The latest issue of War on the Rocks features a piece by Benjamin Schechter (US Naval War College) on wargaming cyber security.
“Wargames can save lives” is axiomatic in the wargame community. But can they save your network? As modern conflict has become increasingly digital, cyber wargaming has emerged as an increasingly distinct and significant activity. Moreover, it’s doing double duty. In addition to its application to national defense, it’s also helping protect the economy and critical infrastructure. Wargaming is a military tool used to gain an advantage on the battlefield. However, it has also found a home beyond national security, frequently used in the private sector. Cyber security straddles the battlefield and the boardroom. As a result, it is not surprising that cyber wargaming is increasingly common across both the public and private sectors. As cyber security concerns intensify, so too does the attention given to cyber wargaming.
Designed well and used appropriately, cyber wargames are a powerful tool for cyber research and education. However, misconceptions about what cyber wargames are, their uses, and potential abuses pose challenges to the development of cyber wargaming.
He offers some useful insight into how to do this well—and some equally useful comments on what to avoid:
Cottage industries have emerged that cater to every type of cyber security need. A variety of contractors, consultants, and specialists offer bespoke cyber wargames, support services, and wargaming tools. Often, they provide valuable services during a time when people are grasping for insights and solutions. Yet there are also potentially troubling challenges and conflicts of interest. Wargame sponsors and participants sometimes lack the social and technical ability to assess the wargame product they receive critically. Alternatively, the need for immediate, easy answers for hard cyber problems encourages problematic cyber wargames. Whatever the source, and there can be many, the potential problems and pathologies with cyber wargames go beyond the purely technical or conceptual.
In a world of new tech, vaporware, and buzzwords, cyber wargames can be used to sell other products, services, or ideas. The marketplace for cyber security may encourage using wargames as a sales pitch, leveraging the emotional and intellectual intensity of wargames for influence. One example is using cyber wargames to create anxiety or fear with “cyber doom scenarios.” While this may be appropriate in some specific instances, more often than not, it’s threat inflation to advance a program, advocate for an idea, or sell a product. This is not a new problem, nor is it limited to cyber or wargaming. Bureaucratic politics and defense procurement raise the specter of ulterior motives in wargames for the Department of Defense. The risks are significant for Fortune 500 companies as well as government agencies.
There’s also the problem of cyber wargames that don’t produce anything of value, either by design or by error. The most meaningless and infamous wargames are BOGSATs (a bunch of guys/gals sitting around a table). Cyber BOGSATs are common. These games may appear promising, with distinguished participants and institutions. But they lack clear objectives or game design leading to no substantial finding or benefit. BOGSATs occur when a wargame is not the best tool for the problem, is window dressing for something else, or is just poorly designed.
Particularly egregious are cyber wargames that actively cause harm by teaching the wrong lessons or creating false knowledge. Unfortunately, this is not a new or uncommon phenomenon. Common causes are ill-designed or unrealistic cyber elements and gameplay, poorly specified cyber objectives, and poor communication. A cyber wargame about a high-intensity conflict where cyberspace operations are consistently and catastrophically effective might lead to some skewed perspectives on cyberspace operations. Alternatively, poorly abstracted networks and computer systems may artificially limit player creativity or instill a false sense of security. Finally, and most fundamentally, they might fail to articulate how cyberspace has been abstracted or will be used within the game. Because cyberspace is synthetic, its representation can vary significantly and in different ways from other domains. In any case, poor design will result in games that fail to meet their objectives. Worse yet, they teach the wrong lessons, skew analysis, or stifle new or innovative ideas. My colleague, Dr. Nina Kollars, and I discuss these and related cyber wargaming challenges and pathologies in an upcoming Atlantic Council article.
You can read the full article link at the link above.