Decision makers: Get your war game on
- By Paul McCloskey
- Feb 16, 2017
The use of war games as a way to explore government decision making has long interested agencies outside the defense space.
Now that interest might be expanding as agency managers, financial analysts and cybersecurity staff confront the vicissitudes of a new administration and the need to provide direction to a new team of government decision makers.
Just after the President Donald Trump's administration opened for business this year, Unisys Corp. launched a set of cyber resilience services that used war-gaming techniques to help plan for crises related to cyberattacks by simulating threats and using them to develop avoidance and response policies and procedures.
To develop its services, Unisys customized Department of Defense cyber war gaming methodology, combining it with standards from the National Institute of Standards and Technology for use by its government clients. The services identify challenges to participants’ organization as “most likely,” “most dangerous” and “out-of-the-box/it will never happen.” Participants work in teams to meet objectives as conditions change.
John Bone, a retired Army colonel and former chief of the war gaming center for the U.S. Joint Forces Command, is leading the Unisys effort, which aims to understand users’ challenges; build war game scenarios that align with real threats; and then lead, monitor and analyze exercises based on those scenarios.
There are also plans afoot to return to war gaming to study national security policies and their impact on the Defense Department, Bone said.
“The current group of senior leaders in the military grew up in the last 14 years as the result of 9/11,” he explained. “And so they are not necessarily opposed to the objective, underpinnings of a war game and a detailed, objective analysis.”
Changing the mindset
Even so, the cybersecurity playing field has become so complex that few standalone tools are productive anymore. “What used to be the idea that I could have a static defense -- put in a firewall and I don’t have to worry about anything -- is no longer the case,” Bone said.
Instead, the “attack vectors and the threat have become so agile and so adaptable, so inventive in how they approach the victim, that you have to have more of an active pursuit,” he said. “You have to change your defense posture, and you have to change how you think about it.”
A new mindset surrounding defense will mean adopting unprecedented assumptions in building a culture of resilience around security, Bone said.
“The reality is you will be attacked, you will be penetrated,” he said. “So how do you prepare, rehearse, train and provide confidence to the public that your [team] is ready to respond to and manage these intrusions through a war game?”
Given these conditions, flexibility around choosing large or very small teams in conducting a simulation is considered a distinct asset to war gaming experts.
“I think this is a great thing, and one of the things we talk about with war games is that they are perfectly scalable,” said Nicole Monteforte, who directly manages the war gaming and exercise team for Booz, Allen Hamilton.
Last fall Booz Allen partnered with the National Academy of Public Administration, which had an effort underway to help the president elect smoothly transition into office.
In the exercise, the teams came up with a series of war games addressing aspects of the presidential transition, including a long-term look into the future.
“We tried to take a 10-year projection -- what’s the future going to look like; what are the challenges that the next administration might face,” Booz Allen Vice President Ron Sanders said.
The team also conducted a simulated cyberattack on a piece of critical infrastructure. The simulation did not assess technical questions, Sanders said, but instead focused more directly on the impact of an attack.
“We looked at how to deal with the aftermath [of the] attack itself, including panic, food lines and people lining up at gas stations.” Sanders said. The analysis of responses to the simulation will show “if we did this on an interagency basis, because that’s one of the great challenges of government, working across agency lines and intergovernmental lines,” he added.
The legacy of war gaming was also heavily influenced by the events of 9/11, which became a powerful standard for addressing crisis management and coordination. “That’s been a theme that’s continued over the past 15 years,’ Monteforte said.
Even so, cyber remains the primary challenge for most government war gamers.
Cybersecurity has become “a huge focus area for a number of our clients across the government and commercial markets,” Monteforte said, noting that up to half of the Booz Allen war gaming portfolio is focused on cyber.
“We find that people use war games to help them think through the really sticky issues that they’re facing today or in the next two to five years,” she said. “Cyber just seems to be the thing that’s on the front of everybody’s mind.”
The weakness within
War gaming can also help organizations look inward to find potential cracks in an agency plan or strategy.
“A war game can be a very powerful diagnostic,” Sanders explained. A simulated cyberattack on an organization, for example, lets the executives see how they will react.
“We’ll reveal short-term technical and tactical issues that the organization needs to deal with,” he added. “But almost invariably it also reveals more deep-seated organizational and structural problems that the organization needs to contend with.”
A war game can also be a powerful way of building a new team, Sanders said, “especially when you have career civil servants dealing with a new group of political appointees who have just been sworn in.” At the beginning, the groups might not work well together.
“The sooner they mesh and come together as a team and focus on the challenges that the agency has to contend with, the more likely they’re going to be able to solve them,” he said. “As a team building tool, this is powerful.”
“At the end of the day, you’re never going to predict the future,” Sanders said, “but this is about preparation, not prediction. And if the team is prepared to coordinate and collaborate and share information, they have to practice that.”
Yet war games are not necessarily for everyone, Monteforte said. “This is for those really big problems … [where] you’ve got competing interests, competing equities, lots of different people who have to come to the table to work together.”
“And whether you’re talking about leadership training for how leaders are going to work together or you’re talking about responding to a crisis, having those different personalities and different perspectives working together in that simulated environment, where they can make mistakes and try to feel each other out is really one of the most powerful definitions for when you need a war game,” she said.
If a solution rests with just one person, he “can write a study and you don't need a war game,” she said. “But if you have seven people and they all want to go in different directions, bringing them together in this environment is really powerful.”
Editor’s note: This article was changed Feb. 20 to refer to Booz Allen Hamilton as Booz Allen rather than BAH.
Paul McCloskey is senior editor of GCN. A former editor-in-chief of both GCN and FCW, McCloskey was part of Federal Computer Week's founding editorial staff.