7 November 2022

Cybersecurity is an Infinite Game

Bob Gourley

Game theory, the study of competition and conflict, tells us there are two types of games: Finite Games and Infinite Games. Knowing which one you are playing is key to making optimal decisions.

Finite games are those that have a beginning and an end. The objective of a finite game is to win. The game ends when all sides know who the winner is. Examples of finite games include most battles in a traditional war; they end when there is a decisive victory. Sporting events are examples of more peaceable finite games.

Infinite games go on forever, as if they have no beginning and no end. At any one time a player may be ahead or behind, but the game continues as long as the players play. Examples of infinite games include the dynamics of business competition. There is no finish line in business.

Espionage is an infinite game. A particular operation may be thwarted and agents arrested, but spies are going to spy.

Conflict is an infinite game. A particular battle or war may be a finite game with a winner, but the broader human conflict always continues.

Crime and law enforcement is an infinite game. Individual players may be taken off the field, but crime and law enforcement will never stop.

In infinite games, winning or losing is at best temporary and is more a snapshot of the current situation than anything final. Any leader currently achieving objectives in an infinite game should recognize the situation is going to change. To have hope of meeting objectives in the future, the game must continue. Counterintelligence professionals can never stop. Law Enforcement can never stop. Defenders must always defend.

Business, espionage, conflict and crime have all transitioned to cyberspace. So, clearly, cybersecurity is an infinite game. Every organization and every individual connected to the Internet is now participating in an infinite game, whether they wanted to or not.

"Only that which can change can continue: this is the principle by which infinite players live." - James Carse

Understanding that cybersecurity is an infinite game should inform all our actions in cyberspace. Here are suggested considerations for businesses, individuals and governments:

Business Considerations in Cyber Conflict

Architect for continuous operations. Models like the OODA Loop are far more relevant to defenders than static checklists.

All business leaders and decision-makers should realize the never-ending nature of cyber conflict. It is important to continuously raise defenses and work to mitigate vulnerabilities. But there will never be a silver bullet or magic piece of technology that makes all challenges go away. Adversaries will surprise.

Although permanent victory will never come, recognize there is a wealth of knowledge and lessons learned that can be applied in reducing risks. This includes best practices on how to design more secure systems and how to make it much harder on adversaries to accomplish their objectives. This point underscores that ongoing collaboration with other businesses and good governments is of critical importance.

Since surprise is highly likely, all businesses should have incident response plans and well thought out data backup procedures.

Some of the most important metrics in continuous cyber conflict include how fast an adversary can be detected in an enterprise and how fast they can be pushed out once detected. Track these metrics on a continuing basis. Other metrics include how long it takes a well-trained red team to accomplish objectives in an organization. Red teaming can provide insights that improve defenses against real world adversaries.
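To make the detect-and-evict metrics above concrete, here is an added Python example (not from the article) that computes dwell time and eviction time from constructed incident records, tracks the quarterly medians, and flags quarters where the trend worsens; the record format and field names are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident records (illustrative only, not data from the article).
# first_activity: earliest evidence of adversary presence; detected: when defenders
# noticed; evicted: when the adversary was pushed out. ISO 8601 timestamps, UTC.
INCIDENTS = [
    {"id": "INC-001", "first_activity": "2022-01-03T08:00:00", "detected": "2022-01-20T14:00:00", "evicted": "2022-01-23T14:00:00"},
    {"id": "INC-002", "first_activity": "2022-02-10T00:00:00", "detected": "2022-02-15T00:00:00", "evicted": "2022-02-16T12:00:00"},
    {"id": "INC-003", "first_activity": "2022-03-01T06:00:00", "detected": "2022-03-11T06:00:00", "evicted": "2022-03-13T06:00:00"},
    {"id": "INC-004", "first_activity": "2022-04-05T10:00:00", "detected": "2022-04-07T10:00:00", "evicted": "2022-04-08T04:00:00"},
    {"id": "INC-005", "first_activity": "2022-05-20T00:00:00", "detected": "2022-05-23T12:00:00", "evicted": "2022-05-24T00:00:00"},
    {"id": "INC-006", "first_activity": "2022-07-01T00:00:00", "detected": "2022-07-15T00:00:00", "evicted": "2022-07-16T00:00:00"},
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def incident_metrics(rec):
    """Time-to-detect (dwell) and time-to-evict for one incident, in hours.
    Records whose timestamps run backwards are rejected: a negative dwell time is a
    data error and must not be allowed to flatter the aggregate."""
    ttd = _hours(rec["first_activity"], rec["detected"])
    tte = _hours(rec["detected"], rec["evicted"])
    if ttd < 0 or tte < 0:
        raise ValueError(f"{rec['id']}: timestamps out of order")
    return ttd, tte

def quarter_of(rec):
    """Bucket an incident by the quarter in which it was detected."""
    d = datetime.fromisoformat(rec["detected"])
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def quarterly_trend(incidents):
    """Median time-to-detect and time-to-evict per quarter (the median resists one outlier)."""
    buckets = {}
    for rec in incidents:
        buckets.setdefault(quarter_of(rec), []).append(incident_metrics(rec))
    return {q: {"n": len(v), "ttd_h": median([t for t, _ in v]), "tte_h": median([e for _, e in v])}
            for q, v in sorted(buckets.items())}

def regressions(trend):
    """Quarters in which either median got worse than in the previous quarter."""
    out, prev = [], None
    for q, m in trend.items():
        if prev and (m["ttd_h"] > prev["ttd_h"] or m["tte_h"] > prev["tte_h"]):
            out.append(q)
        prev = m
    return out
```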

Like all other infinite games, insights into adversary capabilities and intentions can provide advantage. Businesses should leverage cyber threat intelligence in decision-making. And work to inform defenses using community knowledge of adversary tactics and techniques (see: MITRE ATT&CK).

Individual Considerations in Cyber Conflict

Individuals can leverage the incredible talents of highly capable engineering teams and cybersecurity professionals by making use of cloud-based services for email and other online collaboration. By following the best practices of vendors like Apple, Microsoft, Google and Amazon, home users can store data online and on devices in ways that are very hard for adversaries to compromise.

Keeping all devices (laptops, desktop computers, phones, tablets) patched, and using multi-factor authentication for every online system, can make it much harder on adversaries. It is also a good practice to use a high-end password manager, like LastPass or Dashlane, or, for people 100% in the Apple ecosystem, the Apple Keychain password manager.

One of the best ways for individuals to stay informed on the dynamic cyber threat is to tap into the resources of the government. For example, the DHS Critical Infrastructure and Cybersecurity Agency (CISA) provides tips and recommendations via email to anyone who signs up for distribution at: https://us-cert.cisa.gov/ncas/tips

Government Considerations in Cyber Conflict

All government policy-makers should realize cybersecurity is an infinite game. Some already do. The greatest successes in government action in cyberspace have been those that are built on a recognition of the dynamics of the never-ending cyber threat. This includes, for example, the work of operational cybersecurity and intelligence organizations in government, who have decades of experience in the true nature of the threat. However, other parts of the government are not so aware. In fact, some of the greatest failures of government policy in cybersecurity can be attributed to approaches that seem to be based on finite game solutions. This includes those policy initiatives that are treated as fixing the problem (which has happened in every administration in the digital age). There is an observed phenomenon called cyber threat amnesia, which occurs when decision-makers take action to fix a problem and then seem to think nothing will happen again. Any organization demonstrating the symptoms of cyber threat amnesia is treating cybersecurity as a finite game.

If this were a finite game, the issue could be addressed and the battle won with a Presidential Directive, like that of the President’s Commission on Critical Infrastructure Protection of 1998, or the Biden Administration’s Executive Order of May 2021. These are generally positive things, but contribute to many of us deluding ourselves into believing we are done.

Since cybersecurity is an infinite game where adversary action is continuous, defender action, even at the most senior level, must be continuous. Instead of a Presidential level directive every four years, consider continuous guidance on cyber risk mitigation on a daily battle rhythm, lasting from now until eternity.

The observation that cybersecurity is an infinite game has implications for policy-makers who posit that cyber incidents can be deterred. In infinite games, the rules change too much for that. Like espionage, which no open society could ever deter, cyber conflict will endure. Policies that raise the cost for attackers and slow their actions are good. So are many other actions around raising defenses. But pursuing finite solutions will prove to be folly.

Understanding the true nature of cyber conflict as an infinite game can help align decision-making in business and government and can do so in ways that reduce risk and make it harder on adversaries to achieve their objectives. Making things harder on adversaries in cyberspace should bring joy to any defender.
