The Art of InfoSec – Chapter 12

Chapter 12, Incendiary Attack, carries a host of deeper interpretations, given that fire can serve as a metaphor in a great many ways.

There are five kinds of incendiary attack: The first is called setting fire to personnel; the second, to stores; the third, to transport vehicles and equipment; the fourth, to munitions; the fifth, to supply installations.

In order to use fire there must be some inflammable fuel (yin), and such fuel must always be kept in readiness. There are appropriate seasons for using fire, and appropriate days that will help fan the flames.[1]

An incendiary attack is an approach that does not attack the enemy directly, as such, but instead attacks the organization and its ability to remain organized. The purpose of incendiary attacks is to weaken the enemy in order to take advantage of the ensuing chaos, or rather to create the conditions for victory.

The five listed kinds of attack can be reduced to three in InfoSec terms, and can be understood as:

  1. Attacks against personnel – the kind that hinder or remove their ability to participate in security operations, or in other crucial organizational positions
  2. Attacks against general resources – which reduce the general operations of security and of the organization
  3. Attacks against equipment – which compromise the defenders' ability to use their defenses

It does not stretch the analogy to consider the leaking of political information during an election an incendiary attack. Thus, the Podesta email hack, the DNC email leak, etc. are attacks against critical personnel, against resources (in terms of personnel participation, population goodwill, etc.), and even against the organization's communication method.

In the InfoSec field, as in all security, the ability to compromise or expose critical personnel is a serious concern. Public embarrassment aside, the “shocking revelations” can be accompanied by massive hits to stock values. For example, Facebook stock lost some 24% of its value (around $134 Billion) as a result of the Cambridge Analytica scandal.[2] This tactic can also be used to force the resignation of, say, a highly competent head of security, and to take advantage of the ensuing chaos.

The fuel to be kept at the ready is precisely the kind of dirt, of one sort or another, that can be used to throw the organization into disarray. This ties back to the Chapter 11 strategy of setting too many fires for the enemy to deal with. The seasons and days can likewise be understood as the strategic timing of the release of such information, so as to generate the maximum “oomph” and create disorder at the maximum level.

What can be done about such tactics is limited, because they often rely on the private actions of private individuals. However, the part that can be controlled is order and cohesion in the face of such tactics. Commonly, people are thrown under the bus as an instinctive self-preservation tactic of organizations, in order to appease the public. This turns into a self-inflicted injury and a self-created weakness. The correct approach is a response, not a reaction: measured and calculated in light of security considerations.

A ruler cannot mobilize his armies in a rage; a commander cannot incite a battle in the heat of the moment. Move if it is to your advantage; bide your time if it is not. A person in a fit of rage can be restored to good humor and a person in the heat of passion can be restored to good cheer, but a state that has perished cannot be revived, and the dead cannot be brought back to life. Thus the farsighted ruler approaches battle with prudence, and the good commander moves with caution. This is the way (tao) to keep the state secure and to preserve the army intact.[3]

While I am not sure what hacking in a fit of rage would look like, the passage provides an explanation of the wrong states of mind in which to act. The good ruler is a farsighted one who acts with prudence (intelligence, discretion, foresight, wisdom); thus the bad ruler is one who acts out of short-term interests and emotionally. Any number of instances of self-inflicted damage fall under this category. The good commander moves with caution; thus the bad commander is one who is not cautious. But the term caution comes from the notion of “prudence in regard to danger,” and the idea of a cautious commander is better understood as one who is intelligent, discreet, foreseeing, and wise in regard to things that may pose a danger. All these elements require both intelligence and deliberation; hence, a commander who lacks caution is carefree not because of a lack of danger, but because of their own blindness, which becomes hazardous to the troops and the organization as a whole.

The farsighted nature of both the good ruler and the good commander also indicates that both have access to intelligence and deliberate over it, in order to make and carry out plans for the long term. The success of those long-term plans is the real functional measure of victory. But to achieve that success in the long term, good intelligence, as well as exceptional analysis and interpretation, is absolutely necessary. It is needed as a constant and consistent source of understanding of our own situation and the realities on the ground, not merely as an initial starting point from which one develops plans and then ignores the ever-shifting contextual landscape in which that plan is to be implemented.

The farsighted ruler and commander are such precisely because they have a constant stream of new information, which they functionally integrate into their vision, overcoming obstacles or adjusting their plans in a way that pre-empts the appearance of problems. Everyone is capable of identifying a problem that has already manifested itself, e.g. a hack in progress. It takes a different kind of effort to find the potential for that particular problem to arise and to pre-empt it before it has the opportunity to manifest, e.g. patching a vulnerability discovered by an internal audit or pen test.

For information security, this means finding new and innovative ways to attack one's own defenses, in order to creatively pre-empt hacking schemes. By way of example, the ISIS use of Twitter and other social media platforms for recruitment was an innovative strategy. Because it was a creative approach not anticipated by various defense and security systems, it was wildly successful in global recruitment. After discovery, the lack of creative solutions resulted in a game of whack-a-mole with ISIS accounts, with three new ones springing up for every one taken down.

The key takeaway is that successful attacks rely on sowing internal disorder and on striking with speed (e.g. WannaCry). Therefore, the successful defense must be a farsighted one, relying heavily on intelligence gathering and analysis, and must incorporate creative ideas about threats and defenses, if one is to survive.

[1] Sunzi. Pg. 121.

[3] Sunzi. Pg. 122.