Cyberpunk 2077: Caution flag for video gaming

For a while, it looked like CD Projekt Red might have the last laugh on video game critics who mercilessly savaged the company’s release last December of Cyberpunk 2077 over its rampant security and quality bugs.

Not that the criticism was undeserved. A week after the release, Sony removed the game from its PlayStation Network. PlayStation and Xbox, along with GameStop and Best Buy, offered full refunds.

It rapidly became a punch line — many punch lines — thanks to glitches that ranged from maddening to hilarious. In one scene, a motorcycle rider went from sitting on the bike to standing on the seat wearing no pants.

It also didn’t work on multiple platforms. Yong Yea, a YouTube creator, said in a Bloomberg video documentary about the problems with the game, “On PlayStation 4, it’s as good as unplayable.”

Elizabeth Lopatto wrote in The Verge, “If there are two things I love, they are drama and chaos, and boy, does Cyberpunk 2077 offer both.” After which she urged readers to post links to their favorite glitches in the comments section.

A February post in Engadget began, “Another day, another Cyberpunk 2077 update to fix a critical issue.”

But in spite of all that, Cyberpunk 2077 made money — lots of money. It sold a record 13.7 million units before the end of 2020. Ars Technica reported in April that while returns, lost sales, and other expenses from the game’s problems cost it about $51.2 million, the company’s total revenue rose by almost four times in 2020, to $563 million, and it had a net profit of $301 million.

And Cyberpunk 2077 returned to the Sony PlayStation Store this past week, although it came with a caveat — Sony recommended against playing it on PlayStation 4.

No happy ending

Still, that doesn’t mean all is ending well — at least not yet — for Warsaw-based CD Projekt Red. Undermining the good news from Sony, the company acknowledged earlier this month that data stolen in a February ransomware attack by a criminal group known as HelloKitty, was being circulated online. That data includes the source code for Cyberpunk 2077, plus earlier games including an unreleased version of The Witcher 3.

And while the company has tried to prevent illegal distribution of the code through Digital Millennium Copyright Act takedown notices, by this month, as PC Gamer put it, “it seemed that anyone who wanted access (to the source code) could get it.”

Simir Shah, regional sales manager with the Synopsys Software Integrity Group and a gamer himself, said once the source code gets into the wild, hackers can reverse engineer the code and offer services to help players cheat.

“That means legitimate players are going to quit,” Shah said, “because there’s no way to win against people who can cheat.”

Indeed, included in the company’s update on the ransomware breach was this: “We cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.”

So CD Projekt Red is now in the thick of what has become a fairly standard response to a major breach. Its statement said it has been “working together with an extensive network of appropriate services, experts, and law enforcement agencies, including the General Police Headquarters of Poland. We have also contacted Interpol and Europol. The information we shared in February with the President of the Personal Data Protection Office (PUODO) has also been updated.”

And it said it has taken “multiple measures to secure and harden our internal systems to protect against breaches like this in the future.”

Those include a redesign of core IT infrastructure; new next-generation firewalls with advanced antimalware protection; a new remote-access solution; stricter limits on privileged accounts; better protection of endpoints, servers, and networks; better event-monitoring mechanisms; an expanded internal security department; and cooperation with multiple external cyber security and IT specialists.

Too little too late

All of which are good, but all of which (as is frequently the case) sound like multiple versions of locking the barn door after the horse, or in this case the source code, has escaped.

And none of which directly addresses software security, which is one of the most fundamental measures necessary to protect not only products like games, but systems and networks as well. All are powered by software.

The irony — again typical of significant breaches — is that if even half of the $51 million the company lost due to quality and security failures had been spent on fixing those defects before the game was released, it very likely could have avoided the standard parade of horribles that accompany a successful cyber attack: Brand damage, lost sales and refunds, response and recovery costs, stolen intellectual property out in the open on the web, and potential legal liability — the company is the target of an investor lawsuit alleging that statements the company made about the game before its release were “materially false and misleading.”

In hindsight, the source of the current problems is obvious. The Bloomberg video summarized it as “a process marred by unchecked ambition, unrealistic timelines, and a focus on marketing at the expense of development.”

And security, it could have added.

Shah said Cyberpunk, which had been hyped for the better part of a decade and delayed multiple times, probably should have had thousands of developers working on it instead of several hundred, given the ambition and scale of the project — a role-playing game set in Night City, a sci-fi dystopia.

And based on the aftermath of one of the most disastrous game rollouts in video gaming history, with developers complaining of 13-hour workdays trying to meet unrealistic deadlines, it’s clear that this is one more of thousands of examples that when companies rush things into production, there isn’t time to fix mistakes.

Use the testing toolkit

Bloomberg reporter Jason Schreier wrote that one member of the development team “compared the process to trying to drive a train while the tracks are being laid in front of you at the same time. It might have gone more smoothly if the track-layers had a few months head start.”

Shah said it was obvious that “they spent hundreds of millions of dollars to release a complete piece of garbage. The quality issues were so bad because they didn’t run static analysis.”

Static application security testing is one of several automated tools on the market to help software developers find and fix bugs and other defects while they are writing code. Other standard tools in a secure software development life cycle include dynamic and interactive application security testing, along with software composition analysis, which helps developers find and fix known vulnerabilities and potential licensing conflicts in open source software components.

“I could’ve told the president of that company that he could solve the security and quality issues, which were massive, with static analysis because that’s what static analysis does. It looks at both security and quality issues,” he said.

The Cyberpunk 2077 story should also be a red flag for both video game makers and players. Because it may not be an outlier for long. Just a few weeks ago, hackers breached gaming giant Electronic Arts, maker of Battlefield, FIFA, and The Sims, and stole source code for FIFA 21 and related internal tools.

And Akamai Technologies has just released a report that tracked 246,064,297 web app attacks on the gaming industry worldwide in 2020, a 415% increase since 2018. The report also said credential-stuffing attacks increased 224% over 2019.

Statistics like that should be expected. Gaming is a massive, expanding, and lucrative attack surface, with 244 million (and growing) players in the U.S. who have made it into an estimated $64 billion industry in the U.S. alone. It has hit almost $180 billion worldwide, making it bigger than the movie and North American sports industries combined.

And hackers are opportunistic — they look for exploitable weaknesses and money. There is plenty of both in gaming.

Shah said that is in part because those who design and build the games “consider themselves artists, not software developers.”

But to avoid disaster, gaming companies obviously need to hire both. If they don’t want to be the next Cyberpunk, “they need to address security and quality early in the process, not in the QA [quality assurance] phase,” Shah said. “When you’re planning and developing your initial architecture for the software, you need to build in what tools to use, whether they are manual or automated, like static analysis.”

Otherwise, what looks like short-term gain will cause long-term pain.

Matt Kanterman, an equity research analyst at Bloomberg Intelligence who also appeared in the Bloomberg video, quoted Shigeru Miyamoto of Nintendo, known as the “father” of Super Mario, who famously said, “A delayed game is eventually good. A rushed game is never good.”

It is also unlikely ever to be secure.