In the world of cybersecurity, the term “cyberwarfare” is casually thrown around, often with a significant lack of understanding regarding how to prepare for and respond to an event in a manner that enables the organization to seize control from the cyber adversary.
“The able commander is active rather than reactive, takes the offense and controls the situation.”[1] This is especially relevant in a defensive action such as cyberwarfare and requires continuous preparation.
The continuously increasing attack surface created by digital transformation requires an ability to quickly maneuver when an unexpected obstacle is encountered. If an organization is to maximize their performance and improve their resilience from a cyberattack against an attack surface in the organization’s predominantly internet operating environment, preparation in the execution of the strategy and supporting tactics of the cyber defense plan is critical.
One strategic tactic in that preparation should be Wargaming. “In preparing for battle I have always found that plans are useless, but planning is indispensable.”[2] In an environment most often dominated by chaos, uncertainty and doubt that leads to fear, plans become useless. However, engaging in training, testing and review of the tactics, in support of the plan execution, prepare the individual and/or team to exercise the knowledge gained, from that activity, to improvise when the unexpected occurs and the plan becomes useless.
A role-playing simulation, such as a business wargame centered on cybersecurity, generates a new perspective on the subject as a product of the interactions of the multiple disciplines the participants represent. The mental models created from this activity are added to the latticework of the existing mindset regarding decision-making when such a situation is encountered. As a result of the experience of participating in the wargaming exercise, actions necessary for further mitigating risk, improving performance and maturing the cyber model component of the enterprise culture are identified.
The Goal of Wargaming is Innovation
Innovation is an important tactic in any cyber risk mitigation strategy. It requires diversity – especially cognitive diversity. Cognitive diversity is the inclusion of people whose experiences have influenced their style of problem-solving. When choosing participants for a Wargaming exercise, cognitive diversity should be a primary factor. As the saying goes, “it takes a village”.
The village is built on bonds created by the sharing of an experience. A Wargaming exercise provides an experience that enables these diverse individuals to momentarily transcend institutional barriers, share knowledge across domains and collectively grapple with possibilities, risks and uncertainties.
When done well, Wargaming is a team building exercise of shared experiences such as stress, chaos, compromise and trust building that leads to an appreciation of each individual. An appreciation that may have not been present previously, and a willingness, regarding cyber risk mitigation, to pursue innovation and the elimination of methods previously seen as workable.
The myriad challenges of data sharing and ownership and the host of other complex factors in maintaining the security and privacy of that data make Wargaming one of the best resources for discovering the innovative strategies to make the organization secure and resilient to a cyberattack.
Wargaming as a Leadership Learning Tactic
It has been said, “the minute you stop learning, you stop leading.” Leaders who accept this theory have traditionally applied their learning efforts to business operations related to their organization.
However, the challenges of data privacy, data ownership and data sharing, as organizations progress in their digital transformation, have provided a new discipline for executive management to apply an increased focus to their learning curriculum.
Psychologists maintain that the ability to deal with problems in the most appropriate manner is the hallmark of an individual’s wisdom. Wisdom is the product of experiences(s). We need to learn to deal with different situations that place different demands on us.
This skill can be taught by putting people into a situation and discussing their behavior and most importantly, their mistakes. Wargaming is considered, perhaps, the most cost-effective manner to place people in such situations regarding cybersecurity. It is an important, indeed essential, source of successful organizational and societal adaptation to the uncertain future created by cybersecurity threats.
If you want an objective answer to “are we ready?”, Wargaming should be an integral part of learning the answer. It enables senior leadership to evaluate the decision-making ability of lower-level leadership that can lead to increased trust in the leaders delegated with the authority to make in-the-moment decisions that disrupt the adversary’s plans.
Creating a Strategic Advantage Through Wargaming
In any conflict, a strategic advantage is achieved by the competitor who, by being prepared for the situation, makes decisions and acts on those decisions at a “Tempo”[3] exceeding that of their adversary. By operating at a superior “Tempo”, the adversary is forced to respond to the targeted organization’s moves and, therefore, no longer has control of the attack scenario.
We are all a product of our experiences. By creating, for its participants, a synthetic experience Wargaming gives people palpable and powerful insights that better enable them to prepare for the complex and uncertain situations of the future. In order to address this environment, a transformation of the mindset perspective of key decision makers must occur. Wargaming is considered the most cost-effective manner to obtain these experiences.
Wargaming can test a strategic plan. But, the only way for Wargaming to viably inform strategy is to allow it to inform and alter strategy – regardless of whether or not it confirms a foregone conclusion.
Strategy requires a vision of the future. The creative and visionary act of cognitive warfare produces powerful results related to vision and the subsequent strategy for achieving that vision. Wargaming incorporates cognitive warfare into its process models which enables individual participants to transform themselves by making them more open to internalizing their experiences in the exercise. Such transformation of decision makers is necessary if decision makers are to properly prepare for the complexity and uncertainty of a cyberattack.
At the very least, the synthetic experiences of a Wargaming exercise will help prepare decision makers to ask critical questions during planning and preparation for the unpredictable range of possible futures. A cybersecurity Wargaming simulation should target a critical vulnerability, unique to the operating environment of the organization, that has been identified from previous observation of the operating environment.
Questions, whose answers are the product of the exercise may cause them to alter their previous strategy. Examples of such questions are:
- Where is the next threat to this vulnerability coming from?
- What controls are immediately available to quickly respond to such a threat?
- What is the level of situational awareness, across the enterprise, of this threat?
- How can the organization improve the detection of the anomalous behavior of this threat?
The Human Factor in Wargaming Exercises
Wargames can test a company’s readiness for a cyberattack and most often seeks to answer the question, “can the security team identify and assess a breach quickly?” Organized around a business scenario, it is structured to simulate the experience of a real attack. What may not receive the attention it deserves is the human factor in a cyberattack.
Humans are subject to a bias towards keeping their prior commitments and staying consistent with their prior selves when possible. A cyberattack is, by definition, a stressful event. Stress causes both mental and physiological responses that tend to amplify the biases held by the individual. Stress causes mental biases to become worse; the individual relies purely on instinct, makes hasty decisions and falls back on habits learned in previous experiences as well as those developed in training. This second source of habits emphasizes the importance of creating stress in Wargaming scenarios.
A Wargaming scenario must integrate the elite soldiers’ motto into the objectives of the exercise, “in the thick of battle, you will not rise to your expectations, but fall to the level of your training.”
The only way to ensure optimal organizational security posture is to continuously expose your environment, and the people operating in that environment, to the latest malicious activity occurring in that environment.
Changing The Human Factor of Learning is Critical to a Cybersecurity Transformation Program
Cybersecurity transformation involves the modernization and forward thinking of people, processes and technology. Of the three, perhaps the most difficult in which to affect change, is people. Humans can’t do very many different things because we are finite creatures with a limited number of dimensions related to behavior. As creatures of habit, it is human nature to follow simple reproducible patterns and to resist any change in those patterns. We rarely act in isolation and would rather interact with the environment around us. Therefore, it becomes incumbent on the organization to create an environment that fosters learning and leads to a willingness to change our patterns of behavior.
In order to create such an environment, three conditions are necessary:
- A person must be given consistent and regular feedback related to performance.
- Feedback must be relatively immediate or learning will be difficult.
- Feedback must be measured and unambiguous.
This type of environment will significantly address the cognitive limitations of humans and improve their mental focus on the objective of improved cybersecurity.
Using Wargaming to Create Mental Models
As previously mentioned, cognitive diversity in assembling participants for a Wargaming exercise is invaluable. Each of these individuals, based on their experiences, will see something different regarding the problem scenarios of the exercise and will introduce facts for consideration. The creative and visionary act of this cognitive warfare exercise produces powerful results. But if these results (facts) don’t hang together on a latticework of theory, you don’t have them in a usable form. That usable form is known as a mental model.
Mental models are like tools in a toolbox. Each tool can be used or was designed for one specific purpose. In this instance, the toolbox is our head. The quality of our thinking and therefore our decision making is proportional to the models in our heads and their usefulness in the situation at hand.
Mental models are how we simplify complexity and why we consider some things more relevant. They help establish “muscle memory” and multi-function coordination to better manage the business crises associated with the uncertainty and unknown of a cyberattack.
The human brain is a relatively inefficient device for noticing, selecting, categorizing, recording, retaining, retrieving and manipulating information for inferential purposes. Humans think using a process known as “The Ladder of Inference”. The process begins with a pool of data and, based on observations of that pool of data, elements are selected that lend meaning to the current situation and allow the person to make assumptions.
The mental models created by previous experience are part of that pool of data. That experience is one part of the necessary conditions that result in learning. The second component of learning is the introduction of new data such as the mental models created in a Wargaming exercise. This new data is often the result of the mixture of the cognitive diversity of the team whose thoughts on a situation might change existing assumptions (i.e., mindset regarding the situation). Conclusions founded on these new assumptions can cause the person/team to develop different beliefs (i.e., perspective) regarding the solution and foster a different action than what might have been taken if the decision was based only on past mental models.
The risk-free environment of Wargaming enables the participants to express thoughts that may not have been considered in a real life situation and develop a different perspective on the business security challenges. This process must be continuous to affect learning.
Few Organizations Use Cyber Wargaming to Practice Response Plan
Everyone has a role to play in cyber awareness and in their own organization’s response plan. Yet, surveys regarding Wargaming indicate that a significant number of the organizations polled do not conduct Wargaming exercises. Many of the C-level respondents indicated they do not know their individual roles within the organization’s cyber incident response plan.
Wargames were originally developed to test military action plans. Their focus is on ‘action-reaction’ assumptions on how the ‘enemy’ will respond to different decisions. In cybersecurity, wargames are cross functional exercises where two or more teams are prompted to make strategic decisions focusing on the “what if”. As such, corporate Cyber Wargames are invaluable in testing potential response strategies and undertaking scenario planning.
Organizations must take action to become more proactive in the use of Wargaming exercises. It is a known fact that the threat actors are collaborating way better than organizations currently collaborate regarding maturing the cyber model of the enterprise culture and the need to improve organizational resilience. Resilience is the product of trust across the organization. Wargaming is an exercise for strengthening trust, teams learning from each other and reducing the dependence on a single analyst who may or may not be available when an actual threat incident occurs.
Summary
“Cyber wargames are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after and preparing for the next cyber incident,” said Daniel Soo, cyber wargaming leader for Deloitte.
A typical wargame allows participants to hone organizational reflexes and collaborative judgment capabilities required to avert or reduce a cyber incident crisis with real-time injects and threat vectors that mirror those an organization would likely encounter.
The reason legacy vulnerability-centric programs and simulations fail is they don’t show CISOs where they’re most exposed based on how adversaries actually think and act. It is necessary to adapt the attacker mindset and prioritize vulnerabilities based on real-world impact which is the basis of Wargaming simulation.
The ability to rehearse different outcomes of decision making enables teams to see beyond the immediate crisis and to understand the longer-term consequences of their decision making. This includes how they would defend those decisions to the media, shareholders and regulators, should they need to do so at a later date. For this reason, wargames are amongst the most effective tools for senior leaders to gain confidence in decision making, challenge assumptions and become better prepared to face a cyber crisis.
Wargaming exercises can improve the organization’s maneuverability and flexibility and, “fight the fight you are facing when the plan to fight is no longer appropriate.”
[1] Sun Tzu, The Art of War
[2] General Dwight D. Eisenhower
[3] Tempo is relative speed in time. In the series of moves and countermoves involved in cyber defense, tempo of execution is critical to seizing control of the situation.