at level one, and you shouldn’t expect to protect your network in the real world with a stock OS firewall. The bleeding edge of the cybersecurity arms race is already here. Developments escalate the state of the art every day.
The best thing you can do as a hacker in Shadowrun is keep your gear up to spec for the next challenge. You don’t go sinking every nuyen you get into the biggest and baddest Fairlight Excalibur you can get your hands on, though. You build up to it step by step. Similarly, a cybersecurity expert doesn’t convince a small business to buy up the latest and greatest corporate-espionage level IC in the real world. The professional plans, and budgets, for the threats the company faces now with an eye toward their evolution in the future.
In Shadowrun, experience points are called Karma, and they drive your abilities. In the real world, you usually have to go to school, find an internship or just really luck out with an employer who sees your level of interest and competency and is willing to give you the opportunity you need to learn cybersecurity.
You almost always need a bachelor’s degree in a related science to even get a shot at that opportunity. A master’s degree is almost a foregone conclusion these days. Whether you’re grinding Karma by hassling Halloweeners or getting real-world experience through one more midterm, remember that what you learn and how you apply it is what gives you the real edge. Oh, and don’t forget to put points into Body. A sharp mind benefits from a strong body, and no one can use an expert who shows up sick or a shadowrunner who can’t take a punch.
Never Deal With a Dragon
The final takeaway from Shadowrun on the Genesis is one that all runners learn at some point in their careers. Either as a warning from the more experienced or through painful experiences of their own. Never cut a deal with a dragon. In the real world, there are no dragons, but there are plenty of people gunning for the assets you protect. They’re hoping you’re one of those weak-link employees.
Maybe they think offering you a job with a bigger firm will be their key, but they’d never trust someone who already betrayed an employer. Maybe they’ve got some sort of social grudge against your boss; it may even be a cause you support, but never deal with a dragon. No one who comes after a cybersecurity professional with honeyed words and promises of a better job in exchange for access of any sort has your career interests at heart. Show your integrity by facing down the beast and guarding that gate. That’s what will impress your real career prospects and keep you from being eaten by someone with ruthless ambition.