Wargaming: the art of combatting Cyber Resilience by Richard Pasco
A senior officer once told me that no paper is complete without a quote from a German General so let’s start with one.
“This is not a game! This is training for war! I must recommend it to the whole Army.” General von Muffling, Chief of the Prussian General Staff, 1824
Anyone in the military has certainly attended a Tabletop Exercise, Tactical Exercise Without Troops, Rehearsal of Concept drill, or wargame before. They can be an effective way of assessing a plan against a range of threats. The military use them for planning and learning how to plan, which is increasingly relevant in our rapidly changing world. Speaking from experience, good quality data, and effective handling and analysis of that data (alongside a willingness to play the game), are critical in delivering effective and well-informed wargaming.
A data-led approach
A data-led wargame has the advantage of focussing the conversation on the tangible problem and avoids the potential of a discussion without resolution. If analysts are able to model the wargame scenario in advance and pull out the key logistic issues, a simple graph or data table projected around the room can focus the conversation on the key issue(s). Even better than that is a tool that can be operated live in the room so new courses of action (COAs) can be suggested, tested and adjudicated all within the wargame itself. The advantages of applying machine speed calculations to bring logistics issues to life greatly benefit the act of presenting logistics challenges (and opportunities) to a commander. Predictive analytics that forecast usage linked to real time stock levels and an understanding of nodal constraints via open-source or satellite data is a compelling offering. Logistics is a science but wrapped in an art and a numbers-centric wargame can bring out both sides of this challenge.
A willingness to commit to the game is also critical. Dice, chance cards and voting can all feel a bit geeky, but there is a great body of academic evidence to demonstrate that these tools are incredibly effective in aiding good decision-making. Anonymity of voting on likelihood of success or suggesting alternative COAs can initiate a brilliant idea from those who would otherwise have been lost or hidden behind their rank badge.
How do you wargame a threat that exists in a virtual domain?
The internet has interconnected our world and revolutionised the way in which we shop, the way we bank, the way we watch TV and the way we live almost every part of our lives. Our personal lives and the business world exist in a heavily integrated global network and as a group we tend to believe that our IT security is covered by others, rolling our eyes when our phone decides to update or when MODNET unexpectedly reboots at 11am on a Monday morning. As the recent National Audit Office report stated, the internet is inherently vulnerable and attempts to exploit its weaknesses, known as cyber-attacks, continue to increase and evolve. The Government’s view is that cyber risks can never be eliminated, but they can be managed to the extent that the opportunities provided by digital technology, such as reducing costs and improving services, outweigh the disadvantages.
In the Defence industry ‘cyber’ is rapidly becoming a warfighting domain, with frontline skirmishes happening as we speak. Of all the domains, it can be argued that Defence Support has the greatest software, services and systems which it does not and may never come to completely control. We depend on contracted partners at all stages of activity, from routine support on the home base to working with a service provider when forward deployed. To do so, we share many types of information between ourselves and with our partners in order to deliver logistic effect.
What is the impact of a cyberattack?
In 2017, the attack known as NotPetya was released, targeting a Ukrainian banking firm. It spread rapidly around the world, infecting millions of PCs including those of Maersk. Maersk operate 340 ports around the world and play a role in 20% of all global shipping. The NotPetya outage left Maersk unable to process shipping orders until systems were restored, freezing revenue from several of the company’s shipping container lines for weeks.
The attack was so severe that Maersk lost the ability to function, to the extent that they could not even open the gates of their ports. By a stroke of luck, a critical server in Lagos had been powered down; it was flown back to the UK, where a team of consultants was locked in Reading Industrial Park to rebuild the entire Maersk network. The loss of several weeks of activity is estimated to have cost Maersk £200-300 million.
That is why cyber resilience wargames were created. We need to understand the impact of a cyber event so that we can put the right mitigation processes in place. No one can ever be completely secure, but we must understand and then manage that risk. A huge part of the wargaming process is education and, like many things, a cyber-attack feels very ethereal until it happens to you. We have found that simply stepping through the wargame can change mindsets and start to create a cyber-aware culture which is far more effective than the mandatory training on its own.
A cyber resilience wargame in operation
A cyber-resilience wargame takes a logistic capability - be that a piece of LogIS, a logistic node or process - and brings together SMEs who understand the subject into a (suitably cleared) room. Often there is a vulnerability investigation into the technical attack vectors that can be used to gain access. This provides some background but the conversation we are aiming for is about the resulting impact of an event and not how someone could get inside. The players are briefed on the rules of the game; most importantly, this is a safe-to-fail environment. We are not technical experts in cyber but it affects us all which means we all start the challenge with equal equity.
Step One: Availability
A scenario is presented of a routine activity for this capability and then challenges are introduced. These can be an event against confidentiality, integrity or availability (also known in the cyber world as ‘CIA’). It is easiest to start with an event against availability with a total loss of system function. Quite often we have found that business continuity plans for any sort of loss are already in place as part of military contingency planning, often based on phone calls and reverting to previous procedures (as long as the number isn’t stored on the system that’s gone down!). This redundancy offered through extra capacity, reversionary modes or staff experience is critical to maintaining the logistic task. Any “updates” to a system in the name of efficiency must be measured against effectiveness in a constantly degraded environment.
Step Two: Integrity
Next, we introduce an attack against integrity where data is changed or manipulated. Maybe an order is duplicated, cancelled or changed. What if a delivery arrives that you weren’t expecting or twice as much as you thought you had ordered? How can that be noticed in amongst the volume of orders flowing through a system? How would you identify if this was an attack or human error?
Step Three: Confidentiality
Finally, we test an event against confidentiality. If an attacker can gain access to a system and simply observe, what can they learn? Would logistic activity signal an operational change or signify an imminent deployment? What would a combination of these insights from several systems provide a potential aggressor?
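One way to make the integrity questions above concrete, as an added example that is not part of the original article: a reconciliation check, in Python, that compares the supply system's ledger against the ordering unit's own sealed record of what it confirmed, flagging duplicated, changed, unexpected and missing orders. The order IDs, items, destinations and the key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (not from the article): orders as confirmed by the
# ordering unit, and the same orders as they later appear in the supply system.
CONFIRMED = [
    {"id": "ORD-1001", "item": "fuel-drum", "qty": 40, "dest": "FOB-A"},
    {"id": "ORD-1002", "item": "ration-pack", "qty": 500, "dest": "FOB-B"},
    {"id": "ORD-1003", "item": "tyre", "qty": 12, "dest": "FOB-A"},
    {"id": "ORD-1005", "item": "water-jerry", "qty": 200, "dest": "FOB-B"},
]
LEDGER = [
    {"id": "ORD-1001", "item": "fuel-drum", "qty": 40, "dest": "FOB-A"},
    {"id": "ORD-1002", "item": "ration-pack", "qty": 1000, "dest": "FOB-B"},  # quantity doubled
    {"id": "ORD-1003", "item": "tyre", "qty": 12, "dest": "FOB-A"},
    {"id": "ORD-1003", "item": "tyre", "qty": 12, "dest": "FOB-A"},  # duplicated
    {"id": "ORD-1004", "item": "tyre", "qty": 12, "dest": "FOB-C"},  # never confirmed
]  # ORD-1005 is absent from the ledger: cancelled inside the system
KEY = b"hypothetical-key-held-outside-the-ordering-system"

def seal(order, key=KEY):
    """HMAC over the order fields, computed with a key the ordering system never
    sees, so a change made inside that system cannot be re-sealed to match."""
    msg = "|".join(str(order[k]) for k in ("id", "item", "qty", "dest")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def check_ledger(confirmed, ledger, key=KEY):
    """Reconcile the system ledger against the unit's sealed record.
    Returns sorted (order_id, finding) tuples; triage decides attack vs. error."""
    seals = {o["id"]: seal(o, key) for o in confirmed}
    counts = Counter(o["id"] for o in ledger)
    findings = [(oid, f"duplicated {n} times") for oid, n in counts.items() if n > 1]
    for o in {o["id"]: o for o in ledger}.values():  # one entry per order id
        if o["id"] not in seals:
            findings.append((o["id"], "no confirmed order on record"))
        elif not hmac.compare_digest(seals[o["id"]], seal(o, key)):
            findings.append((o["id"], "fields differ from confirmed order"))
    findings += [(oid, "confirmed order missing from ledger") for oid in seals if oid not in counts]
    return sorted(findings)

if __name__ == "__main__":
    for oid, why in check_ledger(CONFIRMED, LEDGER):
        print(oid, why)
```

Each finding is a discrepancy to investigate, not a verdict: a single changed quantity may well be human error, whereas many orders drifting in the same direction is a pattern worth treating as a possible attack.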
The findings of our cyber resilience wargames can be grouped into three major themes:
- Defence needs to truly understand its appetite to trade efficiency of new technology with operational effectiveness.
- Defence Support will always be working with partners and must find a way of sharing the cyber response (including the operational risk) with those partners.
- Education is the best way to combat the cyber threat and wargaming is an excellent way to teach the players how to think about cyber in a meaningful and actionable way.
We have run these games inside Defence Support but have also provided this service to other industries and academia. To find out more, or to discuss how a cyber resilience wargame could be applied to your company, unit or department, please visit our website.
Techmodal is a UK-based applied data science business solving complex data problems for its clients in Defence and Industry. Its purpose is to help customers harness their data using experts, teams and bespoke tools to support their most important business decisions. More information about Techmodal can be found here: www.techmodal.com