Cyberwar game activities allow companies to practice their reactions to a series of cyber incidents, helping to improve their resilience to inevitable cyber attacks.
The government and military have long used war game exercises to train their attack and response capabilities. Today, in the face of ongoing high-profile data breaches and increasing regulatory pressure, some private sector companies are using cyberwar games to test their ability to respond to cyber incidents.
It’s a very different experience from a regular video game, and it often becomes quite serious.
Benefits
Cyberwar games help to identify potential gaps in an organization’s preparedness and response plans. For example, participants in one organization that was running a war game with a financial fraud scenario decided to temporarily stop high-value banking transactions to limit the damage from the attack, only to find, according to Daniel Soo, a director of cyber risk services at Deloitte & Touche LLP, that they did not have the technical capabilities to limit those transactions. One of the lessons they took away from the war game exercise was to build up the technical skills to do so.
Although cyberwar games require time and resources to plan and execute, many organizations that run them say they are well worth the effort, according to Soo.
Another advantage of cyberwar games is that they can prevent participants from getting bogged down in organizational politics. Soo notes that during traditional assessments of cyber threat preparedness planning, session participants may begin to criticize the cyber response plan, saying, for example, that it should have been written by someone from risk or crisis management as opposed to IT security.
How Does a Cyberwar Game Work?
The sophistication of cyberwar games can range from relatively simple “table-top” exercises to full-blown, dynamic simulations. In a table-top activity, moderators instruct participants from various business functions on the attack scenario; participants then practice the company’s response plan to the incident, Soo says.
In many situations, organizations that want to objectively assess their responsiveness will engage an external third party to design, facilitate and conduct the war game on their behalf. The third party creates a war game scenario that poses a high threat level to the organization and that reflects its industry and its objectives. According to Soo, an organization’s objectives may include the need to define and clarify the roles and responsibilities of cyber responders, improve communication among them, understand decision-making authority, or highlight interactions with third-party business partners. The war game facilitator develops scenarios that exercise these objectives.
The simulations are structured differently. Participants usually do not know when the “attack” will occur or what form it will take. Instead, they have to piece together clues they get from the moderators, who point out that something is wrong. These hints could be applications that run slowly, are delayed or otherwise do not work properly.
Purpose
Cyberwar gaming puts participants in an immersive simulated cyber attack situation, such as a website defacement, a denial-of-service attack, a data breach, or the discovery of malware within a corporate organization. Over the past 18 months, a variety of companies in various sectors, including financial services, energy and healthcare, have conducted industry-specific cyberwar gaming exercises to practice their response to coordinated attacks.
Soo says that cyberwar games bring the experience of responding to a cyber attack to life. In this way, he adds, they allow participants to practice their responses in a safe, controlled environment and help organizations assess the effectiveness of their inter-departmental coordination and communication. Cyberwar games bring to light not only the escalation paths for these decisions, but also unexpected decisions that companies may face, such as whether to shut down part of the corporate network.
Cyberwar games differ in many ways from traditional assessments of organizations’ readiness to defend against cyber threats, according to Daniel Soo, a director of cyber risk services at Deloitte & Touche LLP. While traditional assessments of cyber threat preparedness focus on assessing technology controls and the completeness of incident response plans,