Why policymakers are playing board games to counter cyber threats

Can table-top tactics really be applied to the real world?

Sign Up

Get the New Statesman's Morning Call email.

Games can be more than a jovial pastime. Children playing hide and seek in the playground and the annual family game of Monopoly at Christmas are not only entertainment, but also serve important functions for social and cultural development. Just consider the character enrichment of Uncle Tom flipping the table and storming out after once more landing on Go to Jail. This emotive and evocative power of games has long been recognised and formally studied.

Beyond academia, the power of games has been recognised by a variety of professions. The type of games with the longest history of serious use are wargames, which are used to train military officers in strategy and tactics and their ancestry can be traced back some 5,000 years to Chaturanga in India (a precursor to Chess) and Wei Hai in China (a precursor to Go). Modern wargaming finds its direct roots in 19th century Prussia where Baron von Reiswitz invented Kriegsspiel (literally: “wargame”) in 1811.

Kriegsspiel took place on a board with terrain pieces to model geographical features and its playing pieces were representative of real Prussian military units. Dice were incorporated to simulate the unpredictability of conflict and other mechanisms were devised to model difficulties with visibility and communications (later encapsulated in Carl von Clausewitz’s famous concepts of “fog and friction”). With further improvements and variation developed over time, Kriegsspiel set the standard for wargaming in a professional context.

The fortunes of wargaming have waxed and waned over the past 200 years, often being cast aside as new methods or technologies were developed. In the 1950s and 1960s, for example, scientific approaches such as game theory and systems analysis took precedence, while in the 1980s and 1990s the rise of the personal computer saw a slump in interest in manual wargaming. At the present time we are experiencing a renaissance in wargaming, with multiple sectors outside the military sphere recognising the utility of games for helping shape how organisations tackle an increasingly entropic world.

One of the most pressing issues today is that of cyber security, which continues to make headlines through ceaseless incidents of compromised systems and data loss, while the spectre of cyber war is carelessly waved around in the media. It also used to be the case that cyber security was seen as a purely technical domain, impenetrable to anyone without a computer science degree. However, this has started to change, with recognition that effective cyber security requires a multidisciplinary approach involving social science and humanities fields such as psychology, law, international relations, ethics, and policy.

Despite recognition of the importance of cyber security and its multifaceted nature, very few wargames exist (in the public domain) that tackle this matter. My own PhD research in the Centre of Doctoral Training in Cyber Security at Royal Holloway, University of London, has sought to ameliorate this situation.

I have created a table-top wargame based on the UK National Cyber Security Strategy in which two teams of players take control of the UK and Russia. The game is structured around five fundamental constituents of cyber space: government, business, people, military/intelligence, and critical infrastructure, each of which are tasked with attacking, defending, or ensuring prosperity.

Players must manage limited resources to achieve conflicting objectives, while grappling with some of the fog and friction inherent in navigating cyber space, including unforeseen geopolitical events and a black market for offensive and defensive assets.

The game is targeted at senior policy decision-makers, though anyone with an interest in cyber security can play it and gain something. It is intended as a learning exercise, not in the sense that actions taken in the game translate directly to real world policy, but in that the game introduces players to basic and indispensable concepts in cyber security.

The game effectively offers a cyber security 101, without technical jargon or prior knowledge required, and in a setting which is significantly more engaging and rewarding than a PowerPoint presentation or online course. Through the emotive and evocative power of games, my game prompts discussions which enable players to test and share their knowledge and understanding, creating a stimulating learning environment.

Over the course of my PhD research I have conducted over 30 game sessions with more than 250 players across military and civilian organisations in both the UK and internationally, such as the UK Foreign & Commonwealth Office, the NATO Centre of Excellence Defence Against Terrorism, and the German Command and Staff College (thereby bringing the game to its spiritual home). These sessions have yielded a wealth of data about the efficacy of the game and how players engage with it.

So what does the data tell us? Well, if we want to predict the next cyber war by simply crunching the numbers, we find that the UK has a 50 per cent chance of winning, with Russia a 42 per cent chance and 8 per cent chance of a tie, with the war likely to end around 26th October 2020. Looking at average scores (all: 19.08), we also find that we want a good mix of people in charge of the country (mixed groups: 22.25), but not civil servants as they scored the worst (7.50).

However, these numbers are only meaningful if the game model is an accurate depiction of the real world, which it is not. The game model is representative of the real world, but only in a stylistic and in some ways deliberately incorrect way, encouraging players to challenge the game model and thereby derive pedagogical outcomes through discussions. The qualitative data these discussions yield are more meaningful to determine whether the game is an effective learning tool.

Perhaps the most illustrative example of the game fulfilling its purpose came from the play session at the German Command and Staff College. During the post-game discussion, the following exchange was observed between two participants, one of whom was a cyber security expert and one who was not.

P1 [expert] said: “I didn’t learn anything about cyber security, but I learned a lot about strategy and how society fits together." P2 [non-expert] said: “I had never heard of things like ransomware before, but now I know I can go ask [P1] about it.”

My game demonstrates that games about cyber security do not require a technical solution, just as cyber security is not only about technology. By creating a social setting where players are encouraged to share their knowledge, the emotive and evocative power of games can be harnessed to exchange and enhance expertise. If you agree that this is a good thing, then heed my advice: go forth and multiplay!

Andreas Haggman is a PhD researcher in cyber security at Royal Holloway, University of London.