What's involved in cyber war games?
There are good lessons to learn from failure - especially when it comes to testing your digital defences.
Most large companies regularly subject themselves and their IT staff to exercises designed to expose their weaknesses. Indeed, some aspects of everyday business depend on them being able to show they are prepared for the day when the "bad guys" come knocking. Which is pretty much every day.
Generally these exercises are what are known as "penetration tests", and they are conducted by outside companies which know the many ways computer technology can be compromised or people can be tricked into handing over information that can be used to get at corporate networks.
They are supposed to mimic the techniques of the attackers, and the idea is to expose failings that can then be fixed - and to demonstrate to staff how careful they need to be. Experts say that pretty much every firm undergoing penetration tests fails, but that is kind of the point of them.
War games are a step up from these tests because staff inside a firm are taking a more active role. They know they are going to come under attack and have to show how they would respond to whatever is thrown at them. Penetration tests target computers and war games test the people.
"In a war game you are testing peoples' ability to deal with stress and pressure," said Stephanie Daman, chief executive of the UK's Cyber Security Challenge - a government and industry backed-competition that seeks people with the the skills needed to help the UK beat back cyber criminals, hacktivists and terrorists.
Waking shark
The Cyber Security Challenge is about to embark on a series of war games for some of its entrants which will involve them working in teams to handle a variety of different attack scenarios. Previous simulations run by the challenge ranged from high-profile, publicly announced attacks by hacktivist groups through to much more low-key campaigns involving sophisticated malware and "social engineering" such as phishing.
And it is not just companies that engage in these simulated cyber security exercises.
In the UK the Bank of England ran its paper-based war game exercise called "Waking Shark 2" that got bank staff reacting to a series of different problems such as ATM networks failing or phone systems breaking down, to see how response teams fared.
Also, the Western military alliance Nato regularly runs war games for the various cyber defence units in the armed forces of its members.
Fictitious kidnapping
In November 2014, Nato carried out one of the largest ever cyber war games in its history that involved almost 700 soldiers and civilians from 28 separate nations. Over the space of the three-day exercise a cadre of 100 cyber attackers in a Nato command centre in Estonia hit defending teams around Europe with a series of simulated attacks.
These attacks ranged from booby-trapped apps sent to defenders' Android phones, through compromises of computer equipment at firms supplying military materiel, to the penetration of networks run by the armed forces.
One attack involved the fictitious kidnapping of the family of a senior Nato official, who was then blackmailed into stealing large amounts of classified data that was handed over to the attackers.
Major threat
The best scenarios, said Ms Daman from the Cyber Security Challenge, were those that resembled real attacks that a company or other organisation might actually suffer.
"You cannot prepare adequate protections against these threats unless you understand their true nature," she said. "And to do that you have to be in the attack situation."
Sometimes war games simulate big attacks that seek to take a company down but others are more subtle and harder to spot.
"Attacks take many forms," said Ms Daman. "Sometimes something that seems very innocuous can build up into a major threat."
How the team handles it, or fails to handle it, is the important part. It's only by going through the war game that security staff can build up the experience to deal with attacks that happen for real, said Ms Daman.
"You are very much testing resilience and readiness," said Ms Daman, adding that in a lot of the scenarios there is no right way to respond. Learning comes through trying and failing.
She said: "You want to find out what works well, what works badly and what you can put in place to make it work better next time."