The Art of War applied to Information Security – Part 1

  • Ashton Jones
  • Apr 8, 2019

The Art of War, written by Sun Tzu in 500 B.C., is the oldest known military dissertation in the world. Considering its age, it’s impressive to learn of its continued use and relevance to military and business people today.

The book is made up of thirteen principles of war that have been studied and implemented by many military specialists around the globe.

I recently re-read the book, giving thought to how the principles are relevant to our industry of cyber security and the idea of cyber warfare.

Below, I have summarised the first principle and given my take on how it relates to cyber security and the battle we find ourselves in.

This will be followed up with a series of articles covering the remaining twelve principles.

These articles are not meant to be a complete review of the various components of the principles, just my reflection on key takeaways.

Principle One – Laying Plans

This principle is about understanding your position in the war and having calculated tactics for defence and offence. Warfare is based on deception.

  • When we are weak, we must appear strong.
  • When we are able to attack, we must seem inactive.
  • If your enemy is secure at all points, be prepared for them.
  • If they are superior in strength, evade them.
  • The general who wins a battle makes many calculations. The general who loses makes but few calculations.

When applying this principle, you need to figure out:

  • Who has the most ability.
  • Who is better trained.
  • What your motivation is as well as the motivation of your enemy.
  • What the battleground looks like and who has the advantages derived from it.
  • Who has the most discipline.
  • Who is going to be loyal to their ruler and to what point will they continue.
  • If you are basing your strategy on assumptions or abstract principles you are more likely to fail.
  • You should build your plans with all of these things in mind.

Relevance to cyber warfare

I think we are all aware that our enemies are stronger in numbers, stronger in ability and are able to work outside of the constraints of the law. Recent research by (ISC)² places the shortage of cyber security professionals around the globe at just under 3 million. This changes the battlefield for corporate New Zealand significantly. How do we respond? In the words of Sun Tzu – when we are weak, we must appear strong! It comes down to laying plans.

As a business you need to consider the following:

  • Where and who your enemies are. They could be bad actors external to your organisation exploiting internal staff, or an insider threat.
  • Your ability and the ability of these bad actors.
  • The motivation of the attacker against your organisation. What are they going to “attack” and why?
  • Once you have a clear understanding of these things, make plans to “evade” the enemies.
  • Build and implement a strategy that takes into consideration your most critical assets and your biggest risks, based on impact and likelihood.
  • Plan, test the plan, and be prepared to fail and respond to failure.
  • Have a roadmap for how you will strengthen your position and be prepared to adapt this as the battlefield changes.
  • You may lose a battle, but never lose the war.