What’s the Best Way to Wargame Cyberwarfare?
Faced with a variety of new threats, from hypersonic ship-killing missiles to anti-satellite weapons and terrorist attacks, top Pentagon leaders are pushing for more analytical wargaming to devise strategies to counter such threats.
But in an era where information can be an instrument of war, the question of how to effectively wargame cyber attacks is a critical issue for military planners.
Modeling cyberwarfare resembles the philosophical question of whether a tree actually fell in a forest if no one heard it fall. How does a wargame designer realistically depict a stealth weapon like a computer virus, whose very effectiveness depends on the victim not knowing that the virus exists or how it works?
“We have been trying to integrate stuff like that [cyberwarfare] into operational games, but the weapons themselves are so highly classified and tightly held that we don’t really know what capabilities exist,” says Peter Perla, a defense wargaming expert and senior research scientist with the Center for Naval Analyses.
Perla calls cyber the “holy grail” of wargaming. “We have some general ideas of what might exist but we tend not to be able to cross those barriers. So we kind of give people generic capabilities and ask them to find something that they’d like to have. Then we assess whether it is a one-shot deal, or it might be persistent for a while,” he said. “But the parameters are very difficult to get a handle on because we have no experience with them.”
That lack of experience extends to those operating defense networks. “One big thing we did that was game-changing for us is that we actually wargamed our computer network defense activity,” said Bill Marion, the Air Force’s deputy chief information officer at a May 11 AFCEA breakfast meeting. “So it’s not industry [network defense] and government network defense. It’s got to be a partnership. So we actually wargamed – and exercised – two times with DISA [the Defense Information Systems Agency]– to a point where … the mission owner actually went through those threats, worked through them, and documented those processes.
“Because they just don’t exist when a classified event happens. How do you work through the flow of mission? That was one of our biggest stumbling blocks,”Marion continued. “You have to dig through that with your industry partners. It’s absolutely critical.”
The gaps in knowledge can create problems for the people who design and run wargames. Designing a cyber wargame in which you don’t know the full cyber capabilities of either party is like designing a ballistic missile defense simulation where the characteristics of enemy missiles are unknown and so are the capabilities of U.S. and allied radars and interceptors.
Should the U.S. ever engage in hostilities in the South China Sea or Eastern Europe, cyberwarfare is certain to come into play, probably on both sides. If so, U.S. wargames will need to incorporate cyber in order to craft a realistic strategy for any such engagement. Indeed, Deputy Secretary of Defense Robert Work’s February 2015 memo which called for more wargaming, specifically mentions cyber as a factor that must be included.
In a January 2015 speech, Work also cited cyber as one of several capabilities that potential adversaries are designing “to counter our traditional military strengths and our preferred way of operating.”
John Curry, author of “Dark Guest: Training Games For Cyber Warfare,” sees two issues with simulating cyberwarfare. The first is that there is little real-world experience of cyberwarfare on which to base a game. While cyberattacks do occur, we have not yet seen the kind of intensive cyber warfare that might take place between sophisticated cyber powers at war. “Google, Microsoft, HP and our universities have not been mobilized in an all-out effort to hit the other side,” Curry says. “Despite protestations that we have had cyber war, we have only had skirmishes on the fringe of conflicts.”
The second is the incredibly rapid fluctuations endemic to cyberwarfare. “One of the issues of cyber weapons is they are largely untested and can be rendered ineffective by the next software patch,” Curry says. “You build a tool, the other side builds a patch and then your tool has to be re-engineered.”
So how should cyberwarfare be simulated in defense wargames? Experts say there are two ways to approach this. One is to simulate cyberweapons in detail, such as distinguishing between different types of viruses and their effects. This would help teach players something about how these weapons work and how they could be employed in conflict.
But Perla and others suggest the alternative solution is better: It’s a “black box” approach in which players only see the basic effects of cyberwarfare and don’t get caught up in the details about how something is done. It’s the same approach wargames use for electronic warfare, where players are simply told that jamming has disrupted their communications.
“I would focus on potential effects rather than specific weapons,” Perla says. “For example, one type of attack might reduce command and control capacity, making it difficult to issue or change orders. This could be characterized on a ‘Cyber Card’ the player has available. When played, the game controllers would implement the effects as they see fit. Possibly, the effect is either bigger or smaller than expected. Possibly, the opponent is aware of the attack and able to negate it, or even turn it against the original user,” he said.
Perla also notes that depicting cyber depends on the level of warfare being simulated. “Cyber at the strategic level is likely to use different tools against different targets than cyber at the tactical level,” he said. “Big surprise. For example, at the tactical level, one side may try to tap into the cyber networks of their opponent after capturing a headquarters. But the opponent may run a deception op, feeding false info through the captured node.”
Simulating cyberwarfare also depends on the audience. If the goal is to create a training simulation for cyberwarfare operators, then it makes sense to delve into the nitty-gritty of specific forms of attack and defense, or the characteristics and vulnerabilities of various types of software or computer networks. But if the audience is a slate of senior generals and admirals wargaming a North Korean invasion of South Korea, then there is no reason for the game to simulate the differences between a malware attack and a denial-of-service cyberattack.
“The operational reality is that cyber is integrated with the other domains of warfare,” Curry says. “Cyber is just a means and is rarely the end.”