I came across a report entitled Video Games as a Training Tool to Prepare the Next Generation of Cyber Warriors by the Software Engineering Institute. While out for a year, it still worth reading. The authors are part of a project at Carnegie Mellon University and suggest that the coming cybersecurity skills gap will be critical and require some non-traditional methods to fix. Their thesis is that we have to turn to video games to heighten some new interest, and to start with young children. By grabbing kids’ attention and building a solid foundation of skills and infosec knowledge, the games could help motivate a passion towards finding a career cybersecurity later in life.

One of the reasons why games make sense for cybersecurity is that they are designed for multiple players; promote team building and scenario-based problem solving. All of these are very valuable when it comes to responding to digital attacks and other IT-related situations.

Plus, under the category of unintended consequences, getting kids involved in security-related games could help narrow the gender gap as well: nearly half of gamers are girls, who have been historically under-represented in the cybersecurity field. And with more than 175 million gamers in just the US alone, there is a wide pool of potential recruits.

The idea isn’t new: the sci-fi series “Ender’s Game” by Orson Scott Card and the movie “The Last Starfighter” both have had a similar plot line — and both are from decades ago. In the real world, the modification of the game Doom by the US Marines has been out for decades as well. When it was first developed in the early 1990s, it cost about $25,000 and took about six months to develop. It proved to be so popular with the soldiers that they would queue up in the evenings to get a chance to play. Since then, the US Army released its own game, called America’s Army, that was designed as a recruitment and public relations tool but migrated into helping new enlistees learn about the state of weaponry and tactics that they would be learning in basic training exercises.

But what is new is that there are a number of video games, include one from a CMU-affiliate, that can help bridge the gap. The report reviews several of them. These include games for children, such as MySecureCyberspace and CyberCiege; Control-Alt-Hack, a card game targeted at teens; Cyber Awareness Challenge and Cyber Protect, two games created by the DoD several years ago; and Watchdogs, a game for various consoles that has been out since 2014. Some of these games get pretty deep into things such as understanding appropriate IT policies such as setting strong passwords and implementing biometric access to sensitive data. Think about that for a moment: when was the last time you could learn about setting a firewall rule with a tactic in some first-person shooter game? Card’s Ender was ahead of his time.

Sadly, none of these games is really optimally suited for the proposed task of training cybersecurity defenders. It is a fair assessment, since none of them really had that as an original design goal. The authors state that it is “time to invest in a cybersecurity training video game that can be used to prepare the next generation of cyber-warriors and infosec professionals.” The report is well worth reading.