Sun Tzu might approve.
As every general and C-suite pseudo-warrior knows, the ancient Chinese military theorist advised that every battle is won before it is ever fought — a saying that highlights the importance of preparation prior to any fight. The recent news that Goldman Sachs is the first financial institution (FI) to sign up with U.K.-based Immersive Labs for its cyber security war games demonstrates the enduring appeal of that adage.
Businesses have long played war games (certain veterans might take issue with the use of “war” to describe issues related to profit and loss, but capitalist society long ago embraced the idea that “business is war”). Those games might revolve around the question of whether to raise prices by a certain percentage, for instance, or seek to anticipate the effects of a competitor breaking into the market. The games might be analog or digital, and take the form of a series of meetings or a corporate retreat.
In addition, organizations — those with a long view, at least — have long done cyberthreat assessments, a process centered around checking anti-hacking technology and the credibility of cyberattack response plans.
However, what Goldman Sachs is doing represents a different level of preparedness for hacking attacks, data breaches and similar digital threats — though one that carries its own risks.
Immersive Labs, the company hired by Goldman Sachs, created a cyber war game tool just four hours after the WannaCry malware attack became public. That tool enabled users to analyze how the ransomware behaved so they could create prevention antidotes. The general idea — the one that comes straight from Sun Tzu — is to get employees ready for the various facets of response to a cyberattack, actions that can not only include counterattacks against the invading technology, but communications among company officials and to customers.
“Another benefit of cyber war games: They may prevent participants from getting mired in minutiae and organizational politics,” said Deloitte in a column from The Wall Street Journal, which still holds true today.
Goldman will let its 8,000 technology employees access the Immersive platform and test their skills against company colleagues. The competitive aspect likely will appeal to the types of hyper-ambitious people who tend to work at such high-powered firms as Goldman Sachs, at least according to Immersive Labs’ CEO James Hadley. Speaking of other clients who use the tool, Hadley told Financial Times that “a lot of our heavy users use the platform on Friday and Saturday night so they want to be top of the leaderboards on Monday morning.”
Of course, the use of cyber war games extends beyond Goldman Sachs and the financial industry.
Last August, for instance, Boeing conducted what it called the “inaugural Defense Industry Cyber War Game,” with the purpose of helping to “position companies against cyberattacks and practice preparedness,” according to a statement from the company. Other companies that took part in the exercise included BAE Systems, Lockheed Martin, Northrop Grumman and Raytheon, “all of whom are members of the U.S. Defense Industrial Base,” Boeing said.
The exercise, which was the first of its kind, provided an opportunity to examine and address a large number of different cyberattack methods that can occur simultaneously and, if left unchecked, accelerate out of control. The exercise, described by Boeing, seemed more like chess than to checkers.
The exercise “challenged conventional lines of authority, as the adversary leveraged four different attack vectors, crossed organizational hierarchies, and incorporated simultaneous events, actions and requests,” the company said. “This operational cadence encouraged proactive communication as the best method to spread awareness of the threat and how to combat against it.”
When it comes to real war, not the boardroom imitation of it, successful games can lead to significant battlefield success. Take the Louisiana Maneuvers, a series of U.S. Army exercises conducted before the Pearl Harbor attack — its lessons, according to military historians, led to tactics and policies that helped the Allies win later success against German forces.
Then again, war games — or plans based on them — can lead to something akin to defeat. The locked-in thinking of European military leaders in the summer of 1914 — the alliances, rail transport schedules, set-in-stone countermoves — arguably helped turn World War I into the unexpected slaughter it quickly became.
Can businesses learn something from that? Probably, at least according to a McKinsey & Company report that dates to 2012, but whose wisdom might have found approval from Sun Tzu.
“An ill-thought-out response can be far more damaging than the attack itself,” the report said. “Whether customers cancel their accounts in the wake of a successful cyberattack depends as much on the quality of a company’s communications as on the gravity of the breach. How much value is destroyed by the loss of sensitive business plans depends on the ability to adjust tactics quickly.”
That passage stands not only as a call for constant preparedness, to strive to win the battle before it is fought, but as a warning against rigid thinking, which holds especially true in an era when criminals operating in the digital world can adjust their moves with amazing speed.