“It’s not if, it’s when!”
You may have heard this common phrase as firms across the globe ask themselves if they will ever experience a breach. From government and finance to healthcare, manufacturing and media, no industry is immune from the throngs of cyber-attacks that are taking place on a daily basis. Gone are the days when a deep understanding of hacking techniques was needed in order to infiltrate a company’s IT systems. Ransomware and exploit kits can now be easily bought and sold on the dark web, where those with relatively little hacking experience can cause severe damage to organizations.
With the possibility of monstrous financial and reputational damage, organizations find themselves asking, “How will our organization respond to a cyberattack?”
The answer to this question, in short, is wargaming exercises, wherein all members of the organization, from technical staff to marketing and HR, are able to practice in a mock breach setting to see how they will conduct themselves. But what are the strategies and tactics that go into exercises of this type?
To answer this question, I had the fortunate opportunity to interview Dr. Ron Sanders, Vice President and Fellow at Booz Allen Hamilton, to discuss the cyber wargame—the wargame is actually entitled Breached!—that they recently conducted for the non-profit professional security organization, (ISC)2, in order to understand the psychological components that go into the wargaming exercises that they conduct. When we spoke, Ron was in charge of Booz Allen’s wargaming team, and he generously provided deep insight into the aspects of human psychology that go into these breach exercises. His impressive professional background, as the first Chief Human Capital Officer for the Intelligence Community, Chief Human Resources officer for the Internal Revenue Service, Director of Civilian Personnel for the Defense Department, founding director of the Defense Civilian Personnel Service, and deputy director of civilian personnel for the Department of the Air Force, brings an exceptional depth of experience and understanding of human dynamics in the workplace and allows us to better understand the important factors to be aware of as you best prepare your enterprise for a potential attack.
-What psychological factors are part of the initial crisis management assessment when conducting these breach exercises?
I think it is a mix of both psychological and sociological, or cultural factors, that we try to build into these wargames and that we look for as wargames play out. And I should add, the exercise we did with (ISC)2 is our entry-level, cyber wargame. It is generic, it is intended to demonstrate to non-technical people in the C-suite that a breach has all sorts of strategic business implications, not just technical ones. In many respects, a technical decision that may be correct in one sense may have extremely negative strategic business implications. So, the whole idea is that the entire C-suite needs to be involved.
We get much more sophisticated in our more advanced cyber wargames. But, to your question, there are some things we look for and that we test for with all of them, both individually in the people that are playing the games, as well as more generally the organizational and cultural characteristics that can have a profound effect on how they play.
In an individual sense, obviously, we are looking for individuals that can remain calm and analytic under fire. In any war game, whether it’s in the breach exercise like ones that we do for all kinds of commercial clients that I can’t mention, or government clients like Homeland Security and NSA and the Defense Department.
The table stakes are calm under fire, and we test for that in these wargames by compressing into a matter of minutes something that may take hours or in some cases even days to play out in an actual breach. In an actual breach people may have a bit more time to think about it but even then they are human beings, and as a consequence, they may put off until the last minutes some of the really, really difficult or really, really intense decisions that need to be made. So artificially compressing the attack doesn’t detract from its basis in reality.
So, the number one characteristic is some ability to stay calm under fire. But that almost goes without saying. We also look for and vet for what some call systems thinking, maybe more practically, the ability to connect the dots. To be able to take things that on the surface may appear disparate and see how they interact with one another in non-obvious ways. Again I’ll go back to the point that a very technical solution may in fact be the wrong action to take in a strategic business sense.
I’ll give you an example right out of the breach game we did for ISC2. In that game the scenario involves a non-state actor that has penetrated an organization’s network and, among other things, is in its email system, actually manipulating that email system. If you ask the CISO what to do, they will invariably say “shut down the email system”, then in the game you ask, “OK, now you have to communicate to your workforce, how are you going to do that now that the email system is shut down?” The reaction is often stunned silence.
Again, what may be the technically correct answer may not be the right strategic one. So again, the ability to connect disparate dots and realize unintended consequences is critical. That is not something everyone can do, but that is something we look for and test for in the game. It is something that someone can learn, if they are aware of it, and part of the exercise is making both individuals and organizations aware of these soft traits…not just hard technical issues that they have to face in a breach, but some of the softer ones that may actually prevent them from dealing effectively with the technical ones.
So, you need to be calm under fire, and you need to be able to connect, but you also need to be able to lead without formal authority…the third quality on our list.
Think about it for a moment; in a breach situation, most of the players—whether they’re in the systems Operations Center or the C-suite—are organizational equals, and even when someone is appointed to be in charge, a smart leader is not going to come in and say, “do X, Y, and Z,” no discussion, just salute. A smart leader encourages debate and discussion and dissent, quickly of course, but encourages it, but for the staff who report to that leader during a breach, they have to have the courage and the competency to lead without formal authority…in other words, to ‘speak truth to power’ whether the person in charge wants to hear it or not. That lowly staff member may see how the dots connect and realize the unintended consequences, and if that person is not prepared to step up and say that, then again, the organization may make the wrong decisions.
This is especially the case in the C-suite; when the CEO or COO is in the room, we see phenomena like groupthink. People try to read the person with the most rank and anticipate what that person wants to do, whether it is the right thing or not. That is a common phenomenon. We especially see it in government organizations that are very hierarchical. We encourage staff to learn how to lead—lead-up if you will—even if they don’t have formal authority over the issue or the circumstance.
There are other qualities, like the ability to build and leverage social networks within an organization, that are part of connecting the dots and are part of finding an effective solution to a breach. That’s probably fourth on our list, and again, it’s something that can be taught and learned through practice.
If there is a fifth factor (and again these apply both individually and collectively), it’s the interest in and capability to solve puzzles. At the end of the day, these breaches are all puzzles and you want people in the room who like to solve puzzles, who are challenged by them, and getting to the bottom of a breach, especially with some alacrity, can be critical. But at the same time, in that puzzle solving ability, you have to be able to connect the dots and realize unintended consequences. So critical thinking and analytic skill—call it analytic tradecraft, a word from the intelligence community—is also required, and someone who practices that tradecraft will deliberately seek out alternative points of view, alternative hypotheses that may be counter to the group’s thinking, to test the efficacy of that thinking.
-What characteristics of the Millennial personality can be utilized in these breach exercises?
Having Millennials in the room when an organization is dealing with a breach can be a huge advantage for a couple of reasons.
One, because Millennials are digital natives, they tend to be comfortable with the whole notion of a breach. They spend much of their lives online and know the risks. My intuitive sense is that Millennials are also more collaborative, and there’s some anecdotal evidence to back that up. For example, when it comes to solving puzzles they are more collaborative, and that is an advantage in these circumstances because again, gone are the days when a single technical expert knows the answer.
As we have been discussing, a breach situation involves all sorts of disparate dots that need to be connected and one of the best ways to do that is through collaboration with the individuals that represent those dots. I’ve watched my Millennial son play an online game with a team that he has never met, yet they interact and operate as a team in real time through IM. In some cases, they don’t all even speak the same language, and yet they still manage to communicate and coordinate their actions. Now that’s collaboration!
This instinctive ability to collaborate includes setting one’s ego aside, to say, “I don’t have to be in charge or be the subject matter expert,” and that makes it much easier to solve a problem collaboratively, on a group basis; now that is a very powerful thing.
The other thing that Millennials bring to the table is that they are pretty fearless when it comes to rank. It doesn’t bother them. They will speak truth to power, they don’t really care who it is. That may have other consequences when it comes to organizational politics, but they don’t worry about that at the moment. In a breach, you want somebody who is going to help to solve the problem, who is going to think collaboratively and connect the dots, and then who is going to say what they think, even if it is “You are about to do something stupid, you better stop.”
Now that is the good news. The bad news is that while you may have many Millennials in the Systems or Network Operation Center, you don’t find many in the C-suite. We have run cyber wargames before where we have the Systems Operation Center and the C-suite operating against a fictitious breach at the same time, and you would be surprised at how differently they approach it. Some of that has to be generational. For example, there are formal communications channels between the Systems Operations Center and the C-suite, both of whom have to be in sync in a breach, but often those communications channels can become clogged or misaligned. In addition, (and I’ll grossly overgeneralize here), younger people tend to be more collaborative, and that’s not what you will find in the C-suite.
-What unique value can women add in these exercises?
Again, I’ll grossly overgeneralize. I don’t have any empirical evidence, although I am sure it exists, but I do think women tend to be less worried about ego and rank, and as a consequence they can more effectively facilitate collaborative interactions among members of a group, where—with all due respect to those of my gender—men tend to worry a lot about who is in charge. And that can get in the way of solving some of the problems posed in a breach, particularly when they are playing out very, very rapidly. So I do believe women tend to be more collaborative, not just Millennials, but most women; they don’t let ego get in the way, and I think that allows them to collaborate and help connect the dots where us type A personalities are all vying to sit at the head of the table; that tends to get in the way of puzzle solving.
I also think women understand how to lead without formal authority, another of those skills so essential in a breach situation. Again, I know I am generalizing, but that is precisely what you need in a situation like that. You don’t want groupthink, you don’t want everyone deferring to the person with the most rank or the fanciest title, that would be exactly the wrong thing to do. We actually incorporate that scenario into the breach wargame we did for ISC2. The CEO is not actually present and playing the game, but they are making rash decisions (supplied by the game masters) that affect the play and the players…just like an uninformed, uninvolved CEO would. It’s really fun to watch the team struggle with, “Do we comply with his decision or not?” Bottom line: in responding to a breach, what you really need is a more collaborative approach, and I think women are very comfortable in that environment. They don’t let their ego get in the way.
-What human biases do you routinely encounter in these exercises and what are the ways you use to overcome them?
One of the strongest biases in a breach, a data spill, a malware attack, whatever it is, is to defer to the technical experts. There is an overwhelming bias to say, “this is a technical problem, so it needs a technical solution,” and non-technical people, like members of the C-suite, who may not understand the technicalities will defer to whatever the CISO says. Again, the purpose of a wargame like Breached! is to overcome that deference bias and to show, in pretty dramatic terms, that a perfectly plausible technical solution can shut down a company’s revenue stream. That’s why you need people who can understand strategic business implications of a breach, who can weigh the risks, who know enough about the technical aspects of the breach to be aware of their consequences, but who can also take into account reputation risk, shareholder and board reaction, employee reaction, etc. All too often that is not the case, so if there is one overarching bias, it is that technical deference bias; that can lead to exactly the wrong decision.
So, a game like Breached! will underscore the fact that if you make purely technical decisions, you are going to put your organization at risk. That means that you have got to make the C-suite more technically aware, you have got to teach them and train them, you’ve got to practice in more sophisticated settings. Breached! is just the undergraduate version, so you need to bring them along and school them in this. But the first step is to make them aware that, “If I knew that, I would have done things differently, but that’s what the technical expert told us to do.”
The other bias is to defer to the person with the most rank when these kinds of decisions need to be collaborative. And that means the person with the most rank has to be very careful to say “wait, no, I am not going to tell you what I think, I want to hear what you think.”
The leader needs to encourage dissent and debate, needs to ensure that there is diversity within the room—organizational diversity as well the cognitive diversity that comes from having people of different backgrounds, generations, gender and ethnicity, etc. You want different points of view in the room and the leader has to consciously ensure that people are not deferring to his or her rank out of organizational instinct…that in fact they are going to speak their mind and the group is diverse enough to offer varied points of view.
Without that diversity, you get the bias of groupthink. People are watching the person with the most rank, they are watching body language, they will cue off his or her behavior, and if they think the boss is leaning one way, even at a subconscious level, they are going to lean that way as well, and that may result in a completely wrong answer.
So cognitive diversity can help to connect the dots, but it also takes the courage and character to say “wait a minute, I may be the lone voice here, everybody may be going the other way but I think this is wrong.” And of course you need an organizational culture that allows that. Those are the kinds of organizational and that normally surface in a game, and that’s the kind of feedback we give to the client; for example, “You thought you were being open to dissent or debate but you really are not so maybe that is something you should look at.”
The real power of a wargame is practice. Cybersecurity is a team sport, and so is effectively dealing with a breach. No athletic team takes the field and is successful without practice. So, a wargame gives the organization and the individuals within that organization a chance to practice in a safe environment. They can do things and fail and they won’t put the company at risk, and hopefully then they can learn from what they do, what worked and what didn’t, so when the real thing happens, they’re prepared. Of course, nobody can anticipate the real thing, that rarely happens; however, more often than not the scenarios we use only vaguely resemble the real thing, but the fact is that with practice—with a wargame—you build relationships and you establish behaviors and norms that let you deal successfully with whatever comes your way.
You don’t get that without practice, practice, practice.
-What are the most important factors of security culture that stand out to you when conducting these exercises?
Many organizations talk about creating a cyber secure culture, and then they don’t do all the things necessary to actually change their culture. There are lots of experts in changing organizational culture, and it is more than two hours of online training to make employees aware of spear phishing attacks. That is just the start, so part of it is practice, practice, practice. Part of it is building rewards into your culture to signal to people that being cyber-aware, being cyber-secure, practicing good cyber hygiene, these are all things that this firm, this organization, this agency values, and you reward people for behaviors consistent with those precepts. In other words, you need a culture that allows and encourages behaviors like collaboration and connecting the dots, as well as a ‘safe’ organizational environment where dissent and disagreement, especially with the technical experts, is also allowed and encouraged.
The risks involved in a breach are such that it is worth the investment to make sure that you really are creating a cyber secure culture and you are not just giving it lip service.
While organizational leaders may ask themselves if it is worth the investment to participate in a simulated breach exercise of this type, the better question may be, what will be the cost if I do not make the investment? Ron’s wisdom gives the security industry an understanding of the psychological components that should be highlighted and encouraged, and it is now left to organizational leaders to make the commitment to protecting their organizations through these exercises. As in any game, without the opportunity to practice, how will you ever become a master?
I would like to express my deepest gratitude to Ron Sanders of Booz Allen Hamilton and Dan Waddell of (ISC)2 for their time and consideration in conducting and facilitating this interview that will undoubtedly assist the information security community in understanding how to prepare for a cyberattack situation.
UPDATE: For more info on the actions being taken to prepare our youth for a career in cyber with an introduction to wargaming, read about the class that UC Berkeley is offering: