Tabletop RPGs evolved from wargames, which has somewhat stunted their growth with regards to most conflicts which don’t involve killing things. As board games show us, though, we can easily develop satisfying mechanics for a whole range of things other than combat. For the Cyberpunk Chimera, we’re envisioning a world that, while potentially violent and dystopic, doesn’t center around monsters or a national enemy or anything else that assumes that the majority of problems can be solved by killing.
The difficulty in developing these mechanics compared to the difficulty of developing combat mechanics is simply that we’re starting with a clean sheet. The last article showed how we can extrapolate both existing Cyberpunk 2020 mechanics and some design assumptions regarding the nature of combat and come up with a workable framework. When looking at other conflicts, like social conflicts and computer hacking, we don’t have that luxury. You may say “wait, Cyberpunk 2020 did have a hacking system”, and you’d be right, but I don’t want to derive anything from it, both because the rules don’t work very well and because 2020’s assumptions about computing are, to put it lightly, completely wrong. While Cyberpunk Red has revised these mechanics to make them more playable, they’re still more detached from reality than what I would prefer to design.
So we’re starting from zero. In order to make mechanics satisfying, they must feel as robust as the combat mechanics, as well as have similar stakes. Hacking is a subsystem which accomplishes this fairly well (one reason it shows up in so many present-day and sci-fi games), so we’ll focus on designing something which reflects reality but can still be fun. Social conflicts are going to get some meat around how characters get what they want and how they interact with others, but also around what happens when people and organizations want something from a character, including the desire for that character to not be alive anymore.
Putting it bluntly, hacking in most games, tabletop, digital, or otherwise, is a roundup of terrible depictions. There are exceptions, like Cryptomancer on the tabletop side, but generally speaking hacking mechanics are either reductive or flat-out wrong. Cyberpunk’s use of the “the digital world as physical world” trope that we got stuck with in the 80s puts it in the latter category, so we need to dump it completely. The fact that the mechanics didn’t even work well further emphasizes this. I’m going to start from a real-world framework to develop new hacking mechanics: the Cyber Kill Chain. The Cyber Kill Chain is an adaptation of a military framework for describing attacks, typically used defensively to identify places to “break the chain” and stop an attack from happening. It also happens to describe the attack process concisely, and we can build around that. The seven step version of the Cyber Kill Chain I’ll use comes from Lockheed Martin, so we’re at least starting from a place of cybersecurity reality.
- Reconnaissance: The attacker gathers the information they need to carry out an attack.
- Weaponization: The attacker chooses and acquires or creates their mode of attack (“weapon”)
- Delivery: The weapon is delivered to the target
- Exploitation: The weapon makes use of a vulnerability in order to run on the system
- Installation: The weapon successfully compromises the system
- Command and Control: The attacker is granted access privileges to the compromised system
- Action on Objective: The attacker uses their access privileges to accomplish their goals
Games tend to do step 7 pretty well, sometimes step 6. Step 2 can be decent, that’s where all the ICE stuff comes in and program vs. program nonsense. Steps 3, 4, and 5 are completely overlooked, and that’s where anything in hacking that could be called interesting really happens.
One thing hacking mechanics in many games, Cyberpunk 2020 included, get right is the consideration that you are hacking into a network or system, not just into a computer. However, the representation of a computer system as another dungeon of connected nodes isn’t quite right. Computer systems are designed to be usable, and as such there’s rarely anything more complicated, security-wise, than a set of concentric circles.
Imagine the computer system for a research firm. The outermost ring of their system is their public-facing website. Now, not all companies will have a website linked to their computer network, but a research firm, like software-as-a-service companies and some others, must have their website double as a log-in point for their clients. The next ring in is the client facing portal, where paying customers access whatever reports, data, or other product they have. The next ring in is usually a production environment, the part of the system where employees of the company upload, stage, and publish new material. The final ring is the actual company intranet.
Where the concentric circle analogy somewhat falls apart is in points of access. The outermost rings are likely to be *more* hardened against exploit and intrusion because they’re so easily accessible. Security tends to fail on the innermost rings because the only real hardening is giving access rights to fewer people. There are exceptions, like air-gapped systems, but the reality is that your company makes you do a cybersecurity training every year because one person messing up will generally expose their entire system and there isn’t much that can be done about it after the fact other than try to contain the damage.
So how do we make ‘real hacking’ fun? You know, lying to people over the phone to get their passwords, surreptitiously leaving infected USB drives in public places, exploiting and skimming public wi-fi, those sorts of things. Well, according the Cyber Kill Chain above, you need a point of delivery, and you need an exploit. Most systems are robust enough that there are no public-facing delivery points, you’re going to need to get to someone’s computer. Once you have access, you need to know if, with the exploit you have, you can do what you need to do. This is partially a function of whose computer you got access to and partially a function of how strong the exploit is. For the sake of simplicity, we can envision three basic levels of access: client access (controlled access to customer areas), intranet access (access to the backend network an organization does business on), and privileged access (access to restricted systems like customer databases, SCADA systems, security systems, and so on). This can be extrapolated to fit many different scenarios: I talked about a pretty white-bread corporation above, but you can envision a coffee shop with just client access (their public wi-fi) and privileged access (their point-of-sale system).
Each part of a network is going to have a vector of access and difficulty of access. A company intranet could be accessed through an employee’s computer or through a VPN, while that coffee shop wi-fi could be accessed just by signing on. The difficulty of access has more to do with what you might consider ‘actual hacking’. Wireless routers are not very secure out of the box; installing a man-in-the-middle exploit on a coffee shop wifi network is something that I could learn to do in a weekend. VPNs are quite secure, most companies which allow their employees to work remotely do so with a VPN which is both well-encrypted and driven by device-based whitelisting, meaning that it’s significantly easier to just get into an employee’s computer than try to attack the VPN directly. That said, if a large VPN provider like RSA had a zero-day exploit at some point…you could run an entire adventure around it.
So each system has points of access, with difficulties of attack. Social engineering will be easier than software-driven exploits, but software alone can get you places. Now we go down to the bottom of the Cyber Kill Chain, specifically Command and Control. This is where the hacker long game comes in. You can envision the classic Cyberpunk paradigm of being told to go steal a certain piece of data, but in reality hackers only have a very broad idea of what they want (or where it is) when they attempt to access a secured computer system. A smash and grab will light up all sorts of alarm bells in any company’s IT department, and you need to be very careful to keep the door open, so to speak. Each exploit, depending on how good it is and how often the hacker uses it, will have a chance of being discovered. In the ‘mission’ paradigm this doesn’t matter much, but one could easily envision a hacker character keeping a set of exploits around, pulling data from them and trying to keep them hidden. These could even be salable.
Hacking in this system won’t look like runs against mainframes any more, it’ll look like smaller exploits against neglected devices, social engineering and password farming, and privilege escalation attacks from the IoT devices and personal devices compromised in those steps. The mechanics will still have conflict aspects but also have a crafting aspect, finding and building exploits to get into specific networks and types of systems. But because social engineering will continue to be crucial, hacking, interestingly enough, ties into social conflict mechanics quite nicely.
Social interaction in RPGs is classically done ‘at the table’, because there’s a logical fallacy present where game designers assume that talking is less of a skill than swinging a sword, and more importantly a skill that players already have. If RPG Twitter can actually teach us anything, it’s that neither game designers nor game players typically have any skills in convincing people to do what they want. As much as role-play is an important part of the game (duh), players should no more have to do actual convincing at the table than actual sword fighting.
So what are we mechanizing? Well, the negotiation and convincing parts get put into skills, yes, but socialization is also a skill. The important consideration here is which aspects of social interaction have a game impact, and which aspects can safely be left to table talk.
As far as a game is concerned, there’s two reasons to interact with other people: either to get something you want from them, or for the sake of socialization. Socializing for the sake of socializing isn’t necessarily covered in games much (read: at all), but if we’re going to be putting in organization rules later, it’s something to consider. Not necessarily in-depth mechanics, but something of consequence that happens if a character spends time seeking out other people…maybe a player-facing NPC generation mechanic.
Getting other characters to do what your character wants is more of the time-honored social mechanic that we’re used to seeing. In essence, any interaction focused on getting something you want involves giving something to the other person that they want in return. If both people think the exchange is fair, that’s that. When both sides are aiming to get something material out of the deal, that’s when we call it Negotiation, Haggling, or Bartering. The social aspects are where it gets interesting, and why socializing for the sake of socializing shouldn’t be ignored. Getting someone to do something for you in exchange for you liking them more or the person’s feelings about their social capital both fall under what many games call Charm. Getting someone to do something for you in exchange for you not hurting them is Intimidation. Finally, as a bit of an aside, getting someone to do something for you by lying about what they’d get in return is usually described as Bluff or Deception.
There’s really three skills at work here: lying effectively is a skill. Talking effectively is a skill. Finally, social awareness and/or perception is a skill. Many games make it more complicated than that, but it really isn’t. Intimidation may be modified by your appearance or strength, but being skilled at it is more about knowing whether a person can be made to fear you and what they fear. Seduction is merely understanding what the other person is sexually attracted to, and presenting yourself as capable of being or delivering that. The other key thing which comes into running these interactions in a game context is that someone who is good at talking can fail to get what they want with fewer consequences.
In looking at other games, everyone does the “roll to see if you convince” thing. Some games (Genesys, for example) key different resistance rolls to different skills, making it more tactical. I don’t think that’s the right approach. A man who is “good at seduction” will not have an effect on most straight men, that’s not difficulty (and it’s kind of insulting to model your sexual orientation as a difficulty rating, to boot). There are two things to do here: figure out what someone wants, and then figure out how to give it to them. Where the mechanics are going to be beefed up is in coming up with a shorthand way to describe NPC wants and needs that doesn’t become mechanically overwhelming. Genesys is going to be an example here again, with its four motivations: desire, fear, strength, and flaw. This is a good framework, but contextually in Genesys it’s intended to be high-level, describing an NPC’s overarching personality. We need it to work situationally also…you can have an NPC whose desire is for recognition, but at the same time whose desire in the context of a club on a Friday night is to get drunk and maybe go home with someone. One of those informs much better than the other how that NPC will react when a character buys them a drink.
We could also create some NPC stats that inform their susceptibility to the game trifecta of Charm, Intimidate, and Seduce (Bluff can be dealt with more through skill checks). Instead of creating multiple skills, the player’s choice of approach will affect the difficulty accordingly. These could also be modified by situation: a club may have more people feeling affectionate, whereas a riot might have more people fearing for their safety.
Another thing we can get rid of is the reaction roll, though not the reaction modifier. Generally, especially in modern society, people start at neutral with everyone. Personality traits like those above may define if and how they reach out to others, but there isn’t really randomness to how a stranger sees you. That said, it becomes important to track whether people like or really don’t like you, and what they’ll do about it. At the extreme end (always an end we eventually come to in games), someone may try to come after you.
‘Pursuit’ rules aren’t chase rules. Rather, ‘pursuit’ is meant to work like the ‘star rating’ in Grand Theft Auto, though not just for police. How much trouble are you in, and what are people doing about it?
In most RPGs, trouble is not a cascade of infinitely-spawning police cars. Trouble may start as random tails and a degree of hostility in certain parts of town. It intensifies from there, ending with more direct attempts to get you out of the picture. The Cyberpunk genre has its fair share of assassination attempts, because it’s a great way to emphasize the point that the corporations are big and the characters are small.
So what purpose is there to mechanize the amount of trouble your PCs can get up to? Well, for a sandbox it can drive a lot of narrative. If we don’t assume that the game is necessarily going to come with a packaged plotline, having some mechanics that help the GM decide who’s noticed the PCs will make the game more dynamic. They also provide great distractions after the PCs have already glommed onto a different target.
The details of Pursuit or Heat rules are wrapped up in organizational rules because of how the size of an organization creates perspective. Large organizations, at least as a trope, tend to have a non-linear threat response. If you move against them in a small way, steal from them, or otherwise annoy a local executive, you’ll be ignored. The minute, though, that you’re perceived as an actual, you will be crushed. Smaller organizations, especially those under pressure, tend to lash out quicker.
In building Pursuit or Heat into an actual mechanic, both this reaction and the extent of the resources the organization has at its disposal will affect what you end up seeing. We can envision four levels to this: monitor, deny, harass, and attack. Monitor is just what it sounds like, and it’s when characters may notice tails, bugs, or other reconnaissance pointed in their direction. This will be especially true if the characters are anywhere that is clearly in the organization’s sphere of influence. Deny is when the organization decides it doesn’t really want you in their sphere of influence. Maybe you’re suddenly not let into that club you like because of its main investor. They don’t like you, and they’re going to push you away. Harass is when the organization is going to push you further by making your life difficult. Stop and frisk by the cops is an example of this, as well as other “random” violence. Attack is, of course, when someone decides to end you. At the lower level this may just be thugs beating you up to make a point, but organizations with the necessary resources will likely make an attempt on your life.
So the organizations affect what the response looks like. How to moderate that response is up to the characters, but making themselves scarce should work…at least after the fact. Generally the actual encounters will stop if the entity behind them thinks they made their point. Of course, if your characters keep up with pissing people off, the responses will continue as well. The exact mechanics of this can vary, but I’d imagine two factors: the organization with which the characters have a relationship, and the location they’re at. Enter a hostile organization’s sphere of influence, and you’ll trip a roll to see what happens. When the dice build up, eventually even your home base triggers such a roll…and that’s when we get the sniper, or the arson, or the bomb.
There are many vectors of world interaction in a Cyberpunk game. Digital, social, and organizational interactions are just as important as physical ones, so we want to make sure that the rules for them provide the same number of levers to pull. All three of these potential subsystems highlight a glaring absence, which I’ll need to correct before any of them can be built out in more detail. That absence is organization rules, the mechanics for modeling corporations, gangs, and government agencies (among many others) in our sandbox. The organization rules tie into many things and will get a whole article devoted to them. For now, though, we’ve built frameworks around how characters will interact with people and the digital world, both with and without violence. The next step is to start building out an implied setting. A Cyberpunk game needs cybernetic enhancements, an ubiquitous digital world, and more broadly, cool tech. In the next article, I’ll start brainstorming all of those for this Cyberpunk Chimera.