Gameplay and game theory are some of the most valuable tools to teach information security. Game theory is a branch of mathematics that allows us to reason through cyberattack/defense scenarios without spinning in philosophical circles. It allows you to model probabilities on how someone else will take action and what you should do to counter that action.
And it’s a critical part of an effective cybersecurity strategy, which is why the U.S. military has run a number of game theory training programs to date.
The All-Army Cyberstakes is a 10-day long cybersecurity-based capture-the-flag competition. All members of the military and U.S. government are invited to play with the goal of training. Other similar but shorter programs have been run, too, featuring attack and defend scenarios.
Perhaps the grandest example was the Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge in 2016, in which seven teams constructed autonomous systems designed to play an attack and defend-style capture-the-flag without any human intervention.
My team was one of the finalists in that challenge.
The Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems (CYBER LEAP) Act of 2020 builds on these existing programs. Sponsored by Senators Roger Wicker, R-Miss, Jacky Rosen, D-Nev., and Cory Gardner, CyberLEAP would instruct the Commerce Secretary to establish national challenges to “achieve high-priority breakthroughs in cybersecurity by 2028” in five areas: the economics of a cyberattack, cyber training, emerging technology, reimagining digital identity and federal agency resilience.
It would establish a coherent policy toward finding the best cyber talent within the US Government. Senator Rosen, a former computer programmer, told NextGov, “Investing in our cybersecurity workforce is vital for our national security and our economic future.”
Unfortunately, the legislation, which passed a committee vote in May, has now stalled on the U.S. Senate floor. It needs to be passed. At a time when there are legitimate security concerns around the upcoming presidential election, with our financial instructions, and even our drive to find an effective vaccine for COVID-19, we need a commitment to educating our government employees and officials on best practices for cybersecurity. And what better way to learn than through gamification?
Results from the CyberStakes program have already been beneficial. Former DARPA project manager Frank Pound said that before the military competitions started in 2014, it was hard to find somebody in military leadership who actually knew the low-level details of software exploitation, and why it mattered. Or what’s happening in a computer’s memory with buffer overflows. Or how the memory of a program can be manipulated from the outside by an adversary. He said that unless you understand those nuanced problems, it is hard to make good military strategy decisions about how to defend against them.
So game theory can influence policy decisions. It can highlight where we can place incentives that may not be obvious and whether those incentives actually change the game we (think) we’re playing.
In cyber, you don’t have certainty in what exploits your adversary knows about, whether they are using an exploit they already disclosed, and whether your zero-day is really a zero-day (again, no visibility). So it’s critical that our military has experience in navigating attacks and defence on the cyber front through effective training.
It’s critical that the Senate move the CyberLEAP bill forward to ensure we have the cybersecurity skills we need to keep the country protected.
David Brumley is CEO and co-founder of ForAllSecure and a CMU professor (currently on leave).