I was inspired by the reports about Stuxnet. This is the worm that managed to disrupt the Iranian nuclear industry. Most point the finger at the security forces of Israel and the USA. The Stuxnet has been credited as the first real information warfare munition.
I have been sketching ideas for Stuxnet on and off for about a year now. I usually get bogged down in the minutiae of worms, virus, penetrations, shields, DOS etc. The other day I had an inspiration
1 - Each side has a several organisations that require protecting from information warfare attack.
2 - These organisations are generated randomly from a list or prepared from a historic (or near future) scenario.
3 - Each organisation has a computer network that could make it vulnerable to attack, but is necessary for it to work.
4 - A random method spreads certain known and unknown vulnerabilities between the organisations. Again this could be scenario based or an abstract setup, but the player will not know all of their vulnerabilities - use some face-down card method to distribute these, note, some will be hoaxes or false.
5 - Each side then selects its targets from the enemy's list of organisations. This is their secret target list. In an abstract game, a points system can be used. The enemy has to try and find out what is being attacked.
6 - The game starts.
Players spend their resources on
- patching known vulnerabilities
- finding unknown vulnerabilities
- improving security mesaures - human
- improving security measures - computer
- identifying target security measures
- developing attacks against specified computer security measures
- developing attacks against specified human security measures
- developing zero-day vulnerabilities - blue sky research
- human spying
Remember, attacking a computer network is not just about hacks and clever programming, there is a lot of old fashioned human spying.