The Trust Paradox
Cybersecurity Lessons from Social Deduction Board Games
When it comes to cybersecurity, trust is a precarious tool. It serves as the foundation for secure systems, yet it can also be the very weapon that malicious actors wield. This duality of trust is not unique to cybersecurity; it's a recurring motif in popular social deduction board games like Secret Hitler, Blood on the Clocktower, and The Resistance. In these games, virtuous players must collaborate to discern who is trustworthy and who might harbour hidden agendas.
Trust is essential for the smooth operation of any organisation. Employees, customers and partners must trust that their interactions and transactions are secure. Employees must trust that their colleagues have good intentions, that software is written following the latest security best practices, and that colleagues with the most access can be trusted to use it correctly. As Voltaire (and Spider-Man's Uncle Ben) once said, "With great power comes great responsibility".
Like games such as Mafia and Blood on the Clocktower, where players must establish trust to identify the villains, organisations must continuously assess and verify the trustworthiness of their users and systems. It is common for malevolent actors to masquerade as trustworthy for extended periods of time before eventually exploiting the trust they have cultivated for their own nefarious gains.
In March 2024, a supply-chain attack was discovered in a popular open-source compression tool called XZ. A supply-chain attack is where a bad actor attempts to compromise a piece of widely used software, in the hope that their malicious changes will be adopted up-stream by multiple larger targets. The most public example of this was the compromise of a piece of software called "SolarWinds" which was used by multiple government agencies and cloud data centers such as Microsoft’s Azure. The compromise of this utility software, eventually led to the perpetrators breaching much larger, higher value targets.
The XZ supply-chain attack started with the insertion of a malicious backdoor in the project's GitHub repository. The intention was for this backdoor to eventually be merged into the widely popular open-source SSH library "OpenSSH". The backdoor was inserted by a GitHub user named JiaT75, who had built up trust in the community over many years and was eventually granted permission to become a maintainer of the XZ library. The "nefarious gains" in this context refer to the potential for the attacker to gain unauthorised access to systems, steal sensitive data, or disrupt operations.
Just like in Blood on the Clocktower, where the main evil character (the Demon) has minions to help them do their bidding, it appears JiaT75 had a fellow bad actor helping them. A person named Jigar Kumar pressured the existing maintainer of the XZ project into giving JiaT75 permission to merge their commits into the main branch. Jigar Kumar's role in this incident was to vouch for JiaT75's trustworthiness, thereby manipulating the trust of the maintainer. Because JiaT75 had built up trust over many years, positively contributing to the project, this request for additional access, on the face of it, seemed harmless.
In the game Secret Hitler, the populace elects a president and chancellor to aid them in implementing liberal or fascist policies. It can often be beneficial to the player secretly playing as Hitler to be seen as a liberal, helping to implement a few liberal policies, in the beginning, to build up trust. This trust can be betrayed by gaining enough votes to become chancellor, a win condition for the fascist team. This is the exact tactic employed by JiaT75, where they appeared to be virtuous for multiple years, before revealing their true intentions at a later stage.
Effective threat detection and mitigation is important for maintaining organisational security. This involves monitoring systems for unusual behaviour, employing anomaly detection tools such as intrusion detection systems (IDS) and security information and event management (SIEM) systems, and conducting regular security audits. In Blood on the Clocktower, players must collaborate to identify the Demon among them by analysing behaviour and sharing information. Similarly, cybersecurity professionals must work together to uncover and respond to threats in real-time using data and behavioural analysis.
Often, in these games, all it takes for evil to prevail is for the virtuous players to remain silent or inactive. Sharing information is pivotal both in these games and in organisations. Only through collaboration, sharing information, and feeling empowered to voice concerns when something seems amiss can the virtuous triumph. In these games players will generally speak freely, but that is not always the case in organisations. Cultivating a culture where it is safe to speak up, even about someone more senior in the organisation, is crucial and necessary when it comes to cybersecurity.
Games like Secret Hitler, Mafia, and Blood on the Clocktower highlight the importance of vigilance, communication, and verification in maintaining security. Organisations can learn from these games by fostering a culture of security awareness, encouraging open communication about potential threats, and implementing multi-layered security measures. Verification in this context refers to the process of confirming the trustworthiness of users, systems, and data, and ensuring that trust is not blindly granted but continuously validated.
In cybersecurity, the balance of trust and vigilance is critical. By understanding the strategies of deception and manipulation used in social deduction games, which can include tactics such as misdirection, false information, and manipulation of trust, organisations can better prepare themselves against similar tactics employed by cyber attackers. It is essential that organisations trust (but verify), collaborate, and educate the workforce to stay one step ahead of potential threats.