1 "Gaming versus Exercises: Designing Surprise-resilient Organizations for a Cybered World Chris C. Demchak Professor, United States Naval War College Co-Director, Center for Cybered Conflict Studies Strategic Research Department Newport, Rhode Island, USA Views expressed are not those of the US Government or the US Navy.
2 Cyberspace imposes wide range of conceivable forms of nasty surprises to critical Socio-Technical-Economic Systems Possible on global scale, Including those from unintentional acts or just poorly coded attacks Multiplies knowledge and sensemaking problems many times over for leaders and institutions ensuring national security
3 FOUR Layers of Complex Systems Surprise inherent in Global, Open Cyberspace Layer One: LTSs, Largescale Complex Socio-Technical Systems, Normal accident" in surprise-prone large cybered organizations) Layer Two (all above plus: CIP, Critical Infrastructure LTSs (protected status, many linked organizational and technical systems) Layer Three (all above) plus :mass volume Bad Actors (average to good skills, ubiquitous from script kiddies to vast majority of botnet masters, volunteer anarcho-hactivists and less well skilled nation states) Layer Four (all above) plus: highly skilled low volume Wicked Actors (high threat persistent motivations, exquisite skills, ability to organize, access/evasion expertise, or wide deep harm propagation potential)
4 Must to learn to be resilient when embedded and vulnerable to globally complex system Resilience to surprise must be developed inside the socio-technical system, especially its security units. Need to develop collective sensemaking AND a menu of doable rapid accurate actions under urgent conditions (*) In addition to comprehensive data inside and outside the institution Must have collective trust among those responsive, mitigation or improvisation or innovation knowledge foundations, and holistic understanding of the wider environments involved. * From L. Comfort, A. Boin, and C. Demchak, eds Designing Resilience. U of Pittsburgh Press
5 Exercises that worked in the past are today need virtual advances for surprises of cybered conflict See cyberspace narrowly as domain so limit environment Construct exercises for known roles and responses One-offs, even if annual event No replay on the spot to test alternative hypotheses Usually do not play to break because want to bound the training or events Reverberations beyond scenario at best second order Educates those who design it and those who directly play, few others Not widely available for replay, update, dissemination
6 Exercise Shortcomings in Values do not collect tacit knowledge continuously, develop it, or allow the widespread reuse of this data. Do not prepare adequate capabilities against surprise across multitude of actors in complex socio-technical systems Even cyber ranges suffer from narrowness of vision
7 Oh great! We trained only with BIG ladders
8 Basic Lessons about Responding to Surprise from Complexity, LTS and Complex Adaptive Social System Research Complexity Research Major Lessons 1. Only Trends can be forecast with knowable/unknowable unknowns 2. Path Dependence powerful 3. Channeling trends is best possible accommodation option Largescale Technical Systems Research Major Lessons 1. Trial and Error best to acquire knowable unknowns 2. Tighter coupling increases potential rippling error paths 3. Redundancy and Slack powerful accommodators 4. Knowledge is expensive in time, money, staff attention, implementation Complex Adaptive Social Systems Research Major Lessons 1. Human buy-in essential for effectiveness (legitimate, useful, doable) 2. Cultural filters powerful (socialization, operationalization hard to control) 3. Largescale socio-technical systems drift readily into unnoticed critical coupling and a lack of urgency to absorb or seek knowledge
9 FOUR Types of MultiSource Threat Categories in Increasing Uncertainty and Surprise Potential Complexity in Largescale Complex Socio- Technical Systems, LTSs (basic "normal accident" and cascading surprise-prone large cybered organizations) (all above) plus Criticality for Nation CIP, Critical Infrastructure LTSs (protected status), High Reliability Industry, or Operationally Engaged Military (all above) plus high volume Bad Actors (average to good skills, ubiquitous from script kiddies to vast majority of botnet masters, volunteer anarchohactivists and less well skilled nation states) RESILIENCE DISRUPTION (all above) plus highly skilled low volume Wicked Actors (high threat persistent motivations, exquisite skills, ability to organize, access/evasion expertise, or wide deep harm propagation potential) Cybered Resilience Action Requirements (including Disruption Supplement) 1. Redundancy (of knowledge) 2. Slack (in time to respond) 3. Organizational Discovery Trial-and-Error Learning (DTEL) (all above) plus 4. Collective Sensemaking, 5. Rapid Accurate Mitigation, Improvisation, and Adaptation Action, 6. Frequent Whole System Practice for Extreme Events under Urgent Conditions (all above) plus 7. Enforceable Cyber Hygiene, 8. Underlying Technology-Secure Design Transformation, 9. Comprehensive Multi-Organizational/Layer Learning for Systemic Generative Innovation, 10. Stratified Two-Way Flow Sensors/Tagged-linked Interoperable Policy-guided Gateways (building blocks of National Cyber Borders ) (all above) plus 11. Extensive Wicked Actor(s) OODA Loop/Business Model/Motivation Knowledge Collection and Development, 12. Selected Controlled Disruption under Protective Principle of International Law 13. Collective Understandings/Undertakings with Like-minded Cyber Responsible States
10 Organizations need to Play It Through using advantages of virtual worlds Virtual reality simulations, if done correctly, can allow organizational members to play out their experiences and hypotheses with others, developing richer options for response to surprise Gathers tacit knowledge in ways that meet the graphical and spatial predilections of humans in easy, useful, and collaborative mechanisms Members can develop trust relations with those playing, and engage instinctively in performance assessments Can be re-used, replayed, reviewed, analyzed, and reconsulted later trial-and error learning IF co-authored, the tacit knowledge can be provide remarkably informed innovative responses to surprise because they or someone has played through
11 The Gaming needs to be Fully Embedded in Shared Practices of the Organization Knowing when to seek more knowledge is the sense-making of resilience Requires seeking what can be known continuously and keeping that tacit knowledge for ubiquitous operational use Embedded organizational high-fidelity, continuously available, co-authored, game-based simulations Daily practice of contributing reinforced by relatively frequent episodes of development of competence under surprising conditions Actors unusually educated about overall system Advantages Maintenance of knowledge closely monitored Environmental surprises constantly explored Cognitive resilience encouraged by ability to test ideas for local actions and see how they blend Operational knowledge exchanges practiced broadly with different actors or same ones
12 Operationalized real time surprise
13 Gaming and an Atrium Organization Embed operationalized on-call gaming in the organization Trial-and-error learning is easy, accessible, and useful Key attributes: High fidelity, continuously available, co-authored game-based simulations embedded in shared practices of critical organizations Encourages knowledge redundancy, along with novel approaches to slack.
14 ATRIUM for Cross Organizational Cyber Gamed Operational Learning Only possible in cybered world Can segregate own sensitive files and yet still play through Builds cross organizational trust continuously Builds interorganizational knowledge sets Atrium Core (multiple organizations) Real & Virtual Emergency Task Forces
Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.
USDA Forest Service Fire and Aviation Management Workforce and Development Strategic Framework Agency Fire Mgt Vision Line / Fire Dialogue Mentoring and coaching Leadership Development Long-term Indiv.
ericsson White paper Uen 307 23-3230 February 2014 Guiding principles for security in a networked society The technological evolution that makes the Networked Society possible brings positive change in
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
Cyber security: it s not just about technology The five most common mistakes kpmg.com b Cyber security: it s not just about technology Contents Preface 1 01 Understanding the cyber risk 3 02 The five most
Cyber Security Capability Maturity Model (CMM) - Pilot Global Cyber Security Capacity Centre University of Oxford 12/15/2014 1 Table of Contents Introduction... 3 Cyber Security Capability Maturity Model...
INTERNATIONAL STRATEGY FOR CYBERSPACE Prosperity, Security, and Openness in a Networked World MAY 2011 Table of Contents I. Building Cyberspace Policy............................... 3 Strategic Approach
IMPROVING OUR SERVICES A Users Guide to Managing Change in the Health Service Executive Developed by the Organisation Development and Design Unit, HSE, with the support of the Strategic Planning, Reform
Resilient e-communications Networks December 09 Good Practice Guide on National Exercises Enhancing the Resilience of Public Communications Networks 2 Good Practice Guide on Exercises Good Practice Guide
THE PRESIDENT S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE NSTAC Report to the President on the Internet of Things November 19, 2014 TABLE OF CONTENTS EXECUTIVE SUMMARY... ES-1 1.0 INTRODUCTION...
National Spatial Data Infrastructure Strategic Plan 2014 2016 Federal Geographic Data Committee December 2013 Federal Geographic Data Committee Federal Geographic Data Committee, Reston, Virginia: 2013
FEDERAL HEALTH IT STRATEGIC PLAN 2015 2020 Prepared by: The Office of the National Coordinator for Health Information Technology (ONC) Office of the Secretary, United States Department of Health and Human
Best Practices in Computer Network Defense: Incident Detection and Response M.E. Hathaway (Ed.) IOS Press, 2014 2014 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-372-8-107 107
IBM Industries White paper Business analytics in the cloud Driving business innovation through cloud computing and analytics solutions 2 Business analytics in the cloud Contents 2 Abstract 3 The case for
manufacturing service small business nonprofit government education health care Baldrige Excellence Builder Key questions for improving your organization s performance Improve Your Performance The Baldrige
Convergence of Social, Mobile and Cloud: 7 Steps to Ensure Success June, 2013 Contents Executive Overview...4 Business Innovation & Transformation...5 Roadmap for Social, Mobile and Cloud Solutions...7
DEPARTMENT OF OF HUMAN RESOURCES Career Planning and Succession Management Resources CONTENTS: ASSESSMENT TOOLS... 3 Work Personality Index (WPI)... 3 Myers Briggs Type Indicator (MBTI)... 3 Multiple Perspective
National Cyber Security Research and Development Challenges Related to Economics, Physical Infrastructure and Human Behavior An Industry, Academic and Government Perspective 2009 A report to the Chairman
The Industrial Internet@Work Marco Annunziata & Peter C. Evans Table of Contents Executive Summary The Industrial Internet Towards No Unplanned Downtime 3 Introduction A New Information and Collaboration
WINTER 2011 VOL.52 NO.2 Steve LaValle, Eric Lesser, Rebecca Shockley, Michael S. Hopkins and Nina Kruschwitz Big Data, Analytics and the Path From Insights to Value REPRINT NUMBER 52205 THE NEW INTELLIGENT
BELGIAN CYBER SECURITY GUIDE PROTECT YOUR INFORMATION This Guide and the accompanying documents have been produced jointly by ICC Belgium, FEB, EY, Microsoft, L-SEC, B-CCENTRE and ISACA Belgium. All texts,
A Best Practices Guide to Workforce Planning For the Canadian Bus Industry Overview Workforce plans are the foundation upon which other human resources management activities such as: recruitment, selection,
PELL CENTER REPORT for INTERNATIONAL RELATIONS and PUBLIC POLICY Joint Professional Military Education Institutions in an Age of Cyber Threat Francesca Spidalieri August 7, 2013 The United States military
In this White Paper Connectivity is good. Secure connectivity is essential. This white paper by Thales UK explains how Thales Gateway Services protect the exchange of data across security domains. It discusses
Network security: Protecting our critical infrastructures This paper was prepared by Professor Seymour E. Goodman, Pam Hassebroek, and Professor Hans Klein, Georgia Institute of Technology (United States).
Customer Cloud Architecture for Big Data and Analytics Executive Overview Using analytics reveals patterns, trends and associations in data that help an organization understand the behavior of the people
TRANSFORM YOUR CITY THROUGH INNOVATION THE INNOVATION DELIVERY MODEL FOR MAKING IT HAPPEN JANUARY 2014 CONTENTS INTRODUCTION... 1 THE IMPERATIVE FOR INNOVATION... 2 WHAT IS THE INNOVATION DELIVERY MODEL?....
The IT Industry s Cybersecurity Principles for Industry and Government 2011 ITI MEMBER COMPANIES Apple Inc. TABLE OF CONTENTS Executive Summary 5 Setting the Stage 7 Six Cybersecurity Principles 9 Principle