PAXsims

Conflict simulation, peacebuilding, and development

Tag Archives: cyberwarfare

Schechter: Wargaming Cyber Security

The latest issue of War on the Rocks features a piece by Benjamin Schechter (US Naval War College) on wargaming cyber security.

“Wargames can save lives” is axiomatic in the wargame community. But can they save your network? As modern conflict has become increasingly digital, cyber wargaming has emerged as an increasingly distinct and significant activity. Moreover, it’s doing double duty. In addition to its application to national defense, it’s also helping protect the economy and critical infrastructure. Wargaming is a military tool used to gain an advantage on the battlefield. However, it has also found a home beyond national security, frequently used in the private sector. Cyber security straddles the battlefield and the boardroom. As a result, it is not surprising that cyber wargaming is increasingly common across both the public and private sectors. As cyber security concerns intensify, so too does the attention given to cyber wargaming.

Designed well and used appropriately, cyber wargames are a powerful tool for cyber research and education. However, misconceptions about what cyber wargames are, their uses, and potential abuses pose challenges to the development of cyber wargaming.

He offers some useful insight into how to do this well—and some equally useful comments on what to avoid:

Cottage industries have emerged that cater to every type of cyber security need. A variety of contractors, consultants, and specialists offer bespoke cyber wargames, support services, and wargaming tools. Often, they provide valuable services during a time when people are grasping for insights and solutions. Yet there are also potentially troubling challenges and conflicts of interest. Wargame sponsors and participants sometimes lack the social and technical ability to assess the wargame product they receive critically. Alternatively, the need for immediate, easy answers for hard cyber problems encourages problematic cyber wargames. Whatever the source, and there can be many, the potential problems and pathologies with cyber wargames go beyond the purely technical or conceptual.

In a world of new tech, vaporware, and buzzwords, cyber wargames can be used to sell other products, services, or ideas. The marketplace for cyber security may encourage using wargames as a sales pitch, leveraging the emotional and intellectual intensity of wargames for influence. One example is using cyber wargames to create anxiety or fear with “cyber doom scenarios.” While this may be appropriate in some specific instances, more often than not, it’s threat inflation to advance a program, advocate for an idea, or sell a product. This is not a new problem, nor is it limited to cyber or wargaming. Bureaucratic politics and defense procurement raise the specter of ulterior motives in wargames for the Department of Defense. The risks are significant for Fortune 500 companies as well as government agencies.

There’s also the problem of cyber wargames that don’t produce anything of value, either by design or by error. The most meaningless and infamous wargames are BOGSATs (a bunch of guys/gals sitting around a table). Cyber BOGSATs are common. These games may appear promising, with distinguished participants and institutions. But they lack clear objectives or game design leading to no substantial finding or benefit. BOGSATs occur when a wargame is not the best tool for the problem, is window dressing for something else, or is just poorly designed.

Particularly egregious are cyber wargames that actively cause harm by teaching the wrong lessons or creating false knowledge. Unfortunately, this is not a new or uncommon phenomenon. Common causes are ill-designed or unrealistic cyber elements and gameplay, poorly specified cyber objectives, and poor communication. A cyber wargame about a high-intensity conflict where cyberspace operations are consistently and catastrophically effective might lead to some skewed perspectives on cyberspace operations. Alternatively, poorly abstracted networks and computer systems may artificially limit player creativity or instill a false sense of security. Finally, and most fundamentally, they might fail to articulate how cyberspace has been abstracted or will be used within the game. Because cyberspace is synthetic, its representation can vary significantly and in different ways from other domains. In any case, poor design will result in games that fail to meet their objectives. Worse yet, they teach the wrong lessons, skew analysis, or stifle new or innovative ideas. My colleague, Dr. Nina Kollars, and I discuss these and related cyber wargaming challenges and pathologies in an upcoming Atlantic Council article.

You can read the full article at the link above.

How can we credibly wargame cyber at an unclassified level?


The frighteningly-efficient Stephen Downes-Martin has been kind enough to pass on a game lab report from the recent Connections US 2018 wargaming conference on “How can we credibly wargame cyber at an unclassified level?” (pdf) with contributions from Michael Bond, Stephen Downes-Martin, Andreas Haggman, Clayton Hutto, Michael Markowitz, Douglas Samuelson, and Joseph Saur:

A small minority of cyber experts with wargaming and research experience have security clearances. If cyber operations are researched and gamed only at high levels of classification, then we limit our use of the intellectual capital of the United States and Allies and put at risk our ability to gain edge over our adversaries. We must find ways to wargame cyber[1] at the unclassified level while dealing with information security dangers to best use the skills within academia, business and the gaming community. During the Connections US Wargaming Conference 2018 a small group of interested people gathered for about an hour to discuss the question:

“How can we credibly wargame cyber at an unclassified level?”

The group concluded that it is possible to wargame cyber credibly and usefully at the unclassified level and proposed eight methods for doing so. The group also suggested it is first necessary to demonstrate and socialize this idea by gaming the trade-offs between the classification level and the value gained from wargaming cyber.

[1] “Wargaming cyber” and “gaming cyber” are loose terms which the group deliberately left as such to encourage divergent thinking and to avoid becoming too specific.

Cyber Operational Awareness Course matrix game

The following report was contributed by Major Tom Mouat, Directing Staff officer responsible for Modelling and Simulation at the Defence Academy of the UK.


I thought that PaxSims readers might like to hear how running a Matrix Game went down as part of the Cyber Operational Awareness Course at the Defence Academy of the UK.

The course “aims to contextualise Cyber within Defence by raising awareness of wider operational perspectives.” It lasts 3 ½ days and is Rank Ranged OR7-OF4 (Civilian D-C1), (Staff Sergeant to Colonel) which is somewhat unusual, but I think the course benefitted from the wide rank range due to the inclusion of senior NCOs, many of whom were specialists in their own right and very interested in the subject. This certainly added to the classroom discussions.

The course is currently only available to UK MOD personnel and, while generally conducted at a low classification, takes place in a restricted area in case questions and discussion stray onto more classified topics.

On previous courses there was a “Planning Estimate” carried out, lasting about a day and featuring a 50 page background briefing about an entirely fictional scenario. This attracted a lot of criticism as it covered many things that had no cyber relevance and the background briefing was coma inducing because it was completely fictitious and was extremely difficult to follow (both for the students and the instructors).

It was decided to replace the Planning Estimate with a Cyber Matrix game. Matrix Games are extremely low overhead, free-form games, built around an evolving narrative through the means of a series of logical “Arguments” proposed by the participants to advance their position in the game. They are useful for rapid assessment of scenarios, as an alternate analytical method and for education. They are particularly suited to subjects where “effects” are more important than weapon system performance.

This represented something of a challenge as previously we had conducted Matrix Games with relatively few players and the course required the game to run with 35 participants. We elected to run the game with teams of about 4 players representing the different actors and use a couple of the more experienced participants to assist in the adjudication of the “Matrix Arguments”.

We conducted a trial with about 10 participants and a completely fictitious scenario which, while it ran adequately, was lacklustre. The scenario suffered from the same difficulty in identifying the different actors in the conflict and being able to present them in a realistically nuanced way. It was quite fun, but failed to bring out the learning points required, so required a significant re-think.

In the end the scenario was completely re-written to involve fictitious states as the primary actors, but within the real geo-political context of the Baltic States. This enabled us to reduce the briefing considerably and promote a better understanding of the scenario through the means of analogies. The teams were allocated as follows:

  • The NATO sympathetic State.
  • Their “cyber supporters”.
  • The Main Protagonist State, massing troops on the border and fomenting rebellion in border cities.
  • Their “cyber supporters”.
  • The USA.
  • An independent third party hacking group based in the Far East.
  • The Press (Global Network News – GNN)
  • Assessors (a couple of experienced students intended to help with adjudication).

In addition a map was constructed showing the military deployments, as well as things like refugee camps and significant infrastructure installations in order to provide player teams things to focus on.

The game was run in an afternoon in a large classroom with 2 projectors – one with the maps and deployments on it and one with a PowerPoint show with the “Press Headlines” from each turn. This served as a record of the results of the Matrix Arguments as well as a summary of international opinion at the end of each turn (each of which represented “about 2 weeks”).

We also decided to provide the actors at the start of the game with a number of “Capability Cards” representing certain cyber capabilities, to focus their minds but also to bring out specific learning points.

Team briefs included these Capability Cards, the much reduced background briefing (now limited to 4 pages and a map) and a one page briefing specific to the team (including their objectives).

In between turns the players were also asked general “cyber awareness” questions, such as “Who was responsible for the leak of 750,000 confidential US documents to Wikileaks in about 2010?” (Bradley (Chelsea) Manning). The correct answer would provide the team with an opportunity to re-roll the dice if there was chance of failure in an argument, and was intended to represent the “research” element of cyber operations – the better the research / reconnaissance phase, the higher the likelihood of success.

The game went well with good engagement all round. Student quantitative feedback scores were higher for the Matrix Game session than for any of the other sessions in the course and qualitative feedback comments were also good.

Points to note:

  • Adding a “Press” team to record results and present “International Opinion” worked very well and was very useful as part of the game debrief (and was fun).
  • The “Capability Cards” as specific pointers towards educational learning points worked well – they were used (or not used) appropriately, sold to other Teams, patched and made redundant, and generally added to the outcomes. This supports Canadian findings that player perceptions can be heavily influenced by the information provided and physical presentation. In an educational context this can be very useful.
  • There was one criticism in the qualitative feedback that the person running the game “didn’t always listen to the full arguments”. This is an easy trap to fall into when running Matrix Games, in that the person running the game ends up acting as an “Umpire” and occasionally imposing his world view, rather than as “Facilitator” for the event (again supporting the Canadian findings above). The inclusion of the “Assessor” team was intended to mitigate against this, but they weren’t sufficiently briefed.
  • While the game was very successful, the post-game briefing was merely adequate. More effort was needed to provide a structure to the debrief and identify the specific learning outcomes. The Capability Cards helped (especially with those teams who chose NOT to use them), but there is room to provide more obvious team objectives in order to bring out additional points.

Overall the inclusion of a Matrix Game in a cyber-focussed course was a success in promoting discussion and understanding of a subject resistant to conventional teaching methods, so we are likely to use it again in the future. I believe that Matrix Games are particularly suited to education about cyber operations as they avoid getting bogged down in unnecessary technical detail, while promoting insight and understanding.

Tom Mouat 

Review: Curry and Price, Dark Guest (Training Games for Cyber Warfare)

John Curry and Tim Price, Dark Guest: Training Games for Cyber Warfare (Volume 1: Wargaming Internet Based Attacks). 2nd edition. History of Wargaming Project, 2013. 97pp.  £12.95

This booklet is intended as a guide and aid for those involved in promoting broader awareness of “cyber warfare” and information security within their organizations. It consists of a discussion of the challenges of training on the issue, an overview of cyberwargaming, and a brief discussion of the rise of hacking and hacktivism. Thereafter, it presents five games that can be used (or modified) in a training context:

  • In “Enterprise Defender” a hacker team secretly prepares descriptions of possible cyber attacks while a security team identifies IT defences. These are then discussed and resolved by an umpire as a way of both exploring the issue and generating a broader exploration of the topic.
  • “All Your Secrets are Mine” is a matrix game, whereby participants examine hacking and military-industrial espionage through a series of verbal actions and counter-actions that are assigned a probability weight by the umpire, then resolved with dice.
  • “Conspiracy” is a card game in which participants create the cards prior to game play, and is intended to show the interactive and interconnected nature of hacking and cyberwarfare.
  • “Media Wars” involves efforts by a fictional environmental group that has seized control of an oil refinery and is trying to get its message out, while the local government and other stakeholders also compete to influence the information space. Again, the primary game mechanism is one of teams developing media strategies, which are then rated by an umpire, with effects also dependent on a die-roll.
  • Finally, “Talinn Soldier” is a crisis game based on the 2007 attacks against Estonian government and private sector servers by pro-Russian activists.

The games are not technical ones. Indeed, experts in cybercrime, warfare, and hacktivism may find the lack of technical detail and analysis in this volume surprising.

If so, they would be missing the point. Dark Guest is intended to provide resources for those who have the task of spreading awareness of cyberwarfare issues within larger organizations, possibly inspiring them to modify the sample games provided or develop their own for their own particular needs. The games are thus designed to encourage non-IT specialists and managers to think about potential vulnerabilities (although some might also encourage IT specialists to go beyond issues of hardware and software to reflect on more general questions of policy, strategy, and context). All of the games are relatively free-form, and most are rather abstract. They are thus highly adaptable and designed to promote discussion-through-play. Most can also be played quite quickly, making them very suitable as ice-breakers or to provide a change-of-pace as part of a broader training programme. A previous edition of Dark Guest included a full rules-based card game on cyberwarfare, which has been dropped in this edition precisely because the authors feel that a book containing “generic ideas… [with] wider application” would be more useful for those seeking to integrate serious games into their training process.

One key aspect that the authors note, but could do more to address, is the fundamental importance of effective game facilitation and umpiring in free-form games such as these. Considerable skill is required to do this, since the moderator simultaneously needs to run the game, adjudicate actions (in a way that participants find convincing), maintain player engagement, deal with less cooperative players or those “fighting the scenario,” while all the time exploiting the teachable moments that the game generates. Experienced teachers may have some of these skills, and experienced role-playing-game “dungeon masters” have others—but not all neophytes have all of them. Given that this is volume 1 in what promise to be a continuing series—and given its association with the longstanding History of Wargaming research and publication project—this may well be an aspect that the authors turn to in a subsequent volume.

 
