ArchiveOODA Original

Cybersecurity, like Espionage, Is an Infinite Game

Game theory, the study of competition and conflict, tells us there are two types of games: Finite Games and Infinite Games. Knowing which one you are playing is key to making optimal decisions.

Finite games are those that have a beginning and an end. The objective of a finite game is to win. The game ends when all sides know who the winner is. Examples of finite games include most battles in a traditional war; they end when there is a decisive victory. Sporting events are examples of more peaceable finite games.

Infinite games go on forever, as if they have no beginning and no end. At any one time a player may be ahead or behind, but the game continues as long as the players play. Examples of infinite games include the dynamics of business competition. There is no finish line in business.

  • Espionage is an infinite game. A particular operation may be thwarted and agents arrested, but spies are going to spy.
  • Conflict is an infinite game. A particular battle or war may be a finite game with a winner, but the broader human conflict always continues.
  • Crime and law enforcement is an infinite game. Individual players may be taken off the field, but crime and law enforcement will never stop.

In infinite games, winning or losing is at best temporary and is more a snapshot of the current situation than anything final. Any leader currently achieving objectives in an infinite game should recognize the situation is going to change. To have hope of meeting objectives in the future, the game must continue. Counterintelligence professionals can never stop. Law Enforcement can never stop. Defenders must always defend.

Business, espionage, conflict and crime have all transitioned to cyberspace. So, clearly, cybersecurity is an infinite game. Every organization and every individual connected to the Internet is now participating in an infinite game, whether they wanted to or not.

Only that which can change can continue: this is the principle by which infinite players live.- James Carse

Understanding that cybersecurity is an infinite game should inform our all our actions in cyberspace. Here are suggested considerations for businesses, individuals and governments:

Business Considerations

  • All business leaders and decision-makers should realize the never-ending nature of cyber conflict. It is important to continuously raise defenses and work to mitigate vulnerabilities. But there will never be a silver bullet or magic piece of technology that makes all challenges go away. Adversaries will surprise.
  • Although permanent victory will never come, recognize there is a wealth of knowledge and lessons learned that can be applied in reducing risks. This includes best practices on how to design more secure systems and how to make it much harder on adversaries to accomplish their objectives. This point underscores that ongoing collaboration with other businesses and good governments is of critical importance.
  • Since surprise is highly likely, all businesses should have incident response plans and well thought out data backup procedures.
  • Some of the most important metrics in continuous cyber conflict include how fast an adversary can be detected in an enterprise and how fast they can be pushed out once detected. Track these metrics on a continuing basis. Other metrics include how long it takes a well-trained red team to accomplish objectives in an organization. Red teaming can provide insights that improve defenses against real world adversaries.
  • Like all other infinite games, insights into adversary capabilities and intentions can provide advantage. Businesses should leverage cyber threat intelligence in decision-making. And work to inform defenses using community knowledge of adversary tactics and techniques (see: MITRE ATT&CK).

Individual Considerations

  • Individuals can leverage the incredible talents of highly capable engineering teams and cybersecurity professionals by making use of cloud-based services for email and other online collaboration. By following the best practices of vendors like Apple, Microsoft, Google and Amazon, home users can store data online and on devices in ways that are very hard for adversaries to compromise.
  • Keeping all devices (laptop, desktop computer, phones, tablets) patched, and using multi-factor authentication for every online system can make it much harder on adversaries. It is also a good practice to use a high-end password manager, like Lastpass or Dashlane. Or, for people 100% in the Apple ecosystem, the Apple Keychain password manager can be used.
  • One of the best ways for individuals to stay informed on the dynamic cyber threat is to tap into the resources of the government. For example, the DHS Critical Infrastructure and Cybersecurity Agency (CISA) provides tips on recommendations via email for those that get on distribution at: https://us-cert.cisa.gov/ncas/tips

Government Considerations

  • All government policy-makers should realize cybersecurity is an infinite game. Some already do. The greatest successes in government action in cyberspace have been those that are built on a recognition of the dynamics of the never-ending cyber threat. This includes, for example, the work of operational cybersecurity and intelligence organizations in government, who have decades of experience in the true nature of the threat. However, other parts of the government are not so aware. In fact, some of the greatest failures of government policy in cybersecurity can be attributed to approaches that seem to be based on finite game solutions. This includes those policy initiatives that are treated as fixing the problem (which has happened in every administration in the digital age). There is an observed phenomenon called cyber threat amnesia, which occurs when decision-makers take action to fix a problem and then seem to think nothing will happen again. Any organization demonstrating the symptoms of cyber threat amnesia is treating cybersecurity as a finite game.
  • If this were a finite game, the issue could be addressed and the battle won with a Presidential Directive, like that of the President’s Commission on Critical Infrastructure Protection of 1998, or the Biden Administration’s Executive Order of May 2021. These are generally positive things, but contribute to many of us deluding ourselves into believing we are done.
  • Since cybersecurity is an infinite game where adversary action is continuous, defender action, even at the most senior level, must be continuous. Instead of a Presidential level directive every four years, consider continuous guidance on cyber risk mitigation on a daily battle rhythm, lasting from now until eternity.
  • The observation that cybersecurity is an infinite game has implications for policy-makers who posit that cyber incidents can be deterred. In infinite games, the rules change too much for that. Like espionage, which no open society could ever deter, cyber conflict will endure. Policies that raise the cost for attackers and slow their actions are good. So are many other actions around raising defenses. But pursuing finite solutions will prove to be folly.

Understanding the true nature of cyber conflict as an infinite game can help align decision-making in business and government and can do so in ways that reduce risk and make it harder on adversaries to achieve their objectives. Making things harder on adversaries in cyberspace should bring joy to any defender.

More On Finite and Infinite Games: James Carse introduced this concept of finite and infinite games in at book with that title in 1986. In 2019 author Simon Sinek explored this concept from a business standpoint in the book “The Infinite Game”. To explore this topic in more detail I recommend starting with Sinek’s interview of Carse at: https://simonsinek.com/discover/episode-24-the-infinite-game-with-dr-james-carse/

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: OODA Cybersecurity Sensemaking

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things?  See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

As the U.S. government parses through the Solar Winds software supply chain breach, many questions still remain as to the motive, the entities targeted, and length of time suspected nation state attackers remained intrenched unseen by the victims.  The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed. See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent Solar Winds attacks off the headlines. Keep in mind that till this point, the Solar Winds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See: Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

Bob Gourley

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes OODALoop.com and CTOvision.com. Bob is the author of the book The Cyber Threat. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.