28 April 2018

How to Run a Cyber War…Game

MICHAEL SULMEYER AND DMITRI ALPEROVITCH

The Cipher Brief hosted its second annual threat conference at beautiful Cloister Resort on Sea Island, Ga., this month. While there, Dmitri Alperovitch and I ran cyber exercises that pushed participants, many of whom are former senior government leaders, to step into the shoes of U.S. national security decision-makers to resolve international crisis situations. Because the sessions were entirely off-the-record, I won’t discuss how specific participants reacted and what they recommended, but rather I will reflect on what lessons can be learned from these types of exercises and how The Cipher Brief’s can be a model for others.


Be clear on what you want to exercise: Last year, we wanted to press our participants on how they would get ahead of the threats that we asserted were looming. We provided a fact pattern that created sufficient danger to warrant a serious national-security discussion, but there were enough off-ramps that our teams could recommend ways to keep tensions from boiling over. This year, we changed focus and forced our participants to develop response options after complex attacks had already occurred. Whatever your focus may be, make it clear and repeat it often so that participants have no doubt on what they are being tested.

Think through in advance the response options that the teams will deliberate on: Make sure the scenario provides for enough ambiguity and challenges to provide for a good debate amongst the teams as they are consider how to respond to an outlined threat. One of the things that make cyber policy issues so challenging is that they often occupy the grey zone between war and peace. If the scenario incorporates attacks that are too catastrophic in nature, the decision space becomes very simple – we are at war and hitting back at the enemy hard. If on the other hand the attacks are very limited in nature, the decision-makers may push to do nothing and simply ignore the problem. The trick is in doing enough to make it impactful but not too much so as to eliminate the non-kinetic options from consideration.

Don’t distract with extraneous information: To keep the focus on response options, we didn’t want our fact pattern to contain too many distractions that would lead participants astray. One of the easiest distractions we’ve observed is the issue of attribution. Of course, if the objective of an exercise is to test how participants react in the absence of knowing “whodunnit it,” facts that exploit uncertainties about it are helpful. Yet with only 10-20 minutes for teams to prepare their briefings to our mock president, we chose to control for the attribution variable by stipulating that in our scenario, specific intelligence agencies had high confidence in their findings. This kept the teams representing the intelligence community, the state department, and the military on track and tailored their discussions to actionable proposals they could bring to the table.

Know your participants and break interagency stovepipes: Dmitri and I have run exercises for participants with a range of different experiences and backgrounds. The participants at The Cipher Brief’s threat conference have an amazing breadth and depth of experience across industry and government. The opportunity for us was not to teach cyber policy, but rather to design scenarios that pushed experienced leaders into uncomfortable positions. For example, a senior diplomat might be asked to lead the team representing the views of the military. Usually, these leaders enjoy the chance to go outside their comfort zone.

Be creative with the role of the media: While decision-makers search for the best recommendations for how to handle a national security crisis, they also must contend with how whatever they do or don’t do will be viewed in the media. Last year, we selected a few participants to play the role of the mainstream U.S. media. This year, we asked them to assume the role of a news outlet sponsored by a foreign adversary.

How these “reporters” twisted our fact pattern and spun the Twitterverse was instructive not just for us as scenario designers, but for participants as well, since they saw their carefully crafted policy proposals distorted beyond recognition.

The adversary gets a vote: We wanted our participants to face the additional challenge not just of briefing a mock U.S. president, but also to learn how a team representing the adversary would react to their recommendations. Adversary teams are great when they are staffed with true area experts with deep knowledge of the country and its history. After all, the goal of such team is not to simply be a fun spoiler and troublemaker, but to put themselves into the shoes of the opposing country’s government and thinking through their objectives, constraints and priorities. We were fortunate that so many participants at The Cipher Brief conference possess this fluency: they proved to be an excellent validator of the proposals offered by the other teams.

Don’t try to do too much in too little time: We had 90 minutes after lunch, and we have both been involved into too many exercises that ask participants to consider too many details in too little time. Given that time limit, we limited each of our two scenarios to one adversary, and we limited each adversary to five or six discrete actions that participants were then forced to react to. We expedited internal discussions to 10-20 minutes, but let our mock president interrogate team leaders for 35 minutes per scenario.

Regardless of how future scenario designers create their fact patterns and staff their teams, we hope the factors highlighted above help create a more realistic simulation environment.

No comments: