Strategic Foresight and Resilience Through Cyber-Wargaming

摘要

Cyber-capabilities provide nation and non-nation state actors, including criminal organisations and individuals, with the ability to project power and influence across borders and into critical infrastructure, corporate networks and military systems with relative anonymity and impunity. Employed on their own or as part of a broader influence activity, cyber-attacks can use vulnerabilities within networked and digitally-enabled systems to create opportunities to undertake a variety of malicious actions, including the theft of intellectual property or financial data, engage in aspects of hybrid warfare or undertake the destruction and/or disabling of physical property that is network connected. Traditionally, strategic and military planners have undertaken wargaming as a means of anticipating potential outcomes relating to system vulnerabilities and failures, as a means of optimizing a system of systems and increasing resilience. However, cyber-wargaming as a strategic planning activity has suffered conceptual and practical problems due to the disconnect between technological design and the conceptual models used for physical systems and critical infrastructure. Traditional concepts such as time, which have generally been easily represented within wargames, are much more difficult to represent in the cyber domain. The lack of suitable models has led to two different approaches; a focus on the operational and technical through red teaming and cyber exercises, or a focus on the strategic through executive table-top activities and matrix wargames. Cyber-wargaming is an iterative approach to optimizing the information security posture of an organisation, whilst simultaneously increasing the knowledge of the participants about their environment. Cyber-wargaming ensures the organisation evolves as a collective and has an opportunity to engage in a safe way with potential risks and threats. This paper proposes a unique cyber-wargaming model which seeks to achieve strategic foresight and increase the resilience of the system of systems. The model provides organisations and individuals with a way of understanding vulnerabilities across the systems of systems within cyber-space, in a way that facilitates understanding of the fundamental risks to an organisation. The cyber-wargaming model proposed by this paper will allow participants to reduce risk, enhance understanding and increase collaboration to address the fundamental socio-technical issues they must address to succeed. This unique approach extends on existing assurance programs and governance frameworks, by recognizing the role of the malicious actor, incorporating a view of the cyber-ecosystem and aligning strategic organizational imperatives with information and communication technology security programs.