September 22, 2009 By Mark Herman
Question: Where is a mouse as strong as an elephant? Answer: on the Internet.
The Internet is the great leveler. One person or small group of people can wreak havoc by disrupting Web processes, even against well funded IT departments run by well meaning CIOs.
Cyber-threats from around the globe are a pressing concern today for government and private industry alike. The threat from state and nonstate actors is here, it's real and it's only getting worse. Increasingly the public and private sectors are coming to terms with the fact that they can't confront these complex cyber-challenges alone. In industries as varied as finance and defense, there's a growing realization that cyber-security is simply too large for any one authority to solve alone.
Indeed, a particularly damaging security breach at major financial institutions could ignite a bank run and damage private industry as well as the world economies and governments. A hacked government network controlling critical infrastructure obviously would severely impact private business and the government.
If government, business and civil society face a joint and interrelated cyber-security problem, then they must work together to tackle the solution. But cyber-security is complex enough to stymie just one business or group -- let alone a tripartite group of varied interests.
With this in mind, how do you begin to address the shared risks and opportunities inherent in cyber-security? The answer can be found by exploring two important concepts: megacommunities and wargames.
Megacommunities are communities of organizations whose leaders and members deliberately come together across national, organizational and sector boundaries to reach goals they can't achieve alone. The megacommunity concept far exceeds the scope of typical public-private partnerships, which usually involve limited alliances and focus on more narrow purposes. Megacommunities take on much larger goals that evolve over time.
At heart, the megacommunity is a system where all parties benefit, as opposed to one sector maximizing profits or power. The ongoing balancing of tensions between corporations, governments and civil society is a critical component in any megacommunity's success. Members can realize its positive effects by collectively seeking a degree of operating order within any situation before differences become conflicting interests.
A cyber-megacommunity is composed of five critical elements: the existence of tri-sector engagement, an overlap in vital interest, convergence, structure and adaptability.
This structure allows adaptability in response to changes as all parties drive toward the same agreed-upon converged outcome. Best of all, operating in a megacommunity isn't a zero-sum game; all parties can benefit at once.
Once assembled, a cyber-security megacommunity is the perfect platform to answer the questions -- and at times come up with the questions themselves -- that will form the strategy for jointly combating cyber-challenges.
Although war gaming has its roots in the military, today's war games are useful to achieve a variety of goals. These may include learning and refining cyber-defense tactics, techniques and procedures; formulating public policy; and crafting an overall strategic framework in which to view and confront cyber-security challenges.
The first step to conducting a successful exercise is correctly understanding the type of war game that's required and its desired outcome. For a cyber-megacommunity, formulating public policy and gaining an overall cyber-security strategic framework are likely the most important aims.
At a cyber-megacommunity war game, decision-makers are assigned to teams representing a range of interests across government, business sectors -- such as financial services, telecom/IT, energy and transportation -- and civil society. These teams then confront an unknown scenario for which they have not prepared.
Even as the scenario unfolds, participants must rely on incomplete information about events that are taking place -- which is a reflection of the real world where decisions are routinely made with incomplete facts or where facts cannot be known. Teams are compelled to communicate with one another to propose partnerships and learn what's happening in the simulation as it advances.
Players on each team interact through a series of activities carried out over a specified period of time, which constitutes a "move." As the game begins, participants usually find that the first move is somewhat intuitive. It's the next set of moves that become much more difficult, as the other teams scheme to counteract and even set traps for subsequent moves.
A cyber-megacommunity war game does what computer simulations cannot -- it brings together experts and lets them explore future scenarios in a risk-free environment. Cyber-megacommunity war games are extremely valuable because they provide a methodology for participants to understand what no leader can grasp on her own: the very things that she doesn't know or hadn't thought of.
As famed economics professor Thomas Schelling's "impossibility theorem" suggests, you can't draw up a list of the things that have never occurred to you. Put another way, you don't know what you don't know.
Eventually as a scenario plays out, the war game forces decision-makers to see much more clearly the parameters of the problems they face. They begin to understand how their moves and decisions will affect countermoves and set off a chain of events.
The overall process helps participants challenge conventional wisdom and allows them to take a fresh look at past assumptions.
Perhaps most importantly, war games act as a catalyst for the cyber-megacommunity, encouraging each member group to work together to help find the key cyber-risks and overlapping vital interests of government, business and civil society.
In this way, it begins to build trust among three communities where it may be lacking. Like any other working environment where you get to know co-workers' motivations and working style, a war game forces participants from all three sectors to see others' unique perspectives, which may not have been fully understood. All parties step out of their ingrained day-to-day worldview that's based on singular agendas. Many times they realize that they share common interests in which to build from.
From this starting point of trust, the megacommunity can begin thinking of ways to collaborate on key actions and activities to assure the resilience of the nation's cyber-infrastructure. These may include joint investment strategies, technologies, funding, leadership, research and development -- all of which would be difficult, if not impossible, without a basic level of trust within the megacommunity.
When you bring talented leaders from business, government and civil society together to interact in new ways, unexpected results often occur. War games have a powerful way of taking sometimes-opposing elements and proving that it's in each of their best interests individually and as a group to work together. This shared vision of the risks, opportunities and challenges inherent in cyber-security produces a level of trust and understanding that form the platform for action -- to make policy changes, shape investment strategies, or initiate joint communications and training plans.
For many participants, however, perhaps the most unexpected outcome is realizing that in today's age of complex challenges -- where interaction is increasingly conducted remotely through computers and cell phones, and where computer models are relied on for all sorts of predictions -- a fundamentally ancient process that brings people face to face to act out future scenarios, decisions and reactions may be the best solution.
When you think a few moves ahead, though, that shouldn't be a surprise at all.
You may use or reference this story with attribution and a link to