Strategy for the wicked game of cyber

What is a minister for cybersecurity to do?  It’s a tough gig: cyber—the malware, vulnerabilities, exploitations, corruptions that exists within modern digital and data systems, and their consequences—isn’t very good staying in its lane.

Cyber is a miasma, reminiscent of the London smog of the 1950s or the gases of the trenches, seeping into all other aspects of government business and enervating activity. Its passage is invisible, through the ductwork and transmissions of technological systems. It can mug the unwary, and claims over behaviours, and assets, can make colleagues and the public nervous and suspicious.

That makes the task of any minister for cybersecurity unenviable, as fall guy for inevitable failure, and potentially unbounded, a dangerous prospect for both the minister and society.  This piece considers the nature of cyber and how to better respond, strategically, to its peculiar structure and behaviours.

The structural nature of cyber

Every minister has to manage the wickedness of public policy; if a problem is tractable, tame, and easy to solve, then it probably shouldn’t be on a minister’s desk.  Amongst other things, public policy problems are hard to define, lack stopping rules, are good or bad rather than true or false, cannot be tested, have no definitive solution set, are often symptoms of other problems, and how they are described changes the nature of the problem. 

Much clearly pertains to cyber.  But the structure of cyber exacerbates some characteristics and bedevils others. Cyber is a function of modern digital systems, and those are driven by recursion and interconnection. 

Recursion, a powerful programming technique, enables problem solving through breaking down the problem into smaller sub-components, which can then be then reapplied again and again.  And it can apply, regardless of scale—it is fractal in nature.

That has enabled exponential growth in hardware—the increasing sophistication and miniaturisation of the semi-conductor-chips—and in programming and data structures.  It contributes to the constant change in digital systems, and the fast, contagious spread of ideas and useful data as easily as it does malware and misinformation.

The continuous interlinking of exchanges, communication cables, networks, applications, platforms, and data that started with the telegraph system in the 1800s has generated a dense bricolage of connectivity. Its continued growth is staggering: last year, McKinsey estimated that cross-border data flows increased at ‘a 45 percent annual rate, growing from about 45 to 1,500 terabits per second’.

Recursiveness and interconnectedness mean that the data and digital systems underpinning our society and economy—including malware and vulnerabilities—lie outside the ken, let alone control, of any one minister. That makes it hard to apply Rittel and Weber’s injunction to ‘try to settle the problem on as high a level as possible’.

But we can draw some conclusions.

First, cyber is not a bug but a feature of the digital and data systems that form the modern world. That means trying to eliminate cyber, without destroying the underlying digital infrastructure or autocratically controlling people, is a lost cause.

Second, the infinite combinatorial space of interaction and opportunity comprising the cyber environment is neither flat nor homogenous; there are specific points of interest, known defensible assets and the means to mitigate vulnerabilities. There is some structure, for example, due to physical networks (submarine cable landfall sites, data centres), influence (such as key decision-makers), trust (certification authorities) or reach (developers of popular software). 

Third, through its very nature, cyberspace is micro-vulnerable—there are an infinite number of opportunities for failure or exploitation—but macro-resilient—it shifts, changes, replicates, disseminates, adapts.  Rules and boundaries, even definitions, constantly shift and change. 

The scope, scale and constant shifting and change of cyber take it outside the realm of the finite.  Cyber is not like cricket, chess or go—or, for that matter, elections—‘games’ with defined rules or boundaries, and agreed winners and losers.  It is, in James P Carse‘s terms, an infinite game.

Infinite games are fundamentally different from finite games.  Not only are the boundaries continually contested to pursue the continuation of play, but players have a different mindset.  Infinite game players expect surprises and to be transformed by them; they will actively look for opportunities to do something new. 

In contrast, finite games have clear winners, agreed by the participants, and so losers. Finite players fear any kind of disruption and so seek to control the game. Those efforts invariably entail deceptions, ‘feints, distractions, falsifications, misdirections, and mystifications’.  Simon Sinek argues that when a player tries to apply finite behaviour to an infinite game ‘all kinds of problems, the most common of which include the decline of trust, cooperation and innovation’ emerge.

Strategic play

All of which makes the task of a minister for cybersecurity near impossible—look for wins and solve problems, and in doing so, fail.  But the very nature of cyber, and of infinite games, suggest an alternate, strategic approach.

First, ‘resilience’—an infinite concept—is a much better framing for responding to or working within the constraints of cyber. 

But there are caveats.  Resilience does not inherently imply stability, but the embrace of opportunity and change. That does not come cheap.

Resilience—or better still, anti-fragility—is strengthened through practice and exposure.  Over eight years of continual attack left Ukraine much better prepared to resist attacks associated with the Russian invasion.

Further, resilience is a state of being; by itself it is insufficient.  In an infinite game, players are not defined by boundaries, which constrain, but by aspirations, their horizons. 

So, second, establish a ‘just cause’, a vision of a future state that is so appealing that people are willing to make sacrifices to advance towards that vision. 

Too often, in cyber, people are told what not to do—and the legal constraints and penalties that apply.  That’s a finite approach.  If government is to harness the good will, capacity, and capability of the community it needs to identify and support aspiration. 

Such is the appeal of universal suffrage and the genius of the phrase ‘life, liberty, and the pursuit of happiness’; it also evident in the harnessing of the tech sector, community and hobbyists in Ukraine in support of independence.

Third, continual learning.  An aspirational outlook also prepares for surprise as opposed to preparing against surprise.  That argues for empathising education over training.  Training is useful in that it helps build skills and habits, but it also presumes certainty and closure, whereas education, as Carse argues, is open to future possibility and discovery. 

Learning needs to be applied in tight loops—as with Ukraine adapting and developing greater resilience under sustained attack—and sustained over lifetimes.  The government needs to consider how to actively support lifelong learning—a one-off course or degree program is hardly likely to meet the human, economic, or technological needs of a continually shifting, complex cyber environment over decades. 

Fourth, recompense.  Failures will occur, people will be hurt.  Especially in a democracy, government has a responsibility to enable people agency, and to provide restitution and a means of re-establishment.

Where control, exclusion and blame are favoured, risk is typically transferred to those least able to bear the cost of mitigation and consequence. Trust, innovation, and ability to adapt is undermined. 

Recompense and enabling people to rebuild—financially where needed, more usefully through assistance and expertise—helps resilience and re-affirms a positive aspiration in engaging with cyber.

Conclusion

Structurally, cyber is ill-defined, amorphous, and changeable. Framing it as a wicked problem helps, but it is by nature an infinite game, one in which rules and boundaries continually change.  Responding in finite terms is assured of failure.  Shifting from a finite to an infinite mindset on cyber will not be easy, especially when decision-making frameworks are entrenched in finite mindsets.  Emphasising resilience, developing a just cause, backing that up through continual learning and ensuring recompense help underpin an infinite approach.