Insights and Impact

Ctrl + Delete

Hackers, criminals, nation-states, and the cybersecurity pros who fight them

people stealing data out of a building


Illustra­tion by
Taylor Callery

On a snowy February morning in 2015, US Director of National Intelligence James Clapper sat before the Senate Armed Services Committee to discuss the most pressing threats to American national security. Although President Obama's top intelligence official discussed a range of dangers—from ISIS to al-Qaeda, Russia to North Korea—it wasn't terrorism or espionage or nuclear weapons that topped Clapper's "grim litany."

"Again this year, I'll start with cyberthreats. Attacks against us are increasing in frequency, scale, sophistication, and severity of impact," Clapper said. "Cyber poses a very complex set of threats, because profit-motivated criminals, ideologically motivated hackers or extremists, and variously capable nation-states like Russia, China, North Korea, and Iran are all potential adversaries, who, if they choose, can do great harm."

The boogeyman of the twenty-first century, it seems, is a tech-savvy hacker; his laptop and Internet connection, the new weapons of mass destruction.

Tech historians generally agree that 1988's Morris Worm—the handiwork of Ivy Leaguer Robert Tappan Morris—marked the first Internet breach.

The worm used weaknesses in the UNIX system Noun 1 and quickly replicated itself, infecting computers across the United States and rendering them too slow to use. Morris, who claimed he was just trying to gauge the expanse of the World Wide Web, became the first person convicted under the Computer Fraud and Abuse Act. He was sentenced to three years of probation, 400 hours of community service, and a $10,050 fine. Today, the "reformed" Morris is a tenured professor of computer science and artificial intelligence at the Massachusetts Institute of Technology.

Although curiosity and ego drive some hackers—a few simply revel in the challenge of testing their skills and have no clue what to do once they've scaled the firewall—most breaches are driven by malice and greed. "Almost all company assets today are digital, which means everything is exposed. It's not like we lock the Coca-Cola formula in a safe," says Professor William DeLone, director of the Kogod School of Business's new Cybersecurity Governance Center, which opened in October.

Globally, 1 billion records were compromised in 2014, according to security firm Gemalto, proving that no one, from children (VTech Toys) to government workers (Office of Personnel Management) to adulterers (Ashley Madison), is safe. According to Time magazine, breaches cost the United States $300 billion a year; worldwide that figure is nearly $450 billion—or 1 percent of global income. And what price tag do companies put on creditability, brand reputation, and trust among customers, shareholders, and employees?

Morris might've been a nerd with too much time on his hands, but today's cyberattackers are criminals—terrorists in their own right. Our "new normal," the same terminology applied after 9/11 to full-body scans at the airport and bomb-sniffing dogs on the subway, consists of phishing scams, corrupted hard drives, and offers for free credit monitoring services after a seemingly benign trip to Target.

"Cyberwar is the battlefield of now," Geoff Livingston, author and president of Tenacity5 Media, said in a 2014 Pew Research Center report on cyberattacks. "Don't kid yourself. Battlefields in Sudan, Afghanistan, and Syria are real, but there is a new battlefield and every day wars are won and lost between individuals, businesses, and countries."

Craig Stronberg, CAS/BA '95, CAS/MA '96, is on the front lines of this new war, which is being fought not with pulls of a trigger, but with strokes of a key.

Stronberg, director at PricewaterhouseCoopers (PwC) in McLean, Virginia, is a trained historian who spent 20 years in US intelligence before landing at PwC in 2012. He led the 10-member team that developed the digital Game of Threats, which simulates a real-time cyberattack.

Aimed at C-suites (CEOs, CIOs, and the like) and boards of directors, the game is the only security solution of its kind on the market. Written for the least technical person in the boardroom, Game of Threats was born out of executives' desire to do more than just talk about the ever-snowballing problem of cyberattacks.

According to PwC's 2015 US State of Cybercrime report, 76 percent of the 500 business executives, security experts, and government officials surveyed admitted they are more concerned about cyberthreats now than in the previous 12 months—up from 59 percent in 2014. And for good reason: 79 percent of respondents said they detected a security breach in the last year.

"People know there's a problem and they want to understand it. PowerPoint is not enough. You need to take clients through an experience to help them understand it at a visceral, human, emotional level," says Stronberg, one of Fast Company's "most creative people in business" in 2015.

The game, played by more than 125 companies worldwide since its 2014 release, lasts 20 to 25 minutes (brevity is key to holding participants' attention). Two teams of five—one plays the threat actor, the other, the unassuming Acme Corporation—battle for 12 rounds. Each team has 90 seconds to make a move, such as beefing up IT staff or deploying funds for antivirus software. Feedback—a crashed server or a disgruntled customer's tweet—pops up instantly on the shared screen, and competition is encouraged by Stronberg, who often moderates the sessions.

"There is an emotional distance that exists between human beings, even human beings that work together every day. When you sit down at a conference table, it's there," Stronberg says. "The game evaporates that distance immediately because people are invested in winning. I have seen boards that are far better educated than me trash talk each other like they're back in junior high school. That's what we want—the entertainment value is increasing the learning."

The game's intense pace and ticking clock are intended to replicate the pressure companies feel in the midst of a breach. If a team can't reach a consensus by the time the clock runs out, they lose a turn, making it difficult to win the game. ("It's a reminder that if you have a misstep while fighting a breach, you're not likely to be forgiven.")

Speaking of "winning," Stronberg says victory is never clear-cut—in the Game of Threats or in the face of a real one.

"If you're the threat actor and you lose by points but throughout the course of the game, you've embarrassed the company publicly, taken critical intellectual property, stolen credit card information, and all of that becomes public—who won that game? In my mind, the company lost.

"Conversely, the threat actor may win on points but they don't embarrass the company, they don't actually steal anything, and throughout the course of the game, the company makes some critical decisions. They've laid the groundwork for a good, long-term solution. If the game was 24, 36 rounds, the company would win. It's not just the points that matter, it's the impact of the attack. What's the level of damage that you can sustain?"

Game of Threats is based on table-top, small-group exercises that Stronberg, then an analyst with the Defense Intelligence Agency, began conducting with senior government executives nearly 20 years ago. The goal: to ensure the country's top brass entered no crisis unprepared.

"Imagine your crisis du jour. The president, secretary of state, secretary of defense—they have all gone through that crisis. They have played the threat actor, they have won, they have lost, and they turned out OK.

"When that crisis actually hits, they have a degree of confidence about what to do and where the forks in the road are, which increases their reaction time and the likelihood that they're going to lead us out of it properly."

Although games designed around warfare or a cyberattack have far graver implications than a round of Monopoly (where the worst you can do is go bankrupt), all are examples of social impact play.

According to Lindsay Grace, director of AU's Game Lab, an innovative collaboration between the School of Communication and the College of Arts and Sciences, games can augment our understanding of complex situations within a safe space. Chess, for example, frames war; Simon Says helps children develop impulse control; and flight simulators train pilots to land planes without actually crashing one.

Social impact play—or gaming, the focus of Grace's research—builds on the educational benefits of play and nudges people toward certain behaviors (think MindLight, a video game that helps kids overcome fears and anxiety—not Minecraft). These kinds of games can also harness elements of cooperation and competition to promote creative problem solving.

"The goal is to design a game you'd want to play, even if you weren't learning something," Grace says. "Rather than make the learning more palpable, you design an engaging experience from the start."

Grace likens social impact play to chewable vitamins, basically a healthier version of gummy bears. And Stronberg's Game of Threats is loaded with benefits.

"The game often leads to long time-outs when we're able to talk about how things happen in the real world," Stronberg says, noting that it's not uncommon for players to go three hours without touching their iPhones—a true measure of engagement. "The 'aha' moments that come with gaming, they happen every single time we do this."

When it comes to a cyberattack, damage can take forms far beyond the financial.

On November 24, 2014, Sony Pictures employees fired up their computers to find a picture of an ominous red skull and a warning that the Hollywood studio's "top secrets" would be spilled if unspecified demands weren't met.

Over the next few weeks, hackers calling themselves the Guardians of Peace (GOP) leaked confidential Sony data, including 170,000 emails, executive compensation, celebrities' contact information, and copies of unreleased films. The company's Twitter account was hijacked and the GOP warned of a 9/11-style attack if Sony released The Interview, a buddy comedy about a plot to assassinate North Korean leader Kim Jong-un. Sony canned the film—its big picture of the Christmas season—and sent the flick straight to digital release.

Soon after, the FBI officially fingered North Korea, calling the cyberattack unprecedented in its "destructive" and "coercive" nature. (The North Koreans have yet to take credit for the attack, which cost Sony an estimated $35 million.)

"Sony changed the game," says Kogod's DeLone. "Not only did they steal information and embarrass company officers, but they destroyed everything left behind. In the old days, people would come and rob your house. Now they rob your house and burn it down."

And the flames are nipping, no matter where you turn.

You picked up a new grill at Home Depot: your credit card information has been compromised. You visited one of 30,000 websites corrupted daily: your computer's infected with botnet crimeware. You applied for a secret clearance: your mental health history and fingerprints are now in the hands of criminals. You went for an annual check-up: your Social Security number has been stolen.

(And forget about Facebook. In 2011, the social network said it was the target of 600,000 cyber attacks per day. The admission garnered so many dislikes from users that the company has ceased publicly reporting those figures.)

San Diego-based nonprofit Identity Theft Resource Center (ITRC) compiles an annual report of US breaches across a variety of sectors: banking, retail, education, government, and health care. From Main Street (Main Street Federal Credit Union, 300 records compromised) to Wall Street (Morgan Stanley, 350,000 records stolen), ITRC estimates that 169,068,506 records were exposed in 2015—at an average cost to the company of $154 per record.

And those are just the numbers we know. Browse ITRC's online database, all 197 pages of it, and you'll discover that most of the breaches—Citibank, Safeway, American Airlines, Rite Aid, Cigna—list the number of records exposed as "unknown."

"The breaches that we know about are the tip of the iceberg," DeLone says. "We tend to focus on those breaches that reveal citizens' data and credit cards, but there are many more that aren't publicized.

"It's not a matter of if or even when. It's a matter of yes."

It might seem an unwinnable war, but the Chicago-born Stronberg isn't easily deterred. "[Cyberattacks] have been a problem as long as we've had networks. On the flip side, more companies are aware than ever before of the danger and the risk. Archduke Ferdinand was assassinated in 1914 and African leaders were assassinated in 2010, but a bullet still killed them," says Stronberg, ever the historian. "This is technology that evolves extremely rapidly and it can be very difficult for companies to keep up with vulnerabilities."

Difficult. But not impossible.

It's not enough to understand today's threat; companies need to anticipate tomorrow's threat. Game of Threats, Stronberg says, helps them move from reactive to proactive in their approach to hackers, insiders, criminal organizations, and even—gulp—nation-states. (Lest you think that cyber espionage is just the stuff of a Bourne flick: according to Time, China is responsible for 70 percent of America's corporate intellectual property theft and Russia employs a 400-person "troll army" under the umbrella of its Internet Research Agency, which waged a huge misinformation campaign in support of its invasion of Ukraine.)

"Threat actors in the real world can be defeated if you anticipate where they are going," Stronberg says. "The game can teach you how to make the place really secure so that by the time the threat actor gets there, every door is locked and the cost of picking the locks is too high. It's as much about people and processes as it is about the technology.

"Companies can be proactive, but it's a different way of thinking that isn't natural. People aren't like me, they don't walk around thinking game theory all day," he continues with a laugh. "But they begin to think proactively and they see it's possible to outfox people that they thought were pretty unbeatable. It can be done."

Stronberg—now head of gaming innovation for PwC—and his team of computer experts, ex-military, and hackers are hard at work on new games around an array of business issues, some crises, some not.

"We have found something as a firm that the market really likes and that they want to keep doing," he says. "Gaming is hard. Taking an issue and breaking it into its component parts is a challenge that I like very much. It's not one that I anticipated as a historian, but it's tapped into this nexus of business, analysis, and technology that's interesting and fun."

It's also scored major points with Stronberg's 10-year-old son Mateo.

"I did counterterrorism for a long time. I did some pretty heavyweight stuff and he could not have cared less," Stronberg laughs. "I walked into school last year to pick him up and a second grader came up to me and said, 'Did you make Call of Duty?'"

President Obama proposes allotting $19 billion for cybersecurity in 2017—a $5 billion increase from the current budget. Research firm Gartner estimates global spending on information security will top $100 billion by 2018. In that time, the threat actors will grow more savvy and more sinister, their ranks deeper and their damage more catastrophic.


Last year, Stronberg and his team brought Game of Threats to a Midwest company. At one point, the CEO made a move that he immediately realized was a mistake.

"We stopped that game and had an impromptu discussion about what they'd really do if this happened, and they realized they didn't know," Stronberg says. "If not for that one move in one round of one game, they might not have figured that out until the breach happened. They're now aware they have a gap in knowledge and they're fixing it."

Stronberg is working hard to stay one step ahead of the bad guys in this high-stakes game that he knows isn't really a game at all. Every day in the shadowy cyberworld, war rages on.