Tim Casey, at the Intel IT group’s blog reports on their experiences using wargaming to simulate and understand enterprise-level security threats and presents the resulting white paper (“Wargames: Serious Play that Tests Enterprise Assumptions,” .pdf).
One of Casey’s colleagues at Intel attended the Naval War College‘s 2002 “Digital Pearl Harbor” wargame and came away impressed:
So we decided to stage something similar at Intel, but focusing on the attacker viewpoint rather than the defenders. Although this is somewhat different than a classical war game, we kept the basic process (and the name “war game”) to keep it different from other risk assessment methods. It wasn’t easy to come up with our own game. At the time, there was very little about war gaming that wasn’t based on military objectives, and it was almost all from the defender’s point of view.
What strikes me, in reading both the article and the white paper, is the process of defining “war gaming,” both linguistically and procedurally.
In a section entitled “Wargames: Collaborative Malevolence,” the White Paper, written by Tim Casey and Brian Willis, describes wargames as “intensely focused exercises in which a multidisciplinary set of experts gets together to focus intense scrutiny on assets from an attacker’s point of view.” Certainly this definition is fairly specific to Intel’s particular risk assessment methodology, but those of us in the wargaming hobby can see similarities with our own, admittedly multifarious, understanding of the term.
Wargames are, by their very nature, “intensely focused exercises”—no wargame can model every aspect of a conflict with complete fidelity. The designer and developer abstract highly complex real-life situations to create a simulation that focuses on some aspect of a conflict. Some games focus on command and control issues, others on logistics, still others on the “shape” of a battle on the tactical or operational scale. Intel’s IT team uses wargaming to understand how they are vulnerable, focusing on the attacker’s role to uncover previously unknown threat vectors.
As noted, the researchers kept the name “war game” for their process, suggesting that the term has some particular cultural meaning, that it represents a particular type of risk assessment tool. What is it that makes a wargame, a wargame?
Wargames help enterprise professionals better understand attackers by temporarily becoming attackers. These games are characterized by a) understanding and emulating a specific attacker mindset, and b) taking a multidisciplinary approach to enterprise defense. While traditional defense tests are conceived and run by the IT or security staff, wargames pull in knowledgeable people—beyond the security experts—from across the company. Wargames focus the attention of multiple experts on a specific attack goal, exploiting multiple vulnerabilities in unique and often unforeseen ways.
I see the root of gaming itself in the identification with a particular side, a particular objective, the game being the tool used to effect this temporary identification beyond the self. Wargames, for me, focus on conflict, of forces that act not merely in competition but in direct opposition. There are sides, and you must act as one or the other.
Indeed, the White Paper suggests that “Wargames are intense role-playing exercises that involve a multi-disciplinary cross-section of the organization, from facilities to finance, IT staff to factory worker.” This identification does not necessarily imply sympathy, and the authors later point out the difficulties in getting wargame participants to consider ways to bring some harm to their company and co-workers. Games are simply tools that foster the ability to look at situations that are beyond our daily norms.
And I find it striking that the suggestions for running a corporate wargame sound very much like the traditional wargaming tournament or convention:
It’s best to get off campus for a wargame, though moving to a hotel presents security concerns and can make it difficult to adopt a diabolical mindset. You do not want non-participants to have access to the meeting room. Intel typically holds wargames at a different Intel campus to get away from the gamer’s everyday environment. Regardless of the setting, players must attend in person and away from their desks. You should at least have a large conference room, one that accommodates twice the number of individuals that are gaming.
[…]
Food, of course, is a necessity. It’s best to cater lunch to minimize people leaving the room.
Gaming is, as the White Paper’s title says, Serious Play. Our ability to see beyond what we normally see has benefits that surpass the merely pleasant passage of time.