1 / 39

"Games versus Exercises: Designing Surprise-resilient Organizations for a Cybered World”

"Games versus Exercises: Designing Surprise-resilient Organizations for a Cybered World”. Chris C. Demchak Associate Professor, United States Naval War College Strategic Research Department Newport, Rhode Island, USA 02841 Views expressed are not those of the US Government or the US Navy .

rafi
Download Presentation

"Games versus Exercises: Designing Surprise-resilient Organizations for a Cybered World”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. "Games versus Exercises: Designing Surprise-resilient Organizations for a Cybered World” Chris C. Demchak Associate Professor, United States Naval War College Strategic Research Department Newport, Rhode Island, USA 02841 Views expressed are not those of the US Government or the US Navy .

  2. My Focus in Research • Field: Comparative study of deliberate and accidental surprise affecting complex, critical socio-technical systems(niche: fusion of social structural, with technological design and basic information systems complexity research) • Focus: Organizational responses in design, operations, learning • what people do [comparatively] in their organizations when nastily and intentionally surprised, • Underlying concerns: • Resilience as Systemic Attribute • Reverberations through institutional changes to alterthe wider society and global system

  3. Outline: Surprise, Scale/Complexity of Cyberspace, changing Conflict, Power, and the Institutional/Political Topology of the Cybered World Limitations of Existing Exercise Formats for Learning Resilience in Largescale socio-technical Systems Argument: Gaming and adapted organization (Atrium model) for operationally accurate timely trial-and-error learning (TEL)

  4. Cyberspace better seen as a globally man-made ‘Substrate’ • Expansion engine of Globalization •  Dual nature - it enables good and bad actions equally • Now is a Complex Socio-Technical System on Steroids at Global Scale •  Enormous Security and Resilience Challenges for heavily digitized civil democratic nations

  5. New Underlying Insecurity for States • Everyone regardless of intent can use global cyber substrate to operate through, with, and on anyone whenever over whatever period of time to any level of precise outcome. • Opponents of any sovereign state have historically new choices to create a multiplicative inventory of complex attacks for little cost: • Scale: enemies can organize from 5 to 500, etc, with globalized communications, • Proximity: enemies can reach from anywhere with the high speed, globalized connections, • Precision: enemies can target one or thousands with globalized interdependent connectivity

  6. Result: a wide range of conceivable forms of cybered conflict and nasty surprises • Possible on global scale, • Including those from unintentional acts or just poorly coded attacks • Multiplies knowledge and sensemaking problems many times over for leaders and institutions ensuring national security

  7. Natanz Peace and Prosperity Nuclear Fuel Reprocessing Plant STUXNET

  8. Global Complex Socio-Technical Systems as Conflict Spaces require a newer language • “Cybered Conflict”, not ‘cyber’ war’ • Cyber is the basic technological system • Cybered is the whole combination of people, instituions, etc with cyber to create the socio-technical whole • ‘Cybered’ because conflict has no easily defined attributes • No clear beginning, end, rules of engagement, limitation on actors involved, avenues of deterrence, metrics of risk, indicators of strategic opportunity, immunization, or incremental success, etc • Cybered conflict “Any conflict of national significance in which success or failure for major participants is critically dependent on computerized key (cyber) activities along the path of relevant events”

  9. Need adapted notion of ‘Cyber Power’ in complex Cybered World • Some attacks will succeed => national ‘security’ now intertwined with national ‘resilience’ because • “Cyber Power” now has two parts: • Disruption: traditional capacities to deter, deflect, reach out and harm, but not destroy, ability • Resilience: newer complex adaptive system ability to endure inevitable successful attacks with internal critical redundancy, slack, and constant trial-and-error learning (TEL) throughout home society • Cyber power provides the “security resilience”(*) of a nation *C.Demchak, forthcoming 2011, Wars of Disruption and Resilience: Cybered Conflict, Power, and National Security. UGA Press

  10. Building Cyber Power means increasing Resilience across the Nation • Exceptionally difficult to do under urgent conditions when under flood of disparate attacks • Hard to get necessary redundancy, slack, and T&EL (trial and error learning) quickly enough across whole society while cyberspace still growing • Cannot process inputs fast enough or create critical redundancies quickly enough in real time right now • Supply chain especially hard to comprehend and control a for bad actors or subverted goods cross such open exchanges

  11. Cyber challenges deeply embedded in supply chains in a globalized largescale socio-technical system LENOVO China-IBM Inc

  12. In this cybered world, how do we COLLECTIVELY in our key organizations learn to be surprise-resilient and then design ourselves to keep it fit for purpose over the long run as cyberspace and its topology evolves? National ‘cyber’ Power needs resilience as much as disruption capabilities in a Cybered world

  13. Militaries Historically Surprise-Embracing Organizations • Within their purview, modern militaries pursue redundancy, slack and trial-and-error learning • Use standardized drill and training routinely • to prepare large-scale units for the surprises anticipated in traditional conflicts • Train individuals to be redundant in specialties • and cross level them as needed • Read history of wars and gather intel on likely opponents to create scenarios (slack) • Use exercises in mass and depth • in accordance with resources

  14. Exercises that worked in the past are today inadequate for surprises of cybered conflict • See cyberspace narrowly as “domain” so limit environment • Construct exercises for military role in “war” • Defined crisis build-up, ROE constraints, preplanned scenarios, and ending objectives • One-offs, even if annual event • No replay on the spot to test alternative hypotheses • Offense not allowed full range of offense advantages in order to contain training or events • Reverberations beyond focused AO at best second order • Educates those who design it and those who directly play, few others • Not widely available for replay, update, dissemination

  15. “Oh great! We trained only with BIGladders”

  16. Knowable? Yes No Preparation Serendipity Yes Outcomes Universe Accommodated? No Neglect Rogues 5-20% Cyberspace is a Complex Socio-Technical System on ‘Steroids’ at a Global Scale Complexity expands the Universe of Undesireable Outcomes:

  17. Accommodating Surprise in Complex Largescale Socio-Technical Systems • To get to the KNOWABLE unknowns, need implicit as well as explicit knowledge • Especially missing tacit knowledge embedded in your organizational members • Normally lose or ignore their experiences, knowledge of their professional domains, untapped skills, and perspectives encouraging innovative responses • Most of this is currently difficult to collect at best • Complex systems and organizations research has recommendations

  18. Basic Lessons about Responding to Surprise from Complexity, LTS and Complex Adaptive Social System Research • Complexity Research Major Lessons • Only Trends can be forecastwith knowable/unknowable unknowns • Path Dependencepowerful • Channeling trendsis best possible accommodation option • Largescale Technical Systems Research Major Lessons • Trial and Error bestto acquire knowable unknowns • Tighter coupling increases potential ripplingerror paths • Redundancy and Slackpowerful accommodators • Knowledge is expensivein time, money, staff attention, implementation • Complex Adaptive Social Systems Research Major Lessons • Human buy-in essentialfor effectiveness (legitimate, useful, doable) • Cultural filters powerful(socialization, operationalization hard to control) • Largescale socio-technical systems drift readilyinto unnoticed critical coupling and a lack of urgency to absorb or seek knowledge

  19. Exercise Shortcomings • do not collect tacit knowledge continuously, develop it, or allow the widespread reuse of this data. • do not prepare adequate capabilities against surprise in complex socio-technical systems

  20. How to learn to be resilient when embedded and vulnerable to globally complex system • Resilience to surprise must be developed inside the socio-technical system, especially its security units. • Need to develop collective sensemaking AND a menu of doable rapid accurate actions under urgent conditions (*) • In addition to comprehensive data inside and outside the institution • Must have collective trust among those responsive, mitigation or improvisation or innovation knowledge foundations, and holistic understanding of the wider environments involved. * From L. Comfort, A. Boin, and C. Demchak, eds. 2010. Designing Resilience. U of Pittsburgh Press

  21. Organizations need to “Play It Through” • Virtual reality simulations, if done correctly, can allow organizational members to play out their experiences and hypotheses with others, developing richer options for response to surprise • Gathers tacit knowledge in ways that meet the graphical and spatial predilections of humans in easy, useful, and collaborative mechanisms • Members can develop trust relations with those playing, and engage instinctively in performance assessments • Can be re-used, replayed, reviewed, analyzed, and reconsulted later – trial-and error learning • IF co-authored, the tacit knowledge can be provide remarkably informed innovative responses to surprise because they or someone has played through

  22. The Gaming needs to be Fully Embedded in Shared Practices of the Organization • Knowing when to seek more knowledge is the sense-making of resilience • Requires seeking what can be known continuously and keeping that tacit knowledge for ubiquitous operational use • Embedded organizational high-fidelity, continuously available, co-authored, game-based simulations • Daily practice of contributing reinforced by relatively frequent episodes of development of competence under surprising conditions • Actors unusually educated about overall system • Advantages • Maintenance of knowledge closely monitored • Environmental surprises constantly explored • Cognitive resilience encouraged • by ability to test ideas for local actions and see how they blend • Operational knowledge exchanges practiced broadly with different actors or same ones

  23. Gaming and an Atrium Organization • Embed operationalized on-call gaming in the organization • Trial-and-error learning is easy, accessible, and useful • Key attributes: High fidelity, continuously available, co-authored game-based simulations embedded in shared practices of critical organizations • Encourages knowledge redundancy, along with novel approaches to slack.

  24. Imagine operationalized gaming embedded in your organization

  25. Atrium Model: What a “Surprise-Facing” System might look like • Model Refines hypertext organization identified by Nonaka and Tageuchi in successful Japanese corporations Task Forces Core Atrium

  26. The Atrium Knowledge base not merely library or programmed threshold-based decision-maker Socially constructed as colleague People “enter” Atrium virtually as consumer, contributor, or producer Atrium

  27. The Core -- Main Operational Stem • Personnel required to rotate into Atrium and then action related Task Forces before returning to main operations • Everyone rotates, including CEOs • Wide familiarity with Atrium queries, knowledge needs and uses • Fully uses adjunct members and part-timers Core Atrium

  28. Task Forces – Action end of the Knowledge Chain • On Call action teams across systems • Personnel conduct short tours here • Personnel rotate into Atrium and then Core before returning to task forces, or at each change in major assignment • Capture wide familiarity with knowledge needs and Atrium uses Task Forces Core Atrium

  29. Task Forces Core Atrium Gaming aspect of Atrium is in the operationalized collaborative emergent knowledge (tacit and explicit development Accommodates surprise with 24/7 self-coordinating scalable knowledge-centric organization IF co-authored Conceptual clarity in goals and processes as people play through what they do routinely Effectiveness AND security enhanced as knowledge less scarce organizationally and societally

  30. Real & Virtual Emergency Task Forces Core (multiple organizations) Atrium ATRIUM for Joint OPS Only possible in cybered world Can segregate own sensitive files and yet still play through Builds cross organizational trust continuously Builds inter-organizational knowledge sets

  31. What scenarios might individuals play through that have no real outlet currently? • Casual overeducated unemployed youth in ME pile-on • during period of active Chinese nationalism with rise of proxy cyber warriors and student projects with unpredictable waves of persistent threats through supply chain backdoors left in place over time in both military and commercially central firms • “Anonymous” related attempted Fukushima redux attacks • across small reactors with related Son of Stuxnet attacks on small electrical generation plants serving aviation, mass transit, large federal clearing houses, and main trunk oil pipelines • Peer state heightened tensions as persistent threats open dormant back doors into military and NATO nation subnational systems • in disruption in world of national cybered borders across international system with nonstandard OS variants operating in government owned/operated clouds.

  32. How will we play through a cybered world in which most nations have a cyber commands (or equivalent)? Cybercommands are Critical Cyber Sovereignty Indicator of Politcal/Economic/Social Seriousness attached to National Uncertainty from global Cyber Substrate But only seeds of future evolutions in this sovereignty building process – may end up regional entities

  33. Cybered New Forms of Conflict? “Sir! Enemy BN CDR Alpha has tweeted his family. He plans to be home today in time for a birthday party at 1600.” “Air strike on his likely travel route? …… ……or tweet back?”

  34. A Millisecond in Life at the Cyber Border National Cyber Security Gateway “You’re SURE your unit can tell which ones are the remotely targeted, massed, Alien cyber bots?...you ARE really sure, right?”

  35. Welcome to the Cybered Conflict Age ?

  36. Questions? “And now at this point in the meeting, I ‘d like to shift the blame away from me onto someone else.”

More Related