How to use a cyber war exercise to improve your security program

You may have missed it, but a few weeks ago a small cyber war played out in just 72 hours. Just after 6pm (PDT) on Sunday, May 18th, the first moves were made. The whole event was over by Wednesday evening.

While not an actual war, the cyber war strategic exercise (CWSX) pitted graduate students (our colleagues) from City University of Seattle and Bellevue University against each other in a real-world scenario. The ultimate test of 4-6 weeks of planning, the lessons learned proved an immediate benefit to the students.

Sharing those lessons benefits us all.

Learning by doing: the Cyber War Strategic Exercise

The CWSX was developed by Dr. Erik Fretheim, Professor and Executive Director of the Technology Institute @ City University of Seattle. What started as an assignment for the Cyber Warfare course at CityU has expanded into something bigger. Ron Woerner, Director of the Cybersecurity program at Bellevue University, worked with Dr. Fretheim to welcome a second team to the program and build plans for future expansion.

At the start of the exercise, the teams are given a scenario which is based on real world events. The real world is then stretched a bit to make a realistic conflict begin. Each team is given a set of strategic objectives that they are to try to achieve through the use of cybertools.

During the exercise, each team is comprised of players, each with a specific role (President, media, spies, etc.). Plays are coordinated based on role.

Prior to play, each team spends 4-6 weeks studying the countries involved in the conflict, understanding their economic, military and cyber capabilities, and developing a book of plays based on known capabilities of the country they will be representing in play.

As Woerner explained, “The CWSX provides students with a great real-world opportunity to experience the strategic aspects of cyber war. While the scenario is fictitious, it gives the students a different viewpoint into the world of strategic operations in order to understand how they relate with day to day operations.” 

I recently spoke with Dr. Fretheim and Woerner to capture the top three lessons that came from the exercise.

1. Mapping a strategic objective into an actionable plan is hard

Despite the weeks of advance planning that went into the exercise, the students quickly learned that the process of mapping a strategic objective into an actionable plan is hard. It takes more work than expected, and gets a bit easier with some experience.

Planning and acting are two different things. The opportunity of a cyber war strategic exercise is an opportunity to think and act on multiple dimensions. It provides a way to gain real experience and insights that shape the way we act.

Security runs into this frequently today. The lesson for everyone is that translating from strategic to tactical is tougher than most consider. That means allocating more time, looking for ways to gain experience, and making sure to learn from experience to ease future efforts.

2. Cyber war (and security) is not played in isolation

Success in the game — and in life — requires thinking and acting in multiple dimensions. While the students were familiar with their security tools and techniques, this exercise forced them to take politics and media into account. Most learned that manipulation of the media is a key element of winning.

As one student explained, “I learned that working together as a team and building positive relationships with my fellow team members goes a long way, we even got to meet in person to discuss the exercise. Communication and thinking one step ahead of the adversary are key aspects to the CWSX!”

The lesson for everyone is that security is no longer isolated. While (office) politics and elements of the media come into play, the real takeaway is the need to focus on improving communication between teams and considering the impact everyone has on the overall security program.

3. The plays after the playbook are more important

Despite taking time to study and build a playbook, during the exercise most students discovered they needed to consider the plays that come next. Instead of thinking in one-dimension and linear, the integration of politics and media meant players needed a variety of options based on each play.

One of the students summed it up by explaining, “This provided an excellent opportunity to take learning beyond the academic by applying what I learned in the real world CWSX scenario.”

The lesson for all of us is that we work as part of a system. Our actions have an impact on others; their actions have an impact on us (or security). The more aware of these actions and impacts, the more robust our “playbook” — for regular operations and incident response.

What happens next for the Cyber Warfare Strategic Exercise?

This is only the beginning. For the next iteration, the teams from CityU and Bellevue will square off against two more teams welcomed into the exercise. Both sets of teams will face the same scenario. Contrasting those parallel experiences is likely to hold a lot of insights that we all benefit from.

I look forward to the results. In the meantime, have you participated in this sort of exercise? Would you like to?