Strategic Gaming to Support Critical National Infrastructure Protectio

by Dr Simon J. Davies Strategic Analysis Group. Defence Science and Technology Laboratory (Dstl)

© British Crown copyright 2003/Dstl - published with the permission of the Controller of Her Majesty's Stationery Office

The development of robust policy and plans for Critical National Infrastructure Protection (CNIP) against Malicious Electronic Attack (MEA) and other threats presents serious challenges for decision-makers and analysts alike. Chiefly, this is because the implications of disruption to networked societies are not well understood or easily modelled. Recognising a need for analytical tools that facilitate rapid learning about complex sociotechnical problems, Dstl has successfully used strategic gaming to assist senior decision-makers in exploring the issues surrounding CNIP and evolving better strategies for managing them. This paper provides an experienced practitioner’s view on the general approach, pitfalls and benefits that the UK has derived from strategic gaming to support CNIP policy development.

-oo0oo-

Introduction: complex systems behaviour and the CNIP challenge

The Critical National Infrastructure (CNI) may be thought of as those systems and services which sustain the processes of national wealth creation and overall quality of life in the UK. NISCC, the UK’s National Infrastructure Security Coordination Centre, defines the CNI as:

‘Those parts of the UK’s infrastructure for which continuity is so important to national life that loss, significant interruption or degradation of service would have lifethreatening, serious economic or other grave consequences for the community or would otherwise be of immediate concern to Government’.

NISCC currently recognises eight key sectors as core constituents of the CNI, viz: energy, telecommunications, power, water / sewerage, financial services, central government, the emergency and health services.

The problem of Critical National Infrastructure Protection (CNIP) is occupying many decisionmakers, scientists and analysts in both Government and the private sector, as they seek ways to better understand and manage the functioning of this complex entity against disruption by a broad range of threats, both malign and unintended. Because so many vital systems and services are today computermediated in operation and networked with other systems, protecting the CNI against Malicious Electronic Attack (MEA) has become a particular focus of concern for UK Government and industry, headed by the Cabinet Office and the NISCC.

At the heart of the CNIP problem is the fact that the networked systems of systems that comprise the CNI are:

• physical and virtual – for example, key point dependencies exist both as static infrastructure and as logical switches located in 'the ether' of cyberspace;
• dynamic - the physical and virtual links between different infrastructure elements, and with them the system’s boundaries, are constantly evolving and degrading;
• non-deterministic - at the macro system level, it is not possible to reliably predict specific outcomes from given interventions or initial conditions;
• socio-technical - effective policy and planning presumes an understanding not just of how the CNI works, but also of how its human operators behave and interact with those technical systems. Such models currently do not exist.

It is for these reasons that the CNIs of most advanced industrialised network societies are judged to exhibit the classic properties of ‘complex systems’ behaviour. In relation to the specific issue of MEA, additional complicating aspects of the problem include the difficulties of conducting reliable threat assessments and keeping pace with rapidly propagating technical developments (e.g. novel hacking tools such as virus-writing kits and attack scripts) that are increasingly well publicised through open sources such as the internet. Finally, due partly to the natural reluctance of CNI operators who are victims of MEA to disclose commercially sensitive information regarding vulnerabilities and intrusions, there is at present a relative lack of appropriately documented case-study data from which to develop useful models.

In sum, CNIP presents a difficult challenge for decision-makers and analysts alike. In an ideal world, policy and plans for CNIP would be based on conclusions drawn from a sound empirical understanding of the problem, reliably predictive high-resolution quantitative modelling and a degree of insight derived from case-study experience. In reality, policy makers and the scientific / analytical community that supports them cannot leverage any of these significant aids to informed decision and must therefore innovate or seek alternatives.

Strategic gaming: a partial solution

In the absence of sufficient data and understanding to conduct meaningful quantitative analysis, qualitative analysis techniques have proved useful in mapping the boundaries and key parameters of the CNIP problem, as well as helping senior decisionmakers elicit the issues involved. In terms of the support that formal methods can provide to the needs of the policy community, Dstl in collaboration with others has sought to innovate strategic gaming methods that facilitate rapid insight and learning about the CNIP problem. In so doing a systematic and holistic approach to managing its complexity has evolved that contributes to robust policy and plans.

Strategic games for CNIP are structured exercises which immerse groups of real decisionmakers in a simulated crisis situation in ways that promote a rich, shared understanding of the problem and facilitate rapid analysis of responses to it. Strategic games are increasingly used throughout government and industry to explore complex socio-technical problems and to identify and evaluate strategies for managing them. When applied to the complex issues surrounding CNIP, the ‘Day after...’ method, described below, promotes rapid learning about the problems posed and yields qualitative insights into strategies for dealing with them more effectively.

The ‘Day after…’ method

The ‘Day after...’ method was initially developed by Roger Molander and his team at RAND in the late 1980s, to facilitate studies of evolving strategic warfare problems in the areas of nuclear counter-proliferation and C3I (Command, Control, Communications and Intelligence). The method has subsequently evolved and been employed to good effect in numerous studies of other complex issues, including CNIP. The method can be used to explore operational and investment issues as well as policy and strategic problems and, in its generic form, usually comprises a three step process lasting between one-half and two days (Figure 1).

Figure 1: the RAND ‘Day after…’ method

Players are typically organised into groups as advisors to a national decision maker or command authority (e.g. the Prime Minister) conducting a time-constrained pre-meeting in advance of a formal deliberative decisionmaking conference (e.g. preceding a meeting of the Cabinet or, in a bilateral context, a videoconference between national leaders). The players are first ‘read in’ to the context of the game through an appropriately scripted ‘Future History’, describing key geopolitical and other developments in the period between the present and the chosen timeframe for the scenario.

The process proper begins at Step 1, with each group (usually comprising 8 to 10 people, aided by a facilitator and a secretary to record their decisions) assessing the critical issues arising on‘the day of ’ a political-military crisis detailed within a given scenario. In this step the first suggestions of a strategic threat are usually apparent, possibly in the form of MEA capabilities or the threatened use of strategic weapons of mass effect. Having assessed the situation, the group prepares a policy options paper (from a pre-prepared draft) outlining advice on possible courses of action for submission to the national leader. The participants are asked to seek consensus on a course of action on the issues raised, because the national leader / decision making body will always want to know if there is consensus at the level immediately below. If consensus cannot be achieved, rather than an extended (and probably inconclusive) debate to reconcile views, the methodology calls for the facilitator to note the lack of consensus, take a vote on the options still being considered (if appropriate) and move on.

In Step 2, the groups are presented with a further evolution of the scenario, describing the effects of some major strategic event (e.g. the use of a weapon of mass effect) that are apparent on‘the day after’. Again, the groups engage in a time-constrained deliberative process in which they address the critical issues and formulate a paper outlining policy options for response to the escalating crisis. At the conclusion of each step, the groups assemble in plenary to compare recommendations and debate the issues raised.

In Step 3, the game returns to ‘the day before’ (i.e. the present), at which point the participants draw upon what they have learned in the previous two steps to develop plans for new courses of action (e.g. improved policies, strategies, novel operational concepts, R&D programmes or intelligence requirements). These actions are geared towards reducing the probability of such crises occurring or mitigating the worst impacts of events such as those the players have collectively ‘lived through’. Where multiple groups and / or diverse cultures participate in the exercise, real value is derived from identifying and discussing the similarities and differences that emerge in their respective recommendations. This provides a basis on which to identify particular points of contention or difficulty and involve all the participants in a debate of the issues raised.

Scenario development and testing

Experience in organising and executing a large number of strategic games in recent years suggests that the quality of the exercise scenario and associated issues for discussion are vital to achieving a beneficial outcome. Dstl has some years experience of scripting strategic-level scenarios of this sort and places a great deal of emphasis on iterative checking and refinement of the scenario through pre-exercise tests with progressively more senior staff. This process helps to ensure that the final product is both credible (i.e. plausible, if extreme) and technically watertight (i.e. based on known or reliably projected technical capabilities) in the eyes of senior participants at the final exercise. In this respect, Dstl is fortunate to be able to draw freely upon the relevant technical expertise from ‘in house’, and technical experts are usually present at the games to resolve queries and provide additional information on technical aspects of the scenario as required. This greatly facilitates general progress and the credibility of the game, by reducing the occasional tendency of some players to ‘fight the white’ (i.e. challenge the scenario rather than the problem it faces them with).

Key aims in developing the exercise scenario are to inform and explore, by demonstrating to participants that possible threats and vulnerabilities exist and could be exploited by a skilled adversary. This heightened awareness serves as a trigger for the creative process of evolving, through dialogue, policy and plans that better manage likely threats. The principal requirement for the exercise design team is thus to produce an exercise scenario set in the near future (e.g. within the next few years) that simultaneously challenges existing capabilities and modes of thought without unduly stretching the bounds of technical and political credibility. While the specific content of CNIP scenarios featuring MEA is sensitive, they are typically focused on near term, graphic descriptions of a particular crisis and feature a broad range of actors with varying motives and capabilities. Deliberate ambiguity about the sources of particular attacks and possible links between them (including uncertainty about whether particular events really are attacks) is also built into the scenario. This helps in surfacing alert, warning and response issues (such as false negatives and false positives) for discussion. The process of creating a richly detailed scenario and testing it for credibility is both time-consuming and resource-intensive, but unquestionably worth the cost in terms of the increased value achieved.

The importance of skilled facilitation

In addition to the quality of the exercise scenario, a key requirement for successful strategic gaming is the presence of skilled and experienced facilitators to ensure that the pertinent issues are transferred from the heads of the players and into discussion in the group and plenary sessions. Although a comprehensive exploration of the facilitator’s role is beyond the scope of this paper, the task typically includes:

• encouraging everyone to contribute and ensuring that the available time is not dominated by a few individuals;
• identifying those individuals in the group that have unique expertise to be brought to bear on the subject under consideration;
• moving discussion along briskly to keep to time and cover all the material;
• capturing players’ inputs, in their own words as far as possible;
• concentrating on the process and not getting drawn into the content (i.e. avoiding value judgements on the views expressed);
• checking self and group understanding (including translating technical terms and ‘acronym-busting’ as required);
• identifying broad areas of agreement and difference;
• encouraging consideration of as many of the issues as possible;
• testing the limits of the group’s ‘comfort zone’ when issues are assumed to be unproblematic;
• summarising the group’s output and reporting it in plenary.

The value added by a skilled facilitator is substantial and the difference that such an individual can make to the success of such exercises is reflected in the fact that many specialist training courses now focus exclusively on mastering this demanding role. It is relatively inexpensive (in terms of return on the investment) to ‘grow’ skilled facilitators in-house through a combination of formal training and practical experience. However, in situations where this investment is not possible due to constraints of time or money, it is well worth considering employing a professional independent facilitator who can be ‘read in’ to achieve sufficient grasp of the technical and policy issues explored in the game.

Issues addressed

A major challenge in organising strategic games with high-level participation is ensuring that the issues addressed (especially in Step 3) are appropriately and tightly crafted for decisionmaking. By this is meant the idea that decision makers must not be allowed to evade painful policy dilemmas by claiming that the issues for decision are not well-drafted or because the issues are cast in a way that effectively justifies a ‘do nothing’ option (usually on the grounds that a complex issue will crystallise soon and a politically ‘safe’ decision emerge from among the imperfect options on offer). Both the crafting and re-crafting of issues in the scenario portion of the exercise (Steps 1 and 2) and the testing and re-testing of issues in Step 3 will contribute to getting the final plenary issues right – a critical component of the whole enterprise.

A great advantage of strategic gaming is that, when properly conceived and executed, it promotes dialogue, insight and exploration of complex technical and policy issues across boundaries of language and culture (both organisational and national). Previous strategic games run by Dstl have successfully engaged senior players from four nations speaking three languages in a substantive exploration of CNIP issues. Typical examples of the kinds of issues addressed would include:

• Alert, warning and response (AWR): how are differences and nuances of meaning between contrasting national, regional, military and civil sector systems for responding to CNI incidents to be translated and / or reconciled?
• Media handling: how are public information and presentational aspects of the response to MEA incidents against the CNI to be addressed?
• Government-private sector relations: what are the pre-requisite criteria for a trusting and mutually beneficial relationship between Government and private sector CNI operators in sharing information on threats and vulnerabilities?
• Legal issues: how do the frameworks of national and international law apply to the shifting and ill-defined boundaries of cyberspace?

Figure 2: AWR systems normalised against a generic crisis profile

To take the AWR issue as an illustration, a quadripartite game run by Dstl identified some eight separate AWR systems corresponding to the civil and military CNIs of the participating nations. Each system had a different number of alert stages and associated criteria (in different national languages) for moving between them. From a game design perspective, the complexity of the AWR issue can be appreciated in simple terms by normalising the different systems as shaded columns (each tone representing a different level of alert) and mapping them against a notional crisis profile such as might be depicted within a ‘Day after…’ scenario (Figure 2). As the horizontal dotted line in Figure 2 shows, there are key points in the escalation of situational intensity at which the ‘common’ level of alert is ambiguous. Nuances of language and differing cultural perceptions (e.g. about what constitutes ‘attack’ or ‘critical systems’) further frustrate clear analysis of a common operational picture and what level of alert and response is appropriate. The AWR issue is a classic example of the kind of ‘fuzzy’ strategic policy issue that is most effectively explored through qualitative approaches such as gaming.

Strengths and weaknesses of strategic gaming

In addition to facilitating dialogue and understanding of complex issues, gaming can usefully expose the cultural values that underpin contrasting national and organisational perspectives on ‘messy’ policy problems. From the analyst’s perspective, the format of the final output produced by strategic games (i.e. concrete action plans) is conducive to rapid qualitative analysis on behalf of the Customer, supplemented by submission of more considered advice on strategies for improving policy and plans in the aftermath of the game. The generic‘Day after…’ method has itself proven extremely adaptable and in Dstl’s experience worked well across a broad range of policy problems for various areas of Government. Finally, the ability of strategic gaming events to bring together diverse areas of expertise from a range of backgrounds (e.g. Government, commerce and industry, academia, etc.) is itself a major strength of the approach, as it affords the opportunity for informed discussion in a situation which is realistic but non-threatening (because the gaming situation is hypothetical).

Balancing these strengths, strategic gaming suffers a number of weaknesses in terms of its analytical rigour. These include:

• Limited coverage of the ‘threat space’: it is inevitable that a single, relatively focused scenario will cover only a portion of the entire theoretical ‘threat space’. An iterative gaming process can counter this problem to some extent.
• Non-reproducibility of analysis: a problem common to most gaming approaches is that different groups of participants generate different results and even the same group of participants may generate different results on separate occasions given like data. While strict repeatability is not an objective of strategic gaming per se, broad convergences of opinion can sometimes be detected in participants’ responses over time.
• Audit trail for decisions: where subjective (albeit expert) opinion provides a basis for decisions rather than objective data, it is important to capture accurately the reasoning by which decisions were reached. Dstl uses teams of experienced note-takers to record group and plenary deliberations, such that a reliable account of the rationale underpinning particular outcomes can be recreated as required.
• Bias: a degree of bias is unavoidable in the approach of both design staff and players to strategic games. Design team bias may be evident in the selection of issues for exploration, for example, or the characterisation of particular threats. Participant bias may be manifest in terms of pre-conceived attitudes to particular issues or in a tendency to ‘fight the white’. The impact of bias can be minimised by undertaking frequent, impartial reviews of the exercise material (e.g. by technical and policy experts) and by ensuring a broad mix of participants from different backgrounds.

Summary

The problem of CNIP constitutes a significant challenge for both decision-makers and the scientific / analytical community that supports them. Non-linear mathematical techniques in the field of complexity theory offer the distant prospect of synthetic environments that may one day give decision makers reliable a priori insight into the behaviour of complex systems such as the CNI. Pending the maturation of these and other abstract modelling approaches, qualitative analysis techniques have much to offer in exploring the parameters of the CNIP issue and educating policy makers about the complex issues involved.

While strategic gaming offers a viable approach to CNIP and similarly complex policy problems, the method has its limitations. These include the time and resource costs of developing and testing credible scenarios, the inability of prescripted scenarios to fully reflect the impact of players’ decisions taken in previous rounds and the fact that, by definition, strategic gaming is a relatively high-level activity that does not tackle the ‘grass roots’ aspects of how to realise grand strategic aims and objectives. Nonetheless, in situations where an absence of data or the insufficiency of grounded science precludes reliably objective quantitative analysis, strategic gaming is to be regarded as a credible and flexible analytical tool in pursuit of the wider objectives of formulating and improving CNIP policy and plans.

Biography

Dr Simon Davies is at the Defence Science and Technology Laboratory (Dstl), an agency of the UK Ministry of Defence. Prior to this he completed degrees at the University of East Anglia and was engaged in Strategic Studies teaching and research at the University of Wales, Aberystwyth. His current research interests include most aspects of strategic planning and information operations, with emphasis on the development of national and international policy approaches to the protection of critical information infrastructures.

Bibliography

• Czerwinski, T. (1998) Coping with the Bounds: Speculations on Nonlinearity in Military Affairs (Washington: National Defense University)
• Denning, D. (1999) Information Warfare and Security (Reading, MA: Addison-Wesley).
• Eden, C. and Ackermann, F. (2001) Making Strategy: The Journey of Strategic Management (London: Sage Publications).
• Molander, R., Riddile A. and Wilson, P. (1996) Strategic Information Warfare: A New Face of War (Washington: RAND Corporation).

First published to members of the Operational Research Society in OR Insight June- September 2003