The Art of War applied to Information Security – Part 2

  • Ashton Jones
  • May 16, 2019

This is the second part in a seven part series dissecting The Art of War.

This part focuses on Principles Two and Three.

Principle Two – Waging War

Waging war is about first understanding war. Some extracts from the Art of War:

War is costly. The longer the battle, the more weary your fighters and more dull their weapons. A prolonged war cannot be sustained and never benefited anyone.

It takes experience to understand how to carry out a successful and prolonged campaign.

Forage off of the enemy to sustain the army rather than resourcing from home. In order to kill the enemy, men must be appropriately motivated. Reward your army who successfully take enemies’ equipment by allowing them to keep it for future battles.

Use the conquered foe to augment one’s own strength.

Once war is waged don’t delay. Don’t make the mistake of sorting out every last detail.

Let your great object be victory, not lengthy campaigns.

Relevance to Cyber Warfare

Unlike actual warfare, there doesn’t appear to be an end to the wider cyber war that we are engaged in.

Rather than looking at cyber war holistically, I believe we can take meaning from this principle in the sense that each individual battle (read: cyber incident) should be dealt with quickly and effectively. You don’t want prolonged incidents; the longer they are left untreated, the more costly and damaging cyber security events become. This is very true in our experience. The longer an attack goes undetected and unmitigated, the wider it spreads, the more damage is done, and the more clean-up is required.

Minimise the time you take to detect, respond, and remediate a cyber incident.

Experience is also important. You need someone who knows cyber security to carry out a successful strategy to minimise your risk exposure.

In terms of foraging from the enemy – we can learn a lot from both successful and unsuccessful attacks on our own and other organisations to better protect ourselves. Understanding an enemy’s failed attempts gives insight into their thought process, and what they might try next. This can help you stay one step ahead.

Finally – your objective should be victory. You should define what victory looks like to you. We are now helping clients define risk appetite statements that act as goals and a measuring stick for success. A risk appetite statement is the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives.

Principle Three – Attack by Stratagem

As the principle title states, Principle Three is all about attacking with a plan to outwit the enemy.

Here are some key extracts from the text:

Take a country whole and intact, otherwise it’s not profitable.

To fight and conquer in all your battles is not supreme excellence; supreme excellence consists of breaking the enemy’s resistance without fighting.

The best method is to balk the enemy’s plans. Next best is to prevent the junction of the enemy’s forces. The next is to attack the enemy’s army in the field. The worst is to besiege walled cities.

It is the rule in war: if our forces are ten to the enemy’s one, to surround him; if five to one, to attack him; if twice as numerous, to divide our army into two. If equally matched, we can offer battle; if slightly inferior in numbers, we can avoid the enemy; if quite unequal in every way, we can flee.

The general is the bulwark (protector) of the state: if the bulwark is complete at all points, the state will be strong; if the bulwark is defective, the state will be weak.

Three ways a ruler may bring misfortune to his army:

  • By commanding the army to advance or retreat, being ignorant of the fact that it cannot obey.
  • By attempting to govern an army in the same way as he administers a kingdom, being ignorant of the conditions which obtain in an army.
  • By employing the officers of his army without discrimination, through ignorance of the military principle of adapting action to circumstances.

When the army is restless and distrustful, trouble is sure to come.

The five essentials for victory: he will win who

  • Knows when to fight and when not to fight
  • Knows how to handle both superior and inferior troops
  • Has an army animated by the same spirit throughout all its ranks
  • Is prepared himself and waits to take the enemy unprepared
  • Has military capacity and is not interfered with by the sovereign

If you know your enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Relevance to Cyber Warfare

In terms of cyber security, the real battle is when the enemy has penetrated your defences. Guard your treasure tightly and you won’t need to worry as much about fighting the small battles.

A strong cyber security leader will make a big difference to your organisation’s ability to protect itself and its treasure. A strong leader will design and deliver a well thought out strategy. They will empower and enable their teams to do their best work, and will propagate key communication up and down the organisation. A weak leader will be much less effective.

You should understand the types of attacks that you face and have a plan to deal with targeted, advanced (superior) attacks as well as simple (inferior) attacks (inadvertent breaches, drive-by attacks, etc.).

Strategy and scenario planning are key to understanding how to balk the plans of the enemy. Think around the problem and look for angles of defence that might have been overlooked.

Ensure you have sufficient resources (people, process, and technology) to sustain the battle and be prepared for the enemy at all times.

Ensure you have the ability to know when the enemy has attacked, so you can respond immediately.

Maintain a level of autonomy internally and know when your team should be able to break the business norms to respond to threats.

Finally – know yourself:

  • What data is important to you?
  • What compliance requirements do you have?
  • What matters to your business?
  • Where are your strengths and weaknesses?

Know your enemy:

  • Who is targeting you?
  • What threats exist that are relevant to you?
  • Who wants your data?
  • What motivates your attackers?
  • What information do they have on you? (intel)
