GPWA Times Magazine - Issue 25 - June 2013

Improving cyber security and how it relates to iGaming By Gus Fritschie O n February 12, 2013 President Barack Obama issued Executive Order 13636. Among other items, this order recognized the need to improve cyber security, directed the National Institute of Standards and Technology (NIST) to create a framework to be fol- lowed and encouraged sharing of infor- mation between private companies and the government. One week later gaming stakeholders and interested parties convened in Las Vegas, Nevada for the iGaming North America (IGNA) conference. While there was much talk of liquidity, state rights and the possibility of federal reg- ulation, there was precious little discus- sion of information security. What can the iGaming industry learn from the current federal initiatives in cyber secu- rity and how can it avoid the mistakes that have been made before? Cyber security is in the news, from the advanced persistent threat (APT) and attacks from China to social network- ing services, such as LinkedIn and Evernote, being compromised. Even the Federal Reserve of the United States had a recent security breach. The media have jumped on these stories for a variety of reasons, and yes, sensation- alism has been one of them. The iGaming sector is an area that the mainstream media (and for that mat- ter the information security news out- lets) have ignored. This is not because it is safe from threats; one only needs to read sites, such as TwoPlusTwo, that focus on gaming and poker to realize that there have been security breaches in the past. If iGaming is to succeed in a highly regulated environment in the United States, it has to learn from and address security issues that were en- countered in the past (for example, the Absolute Poker/Ultimate Bet backdoor, and Cake and other sites not imple- menting encryption and SSL correctly). The gaming industry understands this, and the various regulatory bodies have standards, including security, which the sites must meet. Unfortunately, each regulatory body has adopted dif- ferent standards that operators and players must adhere to. Often these standards are not as strict as they need to be. Compare this to the above-men- tioned executive order, which gave NIST the authority to create a frame- work for all critical infrastructure or- ganizations. Here we have a central authority that is responsible for setting and enforcing standards. Of course, regulation and compliance enforcement are not the silver bullets that will eliminate security breaches. There are plenty of companies and or- ganizations that have been tested for meeting compliance with security stan- dards that have had their security com- promised. The primary reason is that these companies set their security goals and activities to comply with stan- 41 Improving cyber security and how it relates to iGaming