The Wisdom of 'WarGames'
What a film from 1983 teaches us about cybersecurity today
Thirty-five years ago, “WarGames” wowed the world with the story of a high-school hacker who inadvertently put us all on the brink of nuclear destruction.
It’s a classic piece of Cold War cinema and a showcase of early-'80s computer gear: eight-inch floppy disks, big, boxy monochrome monitors, acoustic couplers and mainframes the size of refrigerators. But hidden among all that old hardware is a movie loaded with lessons about modern cybersecurity.
Here, to celebrate the film's anniversary, we broke down its salient cyber scenes and asked a crack team of experts to weigh in on why "WarGames" still matters.
The lesson: Computer networks are only as secure as the people who use them.
The scene: David, waiting in the principal’s office, sneaks over to a computer desk and pulls out a writing drawer. (See? We told you this stuff was old.) There's a list of crossed-out words, then a new one at the bottom: PeNciL. Later, we learn these are the passwords to the school's report-card database, and that David has been hacking in to keep from failing biology.
Analysis: A textbook case of poor cyber hygiene.
It's good to change passwords regularly. And it's really bad to write them down and keep them at the computer. (You've all stopped doing that, right?) Just like that, anyone who knew where to look could log on and hack their way onto the honor roll.
Which brings us to data integrity. Notice how David doesn’t steal information or plant malware – he just changes his grade. Often, messing with data is all hackers really want to do. (Side note: David changing his grade from an F to an A probably would have gotten him caught; even back then, the computer could have flagged it, or his teacher would have noticed. Rookie move, kid.)
What David did is known today as "credential theft," and while it's more common than it was in 1983, the methods are only slightly more sophisticated. In California, for example, police say a modern-day David spearphished his way into his school’s grading system, emailing his teachers a link to a fake login page that stole their usernames and passwords.
Then there's password-cracking software – a favorite tool of the team that plays as the bad guys in the National Collegiate Cyber Defense Competition, an annual event sponsored by Raytheon that draws some of the country's top talent in cybersecurity.
“The first thing the red team will tell you is they’re breaking passwords with modern software tools within minutes of the game going live,” said Bill Leigher, Raytheon’s director of government cyber solutions. “It’s a big change in hacker technology.”
A simple but effective defense: Multi-factor authentication, which requires something beyond a password, like a temporary code on a hardware token. Beyond that is behavioral analysis, a type of multi-factor authentication that takes into account things like typing speed and patterns of activity.
"We all have different signatures in our behavior," said Meg King, director of the Wilson Center's Digital Futures Project. "If you look at that picture, it tells a story."
The lesson: The more we say about ourselves, the more vulnerable we are.
The scene: David sees an ad for new video games and decides to hack the developer. The ad says the company is located in Sunnyvale, California, so he looks up nearby area codes and tells his computer to scan for other machines connected to the phone lines.
Analysis: Look at what a motivated hacker can do with just a scrap of data. While the company, Protovision, couldn’t reasonably keep the location of its corporate offices a secret, they could have at least left that information out of an ad targeted to the people most likely to hack them.
Today, open-source information is more plentiful than ever – and attackers have never been sneakier about using it. In a recent breach of a power company, the intruders found a photo on a human resources website that revealed information about a piece of control-systems equipment. That picture gave them a new target, not to mention a plausible ruse for spearphishing emails.
“You can do a lot of open-source mining with Facebook, with LinkedIn, with a company’s webpage, and you can find all those hints and build your attack profile,” Leigher said. “It doesn’t matter if you’re a hacker trying to download a game or if you’re a nation-state. The process is eerily similar.”
The solution: Operations security, the old military idea of controlling information that could be useful to adversaries. Taking stock of open-source information is an important first step, Leigher said.
“It’s not just in the data,” he said. “It’s in knowing what’s connected to your network – it’s both the information space and the physical space.”
The lesson: Determined hackers will find a way in.
The scene: David, while scanning for Protovision's computer, finds a machine that doesn't identify itself but does display a list of games. Unable to guess the password, he seeks help from hacker friends who tell him it's a military system – and that he'll never get in. (“That system probably contains new data encryption algorithms!”)
Undeterred, David drops some serious cyber wisdom: “I don’t believe any system is totally secure.”
Analysis: True then, true today.
“It’s still the same problem,” Leigher said. “Either because of shortcuts in programming, poor configuration, any number of reasons, there have just been abiding things that have always created the same kind of weaknesses.”
The problem is worse today thanks to a proliferation of internet-connected devices and all the security flaws and software patches that follow. Things were a little simpler in 1983, said Todd Probert, vice president for mission support and modernization at Raytheon. He oversees Raytheon’s work at the North American Aerospace Defense Command Cheyenne Mountain Complex, where much of WarGames’ action takes place.
“The cyber environment was largely dictated by the physical construct: the phone line. Somewhere in the last 10 years, that’s changed,” he said. “Every time there’s an update to your cell phone, there’s some bad guy looking to see if there’s an exploitation that can happen. And that goes for hardware too.”
That’s why resiliency, or designing systems to contain breaches and withstand attack, is just as important as preventing intrusions in the first place.
The lesson: It pays to work with people who think differently.
The scene: As David tries and fails to sign on to the mystery computer, he gets a visit from his friend, Jennifer, and shows her all his research on the system's designer, Stephen Falken. Right away, she focuses on the tragic track of his life, giving David an idea that leads him right to the password.
Analysis: We’ll admit, this one is a stretch. “WarGames” is hardly a celebration of diversity. But the point here is still valid: Sometimes another perspective is all you need to solve a hard problem. In cybersecurity, that means considering things like psychology and behavioral science when designing systems and making policies.
"All these things are interrelated. You just can't separate them," King said.
The lesson: Some things should not be online. Things like artificially intelligent war simulators with control of the nation’s nuclear arsenal.
The scene: The WOPR computer, unable to distinguish between reality and the missile-strike scenarios it was designed to simulate, is cracking the launch codes as David and Falken frantically try to show it that any attack would be futile.
Analysis: Leigher puts it simply: “There was no reason to connect a system like that to the internet.”
In the movie, they explain it by saying the phone company left the WOPR exposed to outside lines. OK, but why give the computer that authority to begin with? This is one of the central themes in "WarGames": we can't simply hand everything over to technology.
The good news is that none of this would actually happen. If WOPR were a real-life NORAD system, it would have a much smaller scope, Probert said.
“NORAD’s mission is missile warning. NORAD’s mission is not nuclear command and control,” he said. “It is and always has been a very segmented chain on purpose, with people in the loop and gaps between the battle-management systems.”
So while “WarGames” gets hacking right, it’s safe to say its portrayal of missile command is pretty pure Hollywood.
Well. We’ve been at this a while now. We’d say it’s time for a break.
How about a nice game of chess?