"Gaming versus Exercises: Designing Surprise-resilient Organizations for a Cybered World

Similar documents
HOW STRATEGIC ROADMAPPING ADDS VALUE

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 8 R-1 Line #50

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

DoD Strategy for Defending Networks, Systems, and Data

How To Create An Insight Analysis For Cyber Security

CYBER SECURITY GUIDANCE

THE CHALLENGES OF CYBERSECURITY TRAINING

Lessons from Defending Cyberspace

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

v. 03/03/2015 Page ii

TUSKEGEE CYBER SECURITY PATH FORWARD

Who s got the grease pencil?! What Cyber Security can Learn from the Outer Air Battle

Security Design & High-Risk Users HITB GSEC 2015

2 Gabi Siboni, 1 Senior Research Fellow and Director,

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

ADC Survey GLOBAL FINDINGS

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Gregg Gerber. Strategic Engagement, Emerging Markets

A comprehensive strategy for successful data center consolidation

Network-Wide Class of Service (CoS) Management with Route Analytics. Integrated Traffic and Routing Visibility for Effective CoS Delivery

CYBER SECURITY THREATS AND RESPONSES

How SPAWAR s Information Technology & Information Assurance Technical Authority Support Navy Cybersecurity Objectives

Integrating Physical Protection and Cyber Security Vulnerability Assessments

ICT SECURITY SECURE ICT SYSTEMS OF THE FUTURE

Cyber Attacks. Protecting National Infrastructure Student Edition. Edward G. Amoroso

Technology Strategy April 2014

Cisco Advanced Services for Network Security

Protecting the keys to your kingdom against cyber-attacks and insider threats

On the European experience in critical infrastructure protection

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

National Cyber Security Policy -2013

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

SCADA/ICS Security in an.

CYBERSPACE SECURITY CONTINUUM

Priority III: A National Cyberspace Security Awareness and Training Program

What Directors need to know about Cybersecurity?

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

APIs The Next Hacker Target Or a Business and Security Opportunity?

Incident Response 101: You ve been hacked, now what?

ESKISP Manage security testing

Endpoint Security: Moving Beyond AV

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Keynote. Professor Russ Davis Chairperson IC4MF & Work Shop Coordinator for Coordinator for Technology, Innovation and Exploitation.

Security Risk Management For Health IT Systems and Networks

Advanced Persistent Threats

Cyber Security Research and Development a Homeland Security Perspective

Threat intelligence visibility the way forward. Mike Adler, Senior Product Manager Assure Threat Intelligence

How To Defend Yourself Against Cyber Attacks

Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

Extending the Internet of Things to IPv6 with Software Defined Networking

Cybersecurity Workforce Opportunities

OPM LEADERSHIP DEVELOPMENT MATRIX:

CBEST FAQ February 2015

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

The internet and digital technologies play an integral part

Cyber security: Practical Utility Programs that Work

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Risk & Responsibility in a Hyper-Connected World: Implications for Enterprises

Cybersecurity: Mission integration to protect your assets

Smart Grid Cyber Security

Targeted attacks: Tools and techniques

Legal Issues / Estonia Cyber Incident

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

The Future of Access Control: Attributes, Automation and Adaptation

Cyber Intrusions: More than an IT Challenge

Accessing and sending data securely across security domains

A Rhode Island Academic Collaboration. Cybersecurity Technology and Policy (CCTP)

Advanced Risk Analysis for High-Performing Organizations

Top five strategies for combating modern threats Is anti-virus dead?

Honourable members of the National Parliaments of the EU member states and candidate countries,

How To Change A Business Model

I N T E L L I G E N C E A S S E S S M E N T

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

THE ACTUA MANIFESTO WHY WE BELIEVE IN THE NEXT-WAVE, VERTICAL CLOUD

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

Symantec Cyber Security Services: DeepSight Intelligence

Task Characteristics, Knowledge Sharing and Integration, and Emergency Management Performance: Research Agenda and Challenges

Public Private Partnerships and National Input to International Cyber Security

2. OVERVIEW OF THE PRIVATE INFRASTRUCTURE

INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION...

SOLUTION BRIEF. Increase Business Agility with the Right Information, When and Where It s Needed. SAP BusinessObjects Business Intelligence Platform

Transcription:

"Gaming versus Exercises: Designing Surprise-resilient Organizations for a Cybered World Chris C. Demchak Professor, United States Naval War College Co-Director, Center for Cybered Conflict Studies Strategic Research Department Newport, Rhode Island, USA 02841 Views expressed are not those of the US Government or the US Navy.

Cyberspace imposes wide range of conceivable forms of nasty surprises to critical Socio-Technical-Economic Systems Possible on global scale, Including those from unintentional acts or just poorly coded attacks Multiplies knowledge and sensemaking problems many times over for leaders and institutions ensuring national security

FOUR Layers of Complex Systems Surprise inherent in Global, Open Cyberspace Layer One: LTSs, Largescale Complex Socio-Technical Systems, Normal accident" in surprise-prone large cybered organizations) Layer Two (all above plus: CIP, Critical Infrastructure LTSs (protected status, many linked organizational and technical systems) Layer Three (all above) plus :mass volume Bad Actors (average to good skills, ubiquitous from script kiddies to vast majority of botnet masters, volunteer anarcho-hactivists and less well skilled nation states) Layer Four (all above) plus: highly skilled low volume Wicked Actors (high threat persistent motivations, exquisite skills, ability to organize, access/evasion expertise, or wide deep harm propagation potential)

Must to learn to be resilient when embedded and vulnerable to globally complex system Resilience to surprise must be developed inside the socio-technical system, especially its security units. Need to develop collective sensemaking AND a menu of doable rapid accurate actions under urgent conditions (*) In addition to comprehensive data inside and outside the institution Must have collective trust among those responsive, mitigation or improvisation or innovation knowledge foundations, and holistic understanding of the wider environments involved. * From L. Comfort, A. Boin, and C. Demchak, eds. 2010. Designing Resilience. U of Pittsburgh Press

Exercises that worked in the past are today need virtual advances for surprises of cybered conflict See cyberspace narrowly as domain so limit environment Construct exercises for known roles and responses One-offs, even if annual event No replay on the spot to test alternative hypotheses Usually do not play to break because want to bound the training or events Reverberations beyond scenario at best second order Educates those who design it and those who directly play, few others Not widely available for replay, update, dissemination

Exercise Shortcomings in Values do not collect tacit knowledge continuously, develop it, or allow the widespread reuse of this data. Do not prepare adequate capabilities against surprise across multitude of actors in complex socio-technical systems Even cyber ranges suffer from narrowness of vision

Oh great! We trained only with BIG ladders

Basic Lessons about Responding to Surprise from Complexity, LTS and Complex Adaptive Social System Research Complexity Research Major Lessons 1. Only Trends can be forecast with knowable/unknowable unknowns 2. Path Dependence powerful 3. Channeling trends is best possible accommodation option Largescale Technical Systems Research Major Lessons 1. Trial and Error best to acquire knowable unknowns 2. Tighter coupling increases potential rippling error paths 3. Redundancy and Slack powerful accommodators 4. Knowledge is expensive in time, money, staff attention, implementation Complex Adaptive Social Systems Research Major Lessons 1. Human buy-in essential for effectiveness (legitimate, useful, doable) 2. Cultural filters powerful (socialization, operationalization hard to control) 3. Largescale socio-technical systems drift readily into unnoticed critical coupling and a lack of urgency to absorb or seek knowledge

FOUR Types of MultiSource Threat Categories in Increasing Uncertainty and Surprise Potential Complexity in Largescale Complex Socio- Technical Systems, LTSs (basic "normal accident" and cascading surprise-prone large cybered organizations) (all above) plus Criticality for Nation CIP, Critical Infrastructure LTSs (protected status), High Reliability Industry, or Operationally Engaged Military (all above) plus high volume Bad Actors (average to good skills, ubiquitous from script kiddies to vast majority of botnet masters, volunteer anarchohactivists and less well skilled nation states) RESILIENCE DISRUPTION (all above) plus highly skilled low volume Wicked Actors (high threat persistent motivations, exquisite skills, ability to organize, access/evasion expertise, or wide deep harm propagation potential) Cybered Resilience Action Requirements (including Disruption Supplement) 1. Redundancy (of knowledge) 2. Slack (in time to respond) 3. Organizational Discovery Trial-and-Error Learning (DTEL) (all above) plus 4. Collective Sensemaking, 5. Rapid Accurate Mitigation, Improvisation, and Adaptation Action, 6. Frequent Whole System Practice for Extreme Events under Urgent Conditions (all above) plus 7. Enforceable Cyber Hygiene, 8. Underlying Technology-Secure Design Transformation, 9. Comprehensive Multi-Organizational/Layer Learning for Systemic Generative Innovation, 10. Stratified Two-Way Flow Sensors/Tagged-linked Interoperable Policy-guided Gateways (building blocks of National Cyber Borders ) (all above) plus 11. Extensive Wicked Actor(s) OODA Loop/Business Model/Motivation Knowledge Collection and Development, 12. Selected Controlled Disruption under Protective Principle of International Law 13. Collective Understandings/Undertakings with Like-minded Cyber Responsible States

Organizations need to Play It Through using advantages of virtual worlds Virtual reality simulations, if done correctly, can allow organizational members to play out their experiences and hypotheses with others, developing richer options for response to surprise Gathers tacit knowledge in ways that meet the graphical and spatial predilections of humans in easy, useful, and collaborative mechanisms Members can develop trust relations with those playing, and engage instinctively in performance assessments Can be re-used, replayed, reviewed, analyzed, and reconsulted later trial-and error learning IF co-authored, the tacit knowledge can be provide remarkably informed innovative responses to surprise because they or someone has played through

The Gaming needs to be Fully Embedded in Shared Practices of the Organization Knowing when to seek more knowledge is the sense-making of resilience Requires seeking what can be known continuously and keeping that tacit knowledge for ubiquitous operational use Embedded organizational high-fidelity, continuously available, co-authored, game-based simulations Daily practice of contributing reinforced by relatively frequent episodes of development of competence under surprising conditions Actors unusually educated about overall system Advantages Maintenance of knowledge closely monitored Environmental surprises constantly explored Cognitive resilience encouraged by ability to test ideas for local actions and see how they blend Operational knowledge exchanges practiced broadly with different actors or same ones

Operationalized real time surprise

Gaming and an Atrium Organization Embed operationalized on-call gaming in the organization Trial-and-error learning is easy, accessible, and useful Key attributes: High fidelity, continuously available, co-authored game-based simulations embedded in shared practices of critical organizations Encourages knowledge redundancy, along with novel approaches to slack.

ATRIUM for Cross Organizational Cyber Gamed Operational Learning Only possible in cybered world Can segregate own sensitive files and yet still play through Builds cross organizational trust continuously Builds interorganizational knowledge sets Atrium Core (multiple organizations) Real & Virtual Emergency Task Forces

Wow! for a moment there, it all made sense! Chris.demchak@usnwc.edu