Two professors teaching a cyberwarfare course sought to teach creative thinking. Their method? An impossible test with the idea that students must cheat – and that not getting caught cheating was what the test was actually about.
In other words, they stole the concept of Kobayashi Maru.
Why? The introduction to their paper sums it up:
“Adversaries cheat. We don’t. In academic institutions around the world, students understand that they will be expelled if they violate their college’s honor code or otherwise fail to play by the institutional rules. The dissonance between how our adversaries operate and how we teach our students puts our students at a distinct disadvantage when faced with real world adversaries who inevitably do not play by the rules. Breaking through the paradigm where students self-censor their ways of thinking to a new paradigm that cultivates an effective adversary mindset is both necessary and possible.”
The paper itself details the methods and manner each student used. And in each case the student exploited a loophole in the teacher’s rule set.
Sometimes the phrase “Red Team” or “Red Cell” is used to describe those who are designated to exploit our potential weaknesses. I prefer the term “Devil’s Advocate” – the Catholic concept of bringing evidence against canonization of a Saint. Why? Because the Devil’s Advocate can’t just say “well, what if?”. The Devil’s Advocate must make his case. He must be able to actualize his contention. Too many Red Teams just say “what if” and walk away. Their concept or challenge need not be realistic, achievable, or anything other than a wrench in the machine, and that is not creative thinking – it is disruptive, destructive, and dangerous because it does nothing but cause trouble. It does not seek to exploit or identify a loophole.
The paper’s conclusion…
“Teach yourself and your students to cheat. We’ve always been taught to color inside the lines, stick to the rules, and never, ever, cheat. In seeking cyber security, we must drop that mindset. It is difficult to defeat a creative and determined adversary who must find only a single flaw among myriad defensive measures to be successful. We must not tie our hands, and our intellects, at the same time. If we truly wish to create the best possible information security professionals, being able to think like an adversary is an essential skill. Cheating exercises provide long term remembrance, teach students how to effectively evaluate a system, and motivate them to think imaginatively. Cheating will challenge students’ assumptions about security and the trust models they envision. Some will find the process uncomfortable. That is OK and by design. For it is only by learning the thought processes of our adversaries that we can hope to unleash the creative thinking needed to build the best secure systems, become effective at red teaming and penetration testing, defend against attacks, and conduct ethical hacking activities.”
The final kicker? This was done at the US Military Academy…
As a military we prize conformity. And that conformity in the main is a good thing. But we also need people who are capable of thinking – and actualizing – “what if”. What if we loaded up our carriers with airplanes and launched from maximum range on a Sunday morning? What if we hijacked and piloted fuel-laden commercial jets into office buildings? What if we designed a computer virus geared to do one thing and one thing only? What if we use runners for messages and small speedboats to attack the carriers?
Not “What if someone took over an LNG tanker and blew it up” without describing the how, what, why, and physics behind it.
The paper is a quick read. Take a look. Then think about how you can teach your people to think creatively for the betterment of the next operation, next mission, next maintenance, next training. But make them do so in a manner that is achievable. Make them “cheat” – and not get caught.
(h/t Bruce Schneier)