Wargaming Cyber Security
“Wargames can save lives” is axiomatic in the wargame community. But can they save your network? As modern conflict has become increasingly digital, cyber wargaming has emerged as an increasingly distinct and significant activity. Moreover, it’s doing double duty. In addition to its application to national defense, it’s also helping protect the economy and critical infrastructure. Wargaming is a military tool used to gain an advantage on the battlefield. However, it has also found a home beyond national security, frequently used in the private sector. Cyber security straddles the battlefield and the boardroom. As a result, it is not surprising that cyber wargaming is increasingly common across both the public and private sectors. As cyber security concerns intensify, so too does the attention given to cyber wargaming.
Designed well and used appropriately, cyber wargames are a powerful tool for cyber research and education. However, misconceptions about what cyber wargames are, their uses, and potential abuses pose challenges to the development of cyber wargaming.
What Are Cyber Wargames?
Cyber wargames are a specialized class of wargame about how human decisions relate to cyber actions and effects. They distill the complexities of cyberspace into a manageable and functional form, allowing discrete elements to be studied and taught.
They can be categorized as games with cyber and games about cyber. A wargame with cyber may have a significant cyber component, but that is not the wargame’s focus. Examples include some Department of Defense wargames that attempt to “bolt-on” cyber operations to games focused on conventional sea, land, and air operations. In these wargames, cyberspace is just one consideration among many. Wargames about cyber are primarily, if not exclusively, dedicated to some aspect of cyberspace, such as investigating how cyberspace operations impact strategic decisions. These are what we often think of when we describe “cyber wargames.” They run the gambit from cyber incident response inside individual organizations to large, interagency wargames.
Cyber wargames are still wargames about human decision-making. The nature of cyberspace fuels the misconception that cyber wargames should be highly technical as well. This error leads people to conflate several related but distinct technical activities. For example, hands-on-keyboard events like NATO’s Locked Shields cyber exercise or other capture the flag events are useful, but they are not wargames. Breach and attack simulations, penetration testing, cyber range training, and even hackathons play an important role in the cyber security ecosystem. But they shouldn’t be mistaken for wargames. There is a fine but important line between technical exercises, training, and modeling and simulation on the one hand, and wargames on the other.
Why Do Cyber Wargaming?
Cyber security is hard, but cyber wargaming can help. Cyberspace is a cross-cutting infrastructure upon which numerous other infrastructures and systems now rely. It helps drive the economy, guide weapons, deliver memes, and brings people together — or regrettably, drive them apart. Listing what networked and digital information technology has not been disrupted, transformed, or destroyed would be easier than thinking through what has. As a result, we face a sea of unknowns. What’s more, the topological vastness, technological complexity, and conceptual vagueness of this domain make cyber security difficult to study and teach. The techno-mysticism and buzzwords around cyber peace and conflict don’t help. When well done, cyber wargames can cut through this clutter, advancing education and investigation of a dynamic subject.
Like all wargames, cyber wargames can serve several different purposes — chiefly research and analysis, and education. The U.S. Naval War College’s 2017 Navy-Private Sector Critical Infrastructure Wargame, for example, was a research wargame about cyber. Along with private sector participants, it investigated the threshold at which cyber attacks against U.S. critical infrastructure become a national security incident and the role of government in such a crisis. Alternatively, the Atlantic Council’s Cyber 9/12 Strategy Challenge is an educational wargame series, wherein students around the world develop competing policy responses to fictional but realistic cyber incidents.
Despite ubiquitous workplace cyber awareness trainings, most people are not cyber experts. Generally, people don’t need deep expertise about cyberspace any more than they need a sophisticated knowledge about aerodynamics or epidemiology — but a basic understanding is valuable. This is especially true for leaders. Like it or not, “cybersecurity is commanders’ business.” Wargames have a long history as educational tools, and cyber wargames should be no exception. There is a marked difference between reading about the value of allies and partners in cyberspace and the wargaming experience of trying to secure public and private computer networks that, for instance, connect the United States and South Korea to Pyongyang by way of China. Furthermore, cyber wargames provide a unique vehicle for cyber experts and non-experts to work together towards resolving common problems, as they should in a real crisis. Wargaming helps leaders to understand and respond to the consequential realities about competition — between states or businesses.
What Goes into a Cyber Wargame?
For cyber wargames, like wargames in general, design decisions about what to include and exclude about the digital domain have a profound impact. It is impossible to include every aspect of cyberspace in any wargame. Nor is it desirable. Instead, good design identifies the critical elements of cyberspace that are necessary to address the wargame’s objective(s) and represents them — and little else — in the wargame. While a simple proposition, this is a difficult problem in practice, given how interdependent and complex many systems are in cyberspace. Determining what part of these complex systems to present, and how, is typically decided on case-by-case.
For instance, a wargame designed to explore gaps in a healthcare company’s cyber incident response plan should probably include the firm’s information technology networks and computer systems. But at what level of detail or abstraction? And do you also need to include the entangled external networks, such as software vendors, service providers, and supply chain partners? What about employees’ personal electronic devices? Or the “internet of things” in the corporate headquarters?
Cyber wargames for the armed services are no less daunting. You can’t map cyberspace to a geographic theater of operations: Information technology networks reach across borders and continents. Add to that the complexity of different users and owners, such as sister services, civilian agencies, partner nations, neutral third parties, private citizens, and others. Scoping, abstracting, and excluding are essential steps in cyber wargame design.
Game designers should ultimately make peace with uncertainty. There are too many unknowns to quantify all variables. Accurate or not, this is often attributed to a lack of good data. While cyberspace may consist of interconnected networks, information about these networks is nevertheless segmented and distributed across a wide range of different public and private entities. Cyberspace is also dynamic. The newest thing means that something else is often outdated. Important assumptions about a target may change radically after a simple software update or patch. When cyber wargames address these complex dynamics, game design nevertheless requires embracing the pervasive uncertainty of cyberspace.
This uncertainty isn’t just about technology. It’s also about people. Humans are integral to cyberspace. The multitude of ways that users define and interact with this domain is daunting, even when the hardware and software remain relatively constant. To quote a Naval War College colleague, “you never know how sailor Timmy is going to break the network next.” People sometimes do unexpected things. Smaller, focused cyber wargames can sometimes help make decision-making more manageable by restricting the range of technologies and user behaviors. Large cyber wargames with more players, more networks and systems, and a broader set of objectives include more uncertainty.
Cottage industries have emerged that cater to every type of cyber security need. A variety of contractors, consultants, and specialists offer bespoke cyber wargames, support services, and wargaming tools. Often, they provide valuable services during a time when people are grasping for insights and solutions. Yet there are also potentially troubling challenges and conflicts of interest. Wargame sponsors and participants sometimes lack the social and technical ability to assess the wargame product they receive critically. Alternatively, the need for immediate, easy answers for hard cyber problems encourages problematic cyber wargames. Whatever the source, and there can be many, the potential problems and pathologies with cyber wargames go beyond the purely technical or conceptual.
In a world of new tech, vaporware, and buzzwords, cyber wargames can be used to sell other products, services, or ideas. The marketplace for cyber security may encourage using wargames as a sales pitch, leveraging the emotional and intellectual intensity of wargames for influence. One example is using cyber wargames to create anxiety or fear with “cyber doom scenarios.” While this may be appropriate in some specific instances, more often than not, it’s threat inflation to advance a program, advocate for an idea, or sell a product. This is not a new problem, nor is it limited to cyber or wargaming. Bureaucratic politics and defense procurement raise the specter of ulterior motives in wargames for the Department of Defense. The risks are significant for Fortune 500 companies as well as government agencies.
There’s also the problem of cyber wargames that don’t produce anything of value, either by design or by error. The most meaningless and infamous wargames are BOGSATs (a bunch of guys/gals sitting around a table). Cyber BOGSATs are common. These games may appear promising, with distinguished participants and institutions. But they lack clear objectives or game design leading to no substantial finding or benefit. BOGSATs occur when a wargame is not the best tool for the problem, is window dressing for something else, or is just poorly designed.
Particularly egregious are cyber wargames that actively cause harm by teaching the wrong lessons or creating false knowledge. Unfortunately, this is not a new or uncommon phenomenon. Common causes are ill-designed or unrealistic cyber elements and gameplay, poorly specified cyber objectives, and poor communication. A cyber wargame about a high-intensity conflict where cyberspace operations are consistently and catastrophically effective might lead to some skewed perspectives on cyberspace operations. Alternatively, poorly abstracted networks and computer systems may artificially limit player creativity or instill a false sense of security. Finally, and most fundamentally, they might fail to articulate how cyberspace has been abstracted or will be used within the game. Because cyberspace is synthetic, its representation can vary significantly and in different ways from other domains. In any case, poor design will result in games that fail to meet their objectives. Worse yet, they teach the wrong lessons, skew analysis, or stifle new or innovative ideas. My colleague, Dr. Nina Kollars, and I discuss these and related cyber wargaming challenges and pathologies in an upcoming Atlantic Council article.
Cyber wargames are powerful tools for creating and sharing knowledge and grappling with uncertainty. However, like any tool, there are risks of abuse and misuse. While problems facing cyber wargaming have some unique characteristics, others are common to all wargaming. Clear articulation of objectives, transparency, rigor, and accountably are common solutions to wargaming woes. Other, more cyber specific problems require additional efforts to address. Improving access to data, increasing general cyber literacy, and normalizing the role of cyber subject matter experts in designing and playing in wargames will take time.
Wargames are no panacea. That said, cyber wargames are not only a reliable tool to support cyber research and education, but perhaps one of the best. When adhering to the best practices of wargame design and execution, they can help illuminate cyberspace and allow serious exploration of methods and potential solutions for cyber security.
Benjamin Schechter is the resident wargame designer in the Cyber and Innovation Policy Institute and a faculty member in the Strategic and Operational Research Department at the U.S. Naval War College. He helped design the Naval War College critical infrastructure wargame series, as well as an experimental cyber-nuclear wargame that has been played around the world. His current research focuses on cyber security, cyber wargaming, and political psychology.
The views presented here are his alone and do not necessarily represent those of the U.S. Naval War College, the U.S. Navy, or the Department of Defense.