Shostack + Friends Blog


Adversarial Thinking and Wargames

Thinking about adversarial thinking cadets at a high tech military academy

At a recent private event, I had the pleasure of meeting a professor from a military academy, and we had a brief conversation about how they teach adversarial thinking. They said something like “its at the core of what we teach.”

Regular readers know my dislike of demands to “Think like an attacker”, and that extends to both reliance on “adversarial thinking” and worrying about specific attackers. But I’ve been thinking a lot about the conversation and what we might learn about adversarial thinking.

First, I think that it would be silly, naive or arrogant for me to declare that the military academies don’t understand their own pedagogy. So, what are they teaching and how does that relate to cybersecurity adversarial thinking? How do they teach it?

To help me understand, I read Martin van Creveld’s Wargames, in which he discusses the use of wargames as a teaching tool. He also discusses how war differs from things like gladiatorial combat or dueling. In those, there is less opportunity for surprise, mis-direction, or selecting terrain. You know where your opponent is, and when you’ll fight. You have little opportunity to bring superior force to bear on an unprepared enemy. War also differs in that physical factors like fatigue, weather, and bad food impact combatants, as does physical risk. Those are hard to simulate in either a board or computerized wargame.

Those sorts of wargames allow participants to focus on learning strategy, and even adversarial thinking. You have resources X and Y, and you can deploy them in various ways to fight your enemies. Your enemy will be doing the same, and you need to learn to think “adversarially” to anticipate how they may behave, and organize your activity to beat them as they try the same. This is similar to business strategy asking what advantages do we have, and how can we maximize them?

In commercial cybersecurity, we have a somewhat different problem. Companies do not have forces that we can bring to bear to break the enemy’s will or ability to fight. They are not continuing politics by other means. We are convincing customers to give us their money, time, attention or personal data. The goal of a cybersecurity team is to allow their employer to meet those business goals. (I’ll ignore the idea of hacking back, because of the hard to surmount legal and business challenges, and note that governments have diferent priorities.)

We can think about how companies educate their employees or even teach them specific skills, and I'll note that cybersecurity ranges, where staff can practice with specific technologies, have an interesting relationship to wargames, where both tend to eliminate the physical factors like fatigue and the stress of the CEO calling every 30 minutes for updates. Tabletops do something similar for executives; neither really touches on adversarial thinking as a learning goal.

Those differences aside, we can ask how they teach adversarial thinking. It’s first worth noting that people who apply to the military academies first self-select and then are selected for those who focus on conflict. Those who are admitted and succeed are taught over several years to view the world in terms of fights and winning those fights. They learn this through the framing that their teachers use, and through leaning experiences including war games and maneuvers. (There are infinite other frames we can use. Examples include an engineering frame of “will the bridge bear weight?” a business frame of “how can we best serve customers?”)

And so we can distinguish between adversarial thinking for the military and adversarial thinking for cybersecurity on at least three grounds. First is the situation in which they find themselves, second is the amount of time they spend learning to think adversarially, and third is the people who learn that.

Midjourney: “cadets at a high tech military academy, standing around a table with a map and miniatures. The are actively learning to think about strategy and defeating an opponent. The scene is sunny, brightly lit, outdoors in a field”