Rethinking CTI – Classical Ideas of Security

Classical Chinese thought understood humans to be unique in their relation to the universe – a common theme in (nearly) all non-modern civilizations. Nature, which ultimately functioned as an extension of the harmonious dao, was perfect by the fact that it existed. That is, no tree can be any more or less a tree than it already is; its potential is always maximized. Humans, on the other hand, do not have this completed nature, and must strive to reach their potential (again, this is a common non-modern idea of humans).

In a general sense, a person should act in a way that follows the dao. While the specifics depend on the particular individual and their circumstances, the common thread is the need to 1) understand the world, 2) know yourself in relation to the world, and 3) pursue excellence in all actions. In this way, the focus in attaining success – for the individual and the state – was turned towards achieving self-perfection, not worrying about external factors. As we shall see, part of this ideology stems from the fact that one cannot control external circumstances, but one can control one's reaction to such circumstances, and thus always follow the most optimal course of action.

Despite the role of sages in leading the way, understanding, knowledge, and excellence were understood to be qualities internal to each person, and could not be bestowed on people by others. Instead, they had to be cultivated by each individual (“you can lead a horse to water, but you can’t make it drink”). Merely parroting the ideas and behaviors of others was understood to be the wrong path. Sages did not serve as strict rule-makers or sources of actions to be blindly imitated, but as exemplars of the kind of thinking that provided effective problem-solving (namely: deep, long-term, aimed at the root of the problem). Similarly, the purpose of a math teacher solving the problem 2+2 is not so the student will take the solution (4) and apply it to every math problem. The purpose is to demonstrate the principles by which effective problem-solving in math takes place. If we merely blindly imitate, the solutions work only as long as we happen to face the exact same problems as we did in the past.

Confucius believed the sages had mastered the dao and that, by emulating their example, one could achieve the same. However, this reflection was not guided by a desire to return to the previous age. Rather, it was a means of understanding the relevant principles and applying them to the present circumstances. In the same way that virtuous action (de) consists of actions in particular circumstances, so the sages’ mastery of the dao lies not in abstract understanding, but rather in their application of knowledge to make use of their situations. Therefore, the Confucian ideal is one of reflection on the sages of old in order to understand and apply their wisdom to the present.[1] As such, it is a progressive model of moral and political thought.[2]

Writing towards the end of the 550 years of war, Xunzi (the last great Confucian of the classical period) argued that understanding how to create stable states requires that we first understand human nature – and that nature is evil (e). That is, it is generally not in human nature to seek understanding, knowledge, and excellence, but rather to take the path of least resistance (why work hard, when pre-scripted ransomware or a basic phishing scheme will make the money with far less effort?). However, Xunzi was not a pessimist. He argued that this natural inclination can be remedied by education and exemplary leadership – the job of the state. For the state, taking these steps was incentivized by his argument that excellent citizens made for stronger, more stable, and longer-lasting states.

If he [the ruler] regulates the teachings of his government properly, examines carefully the rules and proposals of his officials, and encourages and educates his people, then the day will come when his armies can stand up against the strongest forces in the world. If he practices benevolence and righteousness, honors the highest principles, makes his laws upright, selects worthy and good men for his government, and looks after the needs of his people, then the day will come when his reputation may match in fairness that of any ruler in the world.[3]

The power of virtue, for Xunzi, is not simply a high-minded ideal. Instead, the virtuously guided state wields considerable power directly – through a unified population – and indirectly, through the influence it gains by standing as a counterpoint to the tyrannical state, whose very populace is fractured and oppressed. This idea is further supported by Xunzi’s reflection on ancient rulers whose rule was strengthened and preserved by their internal ordering.[4]

This notion of internal strength through perfection maps almost 1:1 onto modern security. The organization, managers, supervisors, etc. must embody the qualities of understanding, knowledge, and excellence, and seek out the best people based on merit – in order to create a strong InfoSec team and provide the organization with effective security. If they themselves are not excellent, they cannot find the best, nor get the most out of them, and so the team and the organization suffer.

The focus is always the development of internal power through excellence – it is never external. That is, people can make themselves into the best possible version of themselves, but they cannot control the circumstances into which they may be thrown. The great Legalist writer, Han Feizi, summed up the critical need to focus on internal perfection as follows:

A true king is one who is in a position to attack others, and a ruler whose state is secure cannot be attacked. But a powerful ruler can also attack others, and a ruler whose state is well ordered likewise cannot be attacked. Neither power nor order, however, can be sought abroad – they are wholly a matter of internal government. Now if the ruler does not apply the proper laws and procedures within his state, but stakes all on the wisdom of his foreign policy, his state will never become powerful and well ordered.[5]

This sentiment was equally shared by Machiavelli some 1800 years later, as well as by Islamic injunctions regarding community-building. Relying on power outside yourself for security is risky at best, and disastrous at worst. The notion of security as a process, not a product, again comes to light. Purchasing security is reliance on external power. As such, you have no control over it, and any “compensation” for its failure comes only after the damage has been done.

Classical Chinese sources come to the same conclusion: the ability of a state (or in our case, an organization) to survive and prosper is based on its ability to perfect itself internally. Without this perfection, the state can never achieve true stability, and its continued existence is only the result of its weakness being temporarily ignored. As soon as that weakness is exploited, the state is destroyed. From an InfoSec perspective, we’re reminded of the two issues already mentioned: the necessity of cultivating local talent, and security as a process – not a product.

Our first lesson from classical Chinese theory is that security starts at home. Before we worry about the latest avenues of hacking, we must ensure that the Admin login is not admin:password. We must make sure that our organization is internally sound, that those employed are the best available to us, and that their functions are limited to their spheres of excellence. These issues are, unfortunately, the primary problems faced by so many companies today. The expertise is lacking, and they seek security through external means, imagining themselves to be safe while failing to realize that the same vendors that sell security products get hacked themselves.

Internal security is up to us. If our security is perfectly established, we may still get hacked by a strange new technique – but that hack is unavoidable in any case. If we do not perfect ourselves, we are susceptible not only to the latest exploit, but to every hack available. I like to use an analogy of the devil, to drive this point home. The devil has a job: make you sin and send you to hell. You also have a job, namely keeping yourself from going to hell. Consequently, it’s no use blaming the devil; the only way you’re ending up hell-bound is if you failed to do your job. Since it is unlikely that hacking is going out of style anytime soon, that means that the hackers have a job, and so do we. And if we fail to do our job, we have no one to blame but ourselves – no, not even the security vendors whose software failed to protect us. Our security is solely our own job.

As Nikolai Gogol noted, “Don’t blame the mirror if your face is faulty.”


[1] Ames, Roger T. The Art of Rulership. Pg. 4.

[2] Rahmanovic, Faruk. Three Theories of Just War: Understanding Warfare as a Social Tool Through Comparative Analysis of Western, Chinese, and Islamic Theories of War. Honolulu: University of Hawai’i, 2010. Pp. 48-9.

[3] Watson, Burton. Introduction. In Hsün Tzu: Basic Writings. Pg. 8. [Xunzi is the alternate transliteration, and one I prefer]

[4] Rahmanovic, Faruk. Three Theories of Just War. Pg. 61.

[5] Han, Fei Tzu. Han Fei Tzu: Basic Writings. Translated by Burton Watson. New York: Columbia University Press, 1996. Pp. 113-14.