The emergence of e-sports is no longer news. According to industry reports, the global e-sports industry created over $950 million in total revenue in 2020, and experts expect that number to grow to $1.6 billion by 2023. While the sports industry is struggling to stay afloat amid a global pandemic, e-sports has seized the moment to raise its profile as a viable — and for many, preferable — alternative to traditional sporting events.
But as with the rest of the world, the pandemic has changed the e-sports landscape. Two trends are noteworthy: e-sports matches that used to be held in person are increasingly migrating to online platforms, and more people are gambling on e-sports matches than ever. To adjust to these trends, the e-sports industry must pay attention to two neglected issues in e-sports law: cybersecurity and anti-cheating. In this post, we explain why implementing robust security and anti-cheating measures and being prepared for inevitable security and cheating incidents is a crucial next step for e-sports stakeholders in ensuring the industry’s continued success.
Migration toward Online
Before the pandemic, most major e-sports tournaments were held in person, often in large stadiums or arenas. From a marketing standpoint, e-sports leagues and event organizers focused on creating the “gameday experience” associated with traditional sporting events. One of the collateral benefits of holding matches in person was enhanced security. Because players were all in the same physical venue, matches could easily be played on secure local networks.
The pandemic, however, forced many major e-sports leagues to shift to an online format. This shift is likely to continue post-pandemic. With its ethereal nature and international reach, it makes sense for e-sports to migrate online for logistical convenience and cost savings, particularly for smaller-scale stakeholders such as collegiate leagues and grassroots competition organizers.
The e-sports industry’s shift toward online, however, creates increased cybersecurity risks. From simple denial-of-service attacks to more sophisticated code injection and malware attacks, there are many ways in which cybercriminals can disrupt online e-sports events to achieve their nefarious goals, ranging from simply gaining notoriety on the Internet to extortion. The e-sports industry is not prepared to defend itself against these threats. In 2019, for example, two threat researchers from the cybersecurity firm Trend Micro found that 219,981 internet-connected devices related to e-sports were left accessible to outsiders. The same researchers also found multiple game-related servers with exploitable vulnerabilities.
Boost in E-Sports Wagering
The pandemic has also been a boon for the e-sports betting industry. With traditional sporting events halted, many gamblers turned their focus to e-sports. In 2020 alone, the state of Nevada approved betting on 13 separate e-sports leagues and tournaments after having approved just three such leagues and tournaments in all previous years combined. Fantasy sports companies like FanDuel and DraftKings also started offering paid fantasy contests for e-sports.
But where there is betting, there are individuals trying to cheat the system. E-sports, where a click of a mouse can change the outcome of any given match, is no exception, and stakeholders struggle to combat cheating and match-fixing attempts. Just last year, local authorities in Australia charged five professional Counter Strike: Global Offensive gamers for throwing matches to gain proceeds from bets they placed on their own games. Other examples abound.
The problem is likely to get worse before it gets better. A slight lag caused by a server attack from malicious actors can dramatically shift the betting odds of an online e-sports match. No physical venue means no centralized oversight against various methods to cheat, including the use of cheat codes and doping. The motivation to cheat and collude will only grow stronger as more money flows into e-sports gambling.
Measures to Protect the Integrity and Reputation of E-Sports
E-sports event organizers, teams, and players should all aspire to protect the integrity and reputation of the sport to ensure its continued success. Gaming companies, which own the intellectual property rights to the underlying games, also have a vested interest in protecting the integrity and reputation of e-sports, which has buoyed the popularity of their games. The e-sports and gaming industries already experienced the consequence of failing to protect those qualities when the popularity of the South Korean e-sports leagues plummeted following one of the industry’s first match-fixing scandals in 2010. This suggests that the first step to ensuring e-sports’ growth is strong industry-wide security against cyberattacks and cheating.
Here are five essential steps individual e-sports stakeholders should take to improve their security posture:
- Start with a robust security policy. Any effort to boost security should start with creating, implementing, and enforcing robust security policies. These security policies should document an organization’s technical safeguards to detect and prevent cyberattacks and cheating. But they must also focus on the organization’s people and processes, including (1) how to educate and train employees, personnel, and players on the importance of security and (2) creating repeatable processes to monitor how the organization implements its security measures.
- Conduct risk assessments to select and implement appropriate controls. A risk assessment is a key step to ensure that an organization’s security program focuses on the right administrative and technical controls to detect and prevent security incidents and cheating. A risk assessment will evaluate the threat actors that are likely to target an e-sports organization, determine what security gaps exist in the environment, and analyze which gaps are most likely to impact the organization (e.g., through ransomware, data theft, or cheating) if not addressed.
- Develop incident response and disaster recovery procedures. E-sports organizations should also develop procedures to guide them through a security incident or catastrophic system failure. These procedures should include a written incident response plan, a disaster recovery plan, an incident response training program, and periodic tabletop exercises to prepare for inevitable security incidents and test the organization’s procedures.
- Impose security obligations through contracts. Larger stakeholders in the e-sports industry should also contractually obligate downstream stakeholders to implement satisfactory security measures and reserve the right to audit their security environments — a mechanism that is increasingly required in data protection laws where personal data is being processed. Gaming companies, for example, could make security and audit-related provisions a part of their licensing deal with e-sports league and tournament organizers.
- Develop standard investigative and enforcement procedures. E-sports stakeholders should escalate their efforts to develop standard investigative and enforcement procedures for security incidents and cheating. Although there has been movement toward this by some organizations, most prominently by the Esports Integrity Commission and its member organizations, further standardization and increased transparency will help the e-sports industry dispel questions raised by some stakeholders about the legitimacy of its investigative and enforcement procedures.
The shift toward online and increased gambling in the e-sports industry demand closer attention to cybersecurity and anti-cheating issues. E-sports stakeholders must create and implement robust security policies, and prepare for inevitable security and cheating incidents by developing strong security practices and moving toward a more standardized regulatory regime to address new security challenges.