Playing an Infinite Game: Tactics for Maintaining Competitive Advantage in Cyber Competition

In the ever-evolving geopolitical landscape, the relationship between the United States and its enduring adversaries is characterized by strategic rivalry. Since the 1990s, cyber operations have emerged as an additional tool for state competitors. This digital maneuvering, beyond the traditional boundaries of state conflict, is best understood as an infinite game. James P. Carse, a professor emeritus of history and literature of religion at New York University, introduced the concept of infinite games in his book Finite and Infinite Games: A Vision of Life as Play and Possibility.1 He describes an infinite game as a philosophical and theoretical concept focused on continuing play, in contrast to a finite game, which aims for a definitive end. This book was not written with foreign policy as its most probable recipient, but instead stemmed from Carse’s endless fascination with the unknowable and the meaning of human existence. However, the concept is helpful when applied to state conflict in cyberspace, particularly considering U.S. Cyber Command’s strategic shift in 2018 to Persistent Engagement—a strategy that advocates for continued contact with adversaries to maintain a competitive advantage.2 

Unfortunately for the United States, the Cyber Mission Force (CMF), which is the collective name for all cyber forces regardless of their originating armed service, operates within organizations and cultures developed for finite military operations. This creates a misalignment between the type of game being played and the type of game the organization is built to play. These military organizations and cultures have historically executed finite approaches appropriate for wartime operations in tangible domains—land, sea, and air. When charged with operating in cyberspace, they brought these finite approaches to state cyber competition, which is more akin to an infinite game. This misalignment between finite organizational approaches and an infinite game has had, and will continue to have, significant consequences for the CMF. If the CMF fails to address this misalignment of organization and culture, the United States’ relative cyber capability will diminish over time compared to its adversaries.

This paper argues that the CMF must implement organizational strategies and cultural-change initiatives to align their organizations and culture with the principles of playing an infinite game. By focusing on generating knowledge, developing technological literacy, and increasing automation in public-private partnerships, the CMF can build organizations capable of executing U.S. Cyber Command’s Persistent Engagement strategy more effectively, thereby maintaining a relative competitive advantage over adversaries indefinitely. Before exploring the recommended strategies and initiatives, it is imperative to delineate the concept of an infinite game in contrast to a finite one and its relation to state cyber competition. This paper will ground the analysis in the foundational theoretical concept, showing how it has been demonstrated over three decades in U.S.-Russia cyber competition, and will then discuss strategies to enhance the United States’ capacity to maintain relative competitive advantage. 

Infinite Competition in Cyberspace

There are at least two types of games: finite and infinite. “A finite game is played for the purpose of winning, an infinite game for the purpose of continuing the play.”3 Examples of finite games include playing a game of basketball, running in an election campaign, or fighting a conventional war. These games are characterized by players obeying a set of rules, recognizing boundaries, and striving to bring the game to an end. Importantly, at the end, players and spectators recognize winners and losers. Conversely, players in infinite games enter and exit play, have evolving boundaries, and the game has no definitive end. There are no final winners and losers. Instead, players have moments of relative competitive advantage. Examples of infinite games include geopolitical competition, business, and the pursuit of knowledge. However, these two concepts do not exist isolated from each other. Just as a conventional war can occur within decades of geopolitical competition, finite games can begin and end within an infinite one. 

Carse’s concept of the infinite game is helpful for understanding state cyber competition. To illustrate this, the analysis will examine U.S.-Russia cyber competition through the lens of the infinite game concept, highlighting the need to view cyber operations through longer time horizons. A broader perspective allows one to see how cyber operations have connected over decades and how they strive to achieve a relative competitive advantage in cyberspace. In pursuit of relative competitive advantage, Russian cyber activity has evolved from espionage to influence operations, and then to effects operations. The following stories illustrate these evolutions and exemplify the characteristics of infinite play—remaining unbound by rules and regulations and not concluding with a definitive end. Although the examples below focus on Russian operations, viewing cyber operations as an infinite game is adversary-agnostic and should be applied to other revisionist countries.

Russian cyber operations first emerged as an evolution in espionage in the late 1990s. These early operations, such as Moonlight Maze, exploited computer networks to acquire information for the Russian intelligence apparatus. Moonlight Maze tells the story of Russian-backed hackers infiltrating U.S. government organizations, including the Department of Defense, the National Aeronautics and Space Administration (NASA), and various educational institutions.4 The intent was to gain information to inform decision-making, assess the United States’ relative competitive advantage over Russia, and potentially acquire intellectual property to boost Russian programs. It took decades to fully understand the extent of this operation. Reflecting the nature of an infinite game, future research uncovered the extent of the past operation, and the conduct of Moonlight Maze did not conclude in a definitive end of U.S.-Russian cyber operations. The competition continued.

In 2016, Russia began using new tactics and operations in cyberspace to erode American competitive advantage. Hacking groups Fancy Bear (APT28) and Cozy Bear (APT29), associated with Russian intelligence services the Chief Intelligence Office (GRU) and the Federal Security Service (FSB), respectively, hacked the Democratic National Committee (DNC). The attackers stole and leaked confidential information to damage the target’s reputation, impact decision-making, and instigate disorder.5 Although this attack produced acute problems, its more pernicious impact was its contribution to a broader systemic campaign to erode the American public’s trust in U.S. political institutions. Russia’s shift from espionage, exemplified in Moonlight Maze, to influence operations echoes the evolutionary nature of an infinite game, which did not end with the DNC hack.

Russian cyber activities in 2021 provide an example of the emergence or dissolution of players. That players are not fixed, but instead enter and leave, reflects a characteristic of an infinite game. The attack on the Colonial Pipeline by the Russian cyber proxy Darkside led to the group’s dissolution. Like players in an infinite game entering and exiting based on their willingness and available resources to sustain engagement, Darkside dissolved soon after it targeted state critical infrastructure because it lost the will and resources required to stay engaged.6 Since states have more staying power due to their larger resources and willingness to compete, they do not drop out of play as quickly as non-state actors. However, cyber proxies like Darkside illustrate how actors exit the game once they fail to maintain the necessary will or resources. 

Prior to the group’s dissolution, Darkside used ransomware to extract large sums of money from its victims. The Colonial Pipeline, a major U.S. pipeline system that transports gasoline, diesel, fuel, and jet fuel across the southeastern and eastern United States, was an attractive target for Russian proxies like Darkside. Soon after the attack, Darkside suspended operations due to losing access to some of its infrastructure, including its blog, payment servers, and funds. Consequently, they lost the resources and perhaps the will to maintain their ability to operate.7  

State cyber actors, with a greater willingness and more access to resources, would have shifted to or acquired other infrastructure. Additionally, state cyber personnel are more committed to maintaining operations due to a combination of patriotic motivations and legal protection. However, if state actors were to dissolve, they would not end cyber competition. Other actors and states would rise to fill the space. This fluidity of players entering and exiting the area of competition is another indicator of cyber competition’s infinite nature.

Therefore, the CMF must orient its organizations and culture to engage in perpetual play. The following sections will present recommendations focused on shifting the organizations and cultures governing the CMF from playing a finite game to an infinite one. The recommendations propose leveraging federal research centers to generate new knowledge, utilizing generative artificial intelligence (AI) to reduce the negative impacts of staff’s poor technical literacy, and further integrating automation to improve the U.S. information-sharing coalition. These recommendations propose practical initiatives that the CMF can implement to mitigate organizational and cultural shortfalls and transition away from using a system for a finite conflict while competing in an infinite competition. 

Knowledge Generation

In finite games, players win by acquiring key knowledge that leads to the conclusion of the game. Conversely, in infinite games, players must constantly generate new knowledge because of its fleeting impact—knowledge only provides a competitive advantage for a moment. New knowledge ushers in new phases of competition, enabling players to increase their advantage or close the gap between themselves and the leaders. Consequently, all players seek to generate new knowledge. Players who stagnate and fail to innovate fall behind. In the infinite game of state cyber competition, continuously generating new tactics, ideas, and insights, and effectively executing them in the domain, enhances or sustains the organization’s competitive edge.

New knowledge is generated from the dynamic interplay between tacit and explicit knowledge. Tacit knowledge is personal, experiential, and often challenging to formalize, while explicit knowledge is easily articulated and shared through written documents like manuals and standard operating procedures. Ikujiro Nonaka, professor emeritus at Tokyo’s Hitotsubashi University, and Hirotaka Takeuchi, a professor in the Strategy Unit of Harvard Business School, argue in their seminal work, The Knowledge-Creating Company, that the interplay between these two types of knowledge is what generates innovative ideas.8 The authors’ insights were developed by researching Japanese businesses’ ability to generate new knowledge in the 1990s and produced a model to understand knowledge generation.

The SECI Model—Socialization, Externalization, Combination, and Internalization—describes the dynamic process between tacit and explicit knowledge that creates new knowledge.9 Socialization involves the exchange of tacit knowledge in interpersonal settings. Externalization refers to codifying tacit insights into explicit formats, such as guidelines or manuals. Combination is the synthesis of explicit data from various sources to create new understandings. Internalization occurs when individuals assimilate explicit knowledge through practical application.

Although knowledge management—managing how information and knowledge move within an organization—does exist within joint force doctrine, the CMF has struggled to create an environment that reflects the SECI model. This discrepancy exists because knowledge management (KM) offices are systemically understaffed, under-prioritized, and underfunded, as knowledge management is not a high priority for organizations built to play a finite game. This perspective is informed by firsthand involvement, relevant projects, and direct interactions with KM processes and personnel. This approach to knowledge management, carried over from finite organizations, undermines efforts to create an organizational environment that can effectively generate and implement new knowledge essential for infinite play. Part of the problem stems from the armed services managing and staffing the CMF. Their contributions to the problem include multiple factors stemming from the services’ history, priorities, and administrative processes. Consequently, the armed services that govern the CMF are ill-suited to support it, because the CMF requires persistent knowledge generation to play an infinite game.10 

In defense of the armed services, militaries are built to conduct war, a finite game within the infinite one of geopolitics. The military’s personnel rotation schedule is an example of the services’ organizational policy that undermines knowledge generation. Personnel move unit assignments approximately every three years. For instance, Lt. Gen. Charles “Tuna” Moore retired in 2022 after about five years at U.S. Cyber Command, where he held the position of second in command under Gen. Paul Nakasone. He was unable to remain because of longstanding personnel management policies.11 

Lt. Gen. Moore’s knowledge was difficult to acquire, and forcing him to leave due to rotational policy rather than a strategic change meant the organization could not benefit from the knowledge he gained over his tenure. His replacement, lacking Lt. Gen. Moore’s experience, may lead the organization into situations it has already faced, wasting valuable time and resources. Lt. Gen. Moore remained in his position longer than most mid-tier and junior ranks, who are transferred to new assignments after just three years. This short rotation period results in worse knowledge loss among mid-level ranks than in the senior ranks. The policy dictating the rotation and retirement of military personnel not only leads to a significant loss of tacit knowledge from the organization, but also undermines its ability to generate new knowledge.

The SECI model necessitates that tacit knowledge, acquired by personnel through years of experience, be transferred in a tacit-to-tacit exchange with younger, inexperienced members. This exchange can occur through simple verbal discussions. However, its realization is undermined both by experienced members leaving, as in the case of Lt. Gen. Moore, and by the military command culture, which discourages relaxed discussion between ranks.

Experienced members’ knowledge could be captured and codified into explicit material such as standard operating procedures and doctrine. However, the rapid rotation of personnel, without a strong knowledge management office to capture this knowledge, ensures its loss. Dedicated personnel would be required to systematically collect, organize, codify, and properly store and disseminate knowledge to the broader command. Consequently, without a robust knowledge management office to undertake this additional work, the rotation periods will continue to hinder the organization’s ability to generate innovative knowledge. 

In addition to knowledge loss from service members leaving the organization, the services’ inability to recruit and retain skilled cyber personnel further hampers the CMF from generating knowledge.12 In the event of staff shortages, the CMF will prioritize its limited resources and talent on current operations, leaving little time or personnel to ensure the organization’s knowledge moves through the SECI model.13 The concept of placing the mission above organizational development is embedded in various military doctrines and principles across the armed forces. If the CMF continues to allow acquired knowledge to dissipate when personnel depart, it will struggle to enhance its competitive advantage, risking a steady decline in its cyber capabilities relative to adversaries even though it is mission focused.

To mitigate the service branches’ inability to provide trained cyber-service members who remain for extended periods, the CMF should increase the use of research centers like Federally Funded Research and Development Centers (FFRDC) and University Applied Research Centers (UARC) to innovate and generate knowledge. This recommendation aligns with the 2023 National Defense Science and Technology Strategy, which calls for increased partnerships with research centers to enhance innovation and capitalize on development opportunities.14 

Research centers house an immense wealth of intellectual capital, chartered to support U.S. national security. Furthermore, they do not compete with private industry, allowing their interests to focus on the national mission. Research centers are ideal partners in pursuing knowledge generation because they can leverage knowledge generated across multiple government projects—insights and knowledge gained by research personnel from one project are then brought to new projects. 

However, leveraging federal research centers to generate new knowledge requires stable fiscal support. Projects with funding gaps create a volatile research environment and risk losing skilled and knowledgeable researchers, who must pivot to more stable projects to stay gainfully employed. To align knowledge generation to the infinite nature of state cyber competition, the CMF should dedicate funding to research centers to support persistent innovation instead of approaching knowledge generation and innovation finitely. 

Leveraging the knowledge and brainpower at research centers to mitigate policies intended for a finite game will require the CMF to integrate research center personnel into their organization. Integration is essential for sharing insights, developing a mutual understanding of problems, and facilitating the smooth transfer of knowledge and innovation back to the government sponsor. If research personnel are not properly integrated, the CMF will not be able to properly facilitate the information flows required to leverage the research center’s knowledge economy. Research center personnel should permeate the organization, enabling it to capture new opportunities and ensure its efforts align with organizational needs. Embedded personnel can then relay opportunities for further study to research center teams, who can provide the brain power and resources to make innovative ideas a reality. 

Although many personnel at research centers have security clearances, approaches can be taken to leverage a larger research population while continuing to safeguard classified information. For example, sanitization involves removing classified or sensitive information from a document or dataset so that it can be shared with individuals who do not have the necessary clearances or should not have access to the full details to conduct their work. This will require more resources and potentially personnel to ensure materials are sanitized and transferred, but sanitization has been used before in projects of national strategic importance. The Manhattan Project exemplifies the successful use of sanitization: it allowed roughly 130,000 people to work on parts of the project without exposing them to information that could compromise national security or sensitive methods and sources.15

An example of a UARC that could be better integrated into the CMF is the Johns Hopkins Applied Physics Lab (JHU/APL). Founded in 1942 to aid the United States during wartime, JHU/APL epitomizes the quintessential role of a UARC in providing the government with innovative solutions and new knowledge. Operating at the intersection of theoretical research and practical implementation, JHU/APL has significantly contributed to national security, space exploration, and health sciences, aligning with governmental and societal objectives. JHU/APL has developed sophisticated ballistic missile systems, cyber warfare capabilities, and informed defense policy and strategy. Its matrixed structure provides its government sponsors with a strong economy of knowledge—a system where knowledge is the primary production factor. Research centers’ economies of knowledge, developed over decades by successfully executing an organizational model reflective of SECI, are powerful resources for the CMF. JHU/APL and similar centers should play a more significant role in the CMF’s enduring knowledge generation efforts. Doing so would ensure the United States maintains a relative competitive advantage.16

Leader and Staff Technological Literacy

Maintaining a relative competitive advantage indefinitely will require the entire force, not just a small percentage, to be technically literate. Technical literacy—the ability to meaningfully observe, understand, and make decisions about technology—shapes staff’s understanding of facts and assumptions. In an infinite game, personnel who lack foundational knowledge reduce the speed at which the organization can operate and limit the organization’s ability to think creatively and critically in operational planning. However, by leveraging Large Language Models (LLMs), the command can provide non-technical staff with an on-demand assistant to help them leverage the command’s collective knowledge and mitigate the negative impact they may have on the organization’s relative competitive advantage.

Technical literacy encompasses understanding basic computer principles, software use, and technological planning. Currently, the services assign personnel to staff positions at U.S. Cyber Command as they would to any other combatant command. Consequently, many staff members lack a cyber or technical background and, as a result, face challenges in making meaningful contributions. For instance, staff in capabilities development sections without a cyber background struggle to allocate resources effectively for developing cyber capabilities and ensuring investments are pragmatic and operationally relevant. Conversely, tech-savvy staff are better equipped to support and plan cyber strategies and operations because they comprehend the domain’s technological limitations, possibilities, and challenges.

Technological literacy is essential in an infinite cyber competition because it enables adaptation, problem-solving, communication, and effective decision-making. In a domain where the terrain constantly changes—vulnerabilities are patched, and new hardware and software are introduced—staff must stay abreast of the latest tools, relevant software, and methodologies to develop creative solutions. Staying current on terrain changes, new opportunities to leverage the domain, and technical requirements is only possible when staff have a strong technical foundation. Without solid technical knowledge, staff may procure inappropriate technology, invest in misguided initiatives, and pursue unattainable capabilities—such as the absurd notion of a ‘cyber bomb.’ Mistakes arising from this lack of technical expertise generate friction within the organization, slowing processes and hindering the achievement of a competitive advantage over adversaries. Individuals lacking basic technical knowledge or skills significantly diminish the group’s overall performance.

Bruce Tuckman, a psychological scholar, researched group dynamics and developed a five-phase model for how groups form as members interact with each other: forming, storming, norming, performing, and adjourning. During the ‘storming’ stage, conflicts often arise due to differences in skills and knowledge levels.17 This stage is particularly challenging for cyber units, where a lack of technical literacy among staff members can slow the group down to accommodate new members’ knowledge gaps. The constant influx of military personnel lacking technical literacy extends the storming phase indefinitely. As members without specific cyber knowledge cycle in and out of cyber units, the group remains perpetually stuck in storming. This situation burdens more proficient members, who must compensate for those less knowledgeable, leading to frustration, fatigue, and decreased morale. Furthermore, the military rank culture deters subordinates from pointing out senior members’ shortcomings, leaving senior group members unaware of their technical deficiencies and their negative impact on cyber operational decision-making. Some sections, lacking individuals with advanced technical literacy, fail to recognize that their decisions and planning efforts undermine the larger organization’s ability to improve and compete effectively.

Traditional U.S. Army officers argue that cyber leaders need not be technical. Yet, officers who do not understand the terrain cannot assess risks or identify opportunities. They are blind to the digital domain around them. Ukraine’s move of government data to the cloud during the Russian invasion provides an example of how understanding the underlying technology informs operational and strategic decision-making. In February 2022, Ukraine migrated terabytes of critical government data, including property records, to the Amazon Web Services cloud. This defensive maneuver was aimed at thwarting Russian offensive cyber-attacks intended to wipe out government data. By dispersing data to the public cloud, which can create redundant copies more easily and disperse them geographically, Ukraine mitigated the impacts of digital and kinetic attacks targeting on-site government servers.18 Furthermore, by migrating the data to an American cloud service provider whose server farms are located outside the geographic borders of Ukraine, the country was able to leverage Amazon’s cybersecurity capabilities to protect its data. This operation necessitated an understanding of cloud technology, its functionality, and how it could operationally frustrate Russian offensive operations.

To address staff members’ lack of technical literacy, United States Cyber Command should leverage AI, specifically LLMs, to provide staff with an accessible assistant trained in the lessons and knowledge of the command. CrowdStrike’s LLM, Charlotte AI, is an example of such AI, which augments staff’s knowledge. Charlotte AI empowers individuals across the expertise spectrum, enabling custom responses. Built upon the foundation of CrowdStrike’s extensive security data, aggregated from trillions of security events, Charlotte AI offers nuanced insights and actionable recommendations, streamlining the learning and development of CrowdStrike’s personnel.19 This advancement accelerates CrowdStrike’s ability to respond to cyber threats and addresses the critical cybersecurity talent shortage, and an in-house AI for United States Cyber Command could mitigate the CMF’s similar shortfalls.

The CMF could leverage technologies like Charlotte AI by training their own generative AI on high-quality organizational knowledge. This approach would enhance the capabilities of each member of the CMF, thereby raising the overall quality and performance of all personnel. For instance, an LLM could provide a customized onboarding experience to new members, increasing the staff’s organizational, operational, and technical literacy baseline. Furthermore, an LLM could incorporate narrative-based responses by providing information in the context of past operations. 

Narrative-based learning is an effective tactic for retaining knowledge because it allows people to emotionally engage and find relatable contexts. Narratives align with the brain’s natural information-processing structure, evoke emotions, enhance memory and recall, and present information within a familiar framework.20 This familiarity makes complex concepts more understandable and memorable. Stories encourage critical thinking and reflection by presenting scenarios for analysis. Additionally, they cater to various learning styles—auditory, visual, and kinesthetic—making them versatile approaches for diverse learners.

By leveraging LLMs to deliver on-demand information and knowledge to staff in cyber units, the CMF can mitigate the negative impacts of personnel who are not technically literate. This option allows personnel to ask pertinent and specific questions, and through the delivery of narrative-based responses, non-technical personnel can effectively leverage the organization’s historical knowledge with higher retention rates. Raising the tide of staff technical literacy in the CMF can reduce self-inflicted friction caused by a lack of knowledge and increase the friction the organization can place on the adversary, enhancing the U.S. relative competitive advantage.

Information-sharing Partnerships

In an infinite game, leveraging the contributions and knowledge of allied players is essential. In cyber competition, information sharing involves exchanging operational best practices, such as defensive strategies, and tactical information, like indicators of compromise and malware hashes. The international partnerships established to counter Star Blizzard, a Russian threat group, vividly illustrate the effectiveness of partnerships. This collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the National Cyber Security Centre-New Zealand, National Security Agency, Federal Bureau of Investigation, and the Cyber National Mission Force (CNMF) provided participants detailed insights into Star Blizzard’s tactics and techniques. This enhanced awareness and preparedness, enabling them to begin making configuration changes to their networks. The shared information facilitated the implementation of more robust defenses for both government organizations and privately run critical infrastructure.21 In a game aimed at maintaining a relative advantage over adversaries, sharing information with allied players collectively elevates each other’s relative advantage and heightens the friction of adversary players. Enhancing the quality and speed of information sharing will further strengthen the United States’ competitive advantage. 

First, the U.S. must streamline the number of information-sharing touchpoints—quantity does not necessarily equate to quality. Currently, the Department of Homeland Security has initiated over thirty partnerships.22 The extensive array of government-initiated partnerships in the cybersecurity realm reflects a solid commitment to collaboration but has introduced supplementary challenges, such as resource competition and the risk of overlapping or duplicative endeavors. Senior government officials often have restricted time to dedicate to these partnerships, leading to lower-level executives stepping in. However, lacking the requisite authority or expertise to spearhead these initiatives, these representatives are unable to instigate meaningful cultural change. The considerable number of efforts has also impacted the private sector, which faces participation costs with so many disparate efforts. These costs range from a significant time commitment to opportunity loss, and in some cases, participation can lead to reputational or brand risks. Creating a solitary cybersecurity threat and vulnerability information clearinghouse, structured as a nonprofit institution, offers a potential solution to streamline partnerships. However, establishing another organization could compound issues if prior partnership initiatives remain intact. Rather than forming a new entity, endeavors should focus on harmonizing and automating information sharing through information technology. 

A notable advantage of the collaboration to counter Star Blizzard was its capacity to coordinate responses to these threats adeptly. CISA’s affiliations with civilian government sectors, private industry, and CNMF’s operational authorities guarantee a unified and effective strategy for addressing Iranian cyber activities.23 However, this was a highly targeted endeavor that relied on the relationships between key individuals. Achieving similar efficiency in information dissemination at scale necessitates automation.

Automation facilitates the standardization of information exchange and minimizes procedural obstacles. Star Blizzard represents just one campaign; the United States and its allies must establish a framework to counter the substantial rise in attacks witnessed over recent years. Automation increases the efficiency, speed, and scalability of information transfers; improves accuracy and consistency by reducing the likelihood of human error; supports filtering and customization so recipients can quickly find specific information; reduces labor costs; and provides analytical insights to inform decision-making. By automating as much of the information-sharing process as possible, the CMF can increase its positive impact and free up resources to focus on other areas that increase relative competitive advantage.

Matthew H. Fleming, a fellow with the Homeland Security Studies and Analysis Institute (HSSAI); Eric Goldstein, the current Executive Assistant Director for Cybersecurity at CISA; and John Roman, an economist and senior fellow at the University of Chicago, in their article titled “Evaluating the Impact of Cybersecurity Information Sharing on Cyber Incidents and Their Consequences,” delve into the role of information sharing within the Department of Homeland Security. While acknowledging the intuitive benefits of sharing cybersecurity information to mitigate vulnerabilities and threats, the authors highlight the dearth of empirical evidence substantiating its effectiveness. They propose a framework for empirically assessing the impact of information sharing on the frequency and severity of cyber incidents, suggesting metrics for evaluation, and discussing methodological challenges in measuring such effects.24

Conclusion

The CMF’s current organizational framework and cultural norms, rooted in finite military operations, may hinder its ability to effectively compete in the infinite game of state cyber competition. If the CMF continues to prioritize actions based on traditional military norms rather than adapting to the dynamics of cyber conflict, the United States risks losing ground to adversaries who have recognized the indefinite nature of cyber competition and decided to play accordingly. Drawing from Carse’s concept of the infinite game, this analysis advocates for practical organizational and cultural initiatives within the CMF to enhance its competitiveness in this evolving landscape. By aligning strategies and priorities with the principles of infinite play, the CMF can better position itself to thrive in the ongoing state cyber competition.

While these recommended initiatives offer practical steps toward aligning the CMF with the dynamics of an infinite game, there may still be underlying finite policies and practices that impede this alignment. Further research into these structural and cultural barriers is crucial to fully understand the obstacles that need to be addressed. By identifying and addressing these finite policies, the CMF can more effectively foster a culture and build an organizational structure that supports infinite play and achieves a competitive advantage over adversaries indefinitely.

Image: HP 1813-0091 Top Case Removed, April 14, 2023. Retrieved from: https://commons.wikimedia.org/wiki/File:HP_1813-0091_top_case_removed.jpg, used under Wikimedia Commons. 

[1] James P. Carse, Finite and Infinite Games: A Vision of Life as Play and Possibility (New York: Free Press, 2012).

[2] United States Cyber Command, “Command Vision for U.S. Cyber Command: Achieve and Maintain Cyberspace Superiority,” (Fort Meade, MD: US Cyber Command, 2018), https://nsarchive.gwu.edu/sites/default/files/documents/4421219/United-States-Cyber-Command-Achieve-and-Maintain.pdf. 

[3] Carse, Finite and Infinite Games, 3.

[4] Michael Warner, “US Cyber Command’s First Decade,” Lawfare News (blog), Lawfare, 3 December 2020, 28, https://www.lawfareblog.com/us-cyber-commands-first-decade; Kim Zetter, “New Evidence Links a 20-Year-Old Hack on the US Government to a Modern Attack Group,” Vice, 4 April 2017, https://www.vice.com/en/article/vvk83b/moonlight-maze-turla-link.

[5] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike, 5 June 2020, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/. 

[6] Mary-Ann Russon, “US Fuel Pipeline Hackers ‘Didn’t Mean to Create Problems,’” BBC, 10 May 2021, https://www.bbc.com/news/business-57050690. 

[7] Jen Easterly, “The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years | CISA,” CISA, 7 May 2023, https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years. 

[8] Ikujirō Nonaka and Hirotaka Takeuchi, The Knowledge-Creating Company: How Japanese Companies Create the Dynamics of Innovation (New York: Oxford University Press, 1995).

[9] Nonaka and Takeuchi, The Knowledge-Creating Company, chapter 3.

[10] Nonaka and Takeuchi, The Knowledge-Creating Company, chapter 3.

[11] Suzanne Smalley, “Cyber Command’s Rotation ‘problem’ Exacerbates Talent Shortage amid Growing Digital Threat,” CyberScoop, 18 August 2022, https://www.cyberscoop.com/military-rotation-norms-challenge-cyber-command/.

[12] Government Accountability Office, “Military Cyber Personnel: Opportunities Exist to Improve Service Obligation Guidance and Data Tracking,” GAO-23-105423, (Washington, DC: 2022), https://www.gao.gov/assets/gao-23-105423.pdf.

[13] US Department of Defense, Joint Publication 3-0 Joint Operations, (Washington, DC: Joint Chiefs of Staff, 2011), 1-1, https://www.moore.army.mil/mssp/security%20topics/Potential%20Adversaries/content/pdf/JP%203-0.pdf.

[14] US Department of Defense, 2023 National Defense Science & Technology Strategy (Washington, DC: Department of Defense, 2023) 2, https://media.defense.gov/2023/May/09/2003218877/-1/-1/0/NDSTS-FINAL-WEB-VERSION.PDF. 

[15] Anne McKusick (contributing Scientist) in “Voices of the Manhattan Project” interviewed by Cindy Kelly, American History Foundation, 16 April 2013, https://ahf.nuclearmuseum.org/voices/oral-histories/anne-mckusicks-interview/. 

[16] “Impact,” Johns Hopkins University Applied Physics Laboratory, accessed 20 February 2024, https://www.jhuapl.edu/work/impact.

[17] Bruce Tuckman, “Developmental Sequence in Small Groups,” Psychological Bulletin 63, no. 6 (1965): 384.

[18] Ryan White, “How the Cloud Saved Ukraine’s Data from Russian Attacks,” C4ISRNet, 22 June 2022, https://www.c4isrnet.com/2022/06/22/how-the-cloud-saved-ukraines-data-from-russian-attacks/. 

[19] Michael Sentonas, “CrowdStrike Introduces Charlotte AI, Generative AI Security Analyst – CrowdStrike,” Crowdstrike, 30 May 2023, https://www.crowdstrike.com/blog/crowdstrike-introduces-charlotte-ai-to-deliver-generative-ai-powered-cybersecurity/. 

[20] John Sweller, “Cognitive Load Theory,” in Psychology of Learning and Motivation, vol. 55 (Academic Press, 2011): 37-76.

[21] Cybersecurity and Infrastructure Security Agency, “CISA and International Partners Release Advisory on Russia-Based Threat Actor Group, Star Blizzard | CISA,” CISA, 7 December 2023, https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-partners-release-advisory-russia-based-threat-actor-group-star-blizzard. 

[22] Melissa Hathaway, “Why Successful Partnerships Are Critical for Promoting Cybersecurity | Belfer Center for Science and International Affairs,” Belfer Center, 7 May 2010, https://www.belfercenter.org/publication/why-successful-partnerships-are-critical-promoting-cybersecurity. 

[23] Cybersecurity and Infrastructure Security Agency, “CISA, Cyber National Mission Force Leaders Share How They Partner: First-Ever Ops Revealed to Industry,” CISA, 25 April 2023, https://www.cisa.gov/news-events/news/cisa-cyber-national-mission-force-leaders-share-how-they-partner-first-ever-ops-revealed-industry. 

[24] Matthew H. Fleming, Eric Goldstein, and John K Roman, “Evaluating the Impact of Cybersecurity Information Sharing on Cyber Incidents and Their Consequences,” Available at SSRN 2418357 (2014), https://doi.org/10.2139/ssrn.2418357. 
