Digital attacks are on the rise globally. These attacks threaten the continuity and effectiveness of democratic actors’ daily operations and, on a larger scale, threaten to undermine the public’s trust in the democratic systems in which these actors operate. To put it plainly, digital insecurity is becoming an existential threat to democratic actors and democracy itself. Despite the significant nature of the threat, it’s often not until after a cyberattack occurs that parliaments, political parties, civil society organizations, and other democratic actors make the necessary human, financial and technical security investments. Our goal: inspire democratic actors to make such investments in digital security before a crisis occurs.
To more effectively build democratic actors’ awareness of the critical importance of digital security - and, in doing so, help to spur this much-needed security investment - NDI has developed a series of experiential learning resources. Why develop something new? While traditional digital security training methods and resources still have an important place in developing skills and helping to operationalize best practices, they often have limited success with the critical initial step of helping partners feel the potential impacts of insecurity. We need tools designed to help democratic actors experience, within the safety of fictional (but realistic) environments, the significant impacts of a successful cyberattack.
NDI’s first experiential digital security resource, CyberSim, is an in-person tabletop exercise designed to mimic the security challenges faced by democratic actors. The Institute is actively developing versions of the game to cover scenarios for parliaments, government institutions, and civil society organizations, but the initial version of CyberSim is set in the context of a political campaign. During the game, participants take on different roles within the campaign, working together to win an election while responding to security threats as they arise. For example, participants may need to scramble to bring the campaign’s website back up from a DDOS attack if they fail to set up appropriate mitigations, or they may need to spend precious campaign funds on new computers if they fail to keep their devices physically secure from theft.
Based upon recent pilots of CyberSim with civic partners in Malaysia and members of the digital rights community at the Global Gathering conference in Portugal, NDI has found the game to be just as engaging as we had hoped. Matt Stempeck, curator of the Civic Tech Field Guide and one of the CyberSim participants during the Global Gathering conference, noted that “playing CyberSim was so much fun…absolutely everyone was super engaged.” He added that he was “particularly impressed that even in short simulation, common problems arose…and common identity, too - our field team came up with such a great campaign slogan for our rallies that I ended up chanting atop a chair!”
In addition to being fun, participants have come away from the CyberSim experience with a deeper appreciation for the importance of investing in digital security. A participant at a workshop with civic groups in Malaysia reflected that “the interactive nature of [CyberSim] allowed us to immerse ourselves in real-life cybersecurity scenarios, promoting a deeper understanding of the concepts and strategies needed in such situations.” With this participant and his colleagues, we played through CyberSim and then followed it with more traditional digital security training. Hearing participants themselves directly refer to events from the game highlight the importance of a given training topic was perhaps the most powerful evidence of CyberSim having its intended impact.
While in-person games are great, the past few years have also taught us all that sometimes virtual engagement can be the better (or only) option. To ensure that the benefits of experiential digital security learning are as widely accessible as possible, the DemTech team has also created two virtual versions of CyberSim. The first, which closely mirrors the in-person game and was developed in coordination with game design experts at the Copia Institute, is built for a group to play synchronously via Discord. DemTech has also created a single-player, choose-your-own-adventure version of CyberSim titled Alissa for North Olania. In this game, the player takes on the role of a campaign manager, responding to digital threats and deciding how to allocate limited resources best.
While not a complete replacement for traditional training, experiential learning holds great potential for building democracy actors’ cyber resilience and, in doing so, helping to strengthen democracy itself. As summarized by a CSO in Malaysia, “Our team unequivocally believes in the potential of utilizing games as a medium to teach cybersecurity, given its ability to create a dynamic and engaging learning environment.”
Authors: Evan Summers, Senior Program Manager on the Democracy and Technology team and Vanessa Revilla, Program Associate on the Democracy and Technology team
NDI is a non-profit, non-partisan, non-governmental organization that works in partnership around the world to strengthen and safeguard democratic institutions, processes, norms and values to secure a better quality of life for all. NDI envisions a world where democracy and freedom prevail, with dignity for all.