The Art of InfoSec – Chapter 13

Chapter 13 is the concluding chapter of the Sunzi. While he has continuously stressed the critical importance of intelligence and deliberation in war, he did not reveal the source of this information. In the concluding chapter, he turns solely to that source, and designates it as the most important factor of warfare.

To understand the opening lines of this chapter, and specifically the kind of detestation Sunzi shows towards the commander who fails to procure intelligence, it is useful to refer back to the definition of war by Lao Tzu (noted in Chapter 2), especially in terms of evil as a subpar outcome of a situation caused by a failure to properly understand and adapt to one’s context.

Fine weapons are instruments of evil. They are hated by men.
Therefore, those who possess Tao turn away from them.
Weapons are instruments of evil, not the instruments of a good ruler…
When he uses them unavoidably, he regards calm restraint as the best principle.
Even when he is victorious, he does not regard it as praiseworthy,
For to praise victory is to delight in the slaughter of men. He who delights in the slaughter of men will not succeed…
For the slaughter of the multitude, let us weep with sorrow and grief.
For a victory, let us observe the occasion with funeral ceremonies. [1]

In considering this passage, we should think of what it means to possess “fine weapons.” Namely, fine weapons represent a great investment of money, time, resources, and humanity in a project whose best-case outcome is the “slaughter of men.” Alternately, they represent all the time, resources, and effort spent not doing socially constructive things. The need for such tools may be inevitable, but to use them properly requires the understanding of their role. Thus, to have fine weapons, and use them carelessly, means to rob the society of all the things it could have used to create a better society and to advance in new and innovative ways. For Lao Tzu, and for Sunzi, war is evil because of the sub-par social use of resources.

However, one does not simply forego the military or military expertise. By understanding the sub-par nature of war, or need for security in our case, one can act in ways that minimize the kind of damage war/security does to the society/organization. That is, understanding the full costs of security is the tool that allows us to best use security, and to do so in a way that optimizes its effectiveness, and minimizes the kinds of costs that it creates – especially when mismanaged. By being cognizant of the costs of security, we can find ways to best utilize it. This is not to say that one should skimp on security, but rather that security requires a serious and critical investment, done right, so that the effects on the rest of the organization can be minimized; that the organization can do what it is supposed to do, with knowledge that security has been appropriately dealt with.

Sunzi opens Chapter 13 with the following passage:

In general, the cost to the people and to the public coffers to mobilize an army of 100,000 and dispatch it on a punitory expedition of a thousand li is a thousand pieces of gold per day. There will be upheaval at home and abroad, with people trekking exhausted on the roadways and some 700,000 households kept from their work in the fields. Two sides will quarrel with each other for several years in order to fight a decisive battle on a single day. If, begrudging the outlay of ranks, emoluments, and a hundred pieces of gold, a commander does not know the enemy’s situation, his is the height of inhumanity. Such a person is no man’s commander, no ruler’s counselor, and no master of victory.[2]

Sunzi opens with a somewhat startling assessment of the costs of war – the costs that are inherent in the very idea of waging a war, regardless of the side. There are monetary costs, human costs, costs of disruption, man-hours invested, etc. Given the costs inherent in war, the failure to invest in knowing the state of the opposition – so as to increase the probability of victory and achieve that victory with minimum additional costs – is an act of a pathologically homicidal and destructive (including self-destructive) individual.

Given the aforementioned stance on fine weapons and the use of war, Sunzi’s assessment of an ignorant commander is something of a clinical diagnosis. To be sure, such a person may have the official position and rank of commander or counselor, and may even achieve a victory. However, in reference to the definition of such an individual (as per the idea of zhengming), such an individual is the worst kind of human being – by definition. The gathering and analysis of intelligence is, therefore, the means by which a commander is made a commander. Otherwise, it is merely an empty title, given to the undeserving; no different than granting the title of “doctor” to your local knife-wielding hobo.

What’s especially telling is Sunzi’s build-up to the question of gathering information. The inherent costs of war are so high as to make the intelligence expenditures infinitesimal.

Similarly, the cost of information security is fairly high. An average InfoSec cost for companies ranged between $3,000,000 (medium), and $10,800,000 (large) in 2014.[3] At such a starting cost, it is unconscionable to fail to invest in proper intelligence gathering and analysis. If nothing else, the failure to do so severely undermines the rest of the cost paid for InfoSec services, in terms of their functionality and ROI to the organization.

So, where does this information come from? Sunzi says:

Thus the reason the farsighted ruler and his superior commander conquer the enemy at every move, and achieve successes far beyond the reach of the common crowd, is foreknowledge. Such foreknowledge cannot be had from ghosts and spirits, educed by comparison with past events, or verified by astrological calculations. It must come from people – people who know the enemy’s situation.[4]

This idea is central to both Sunzi and any notion of InfoSec intelligence; information must be gathered from actual people on the ground! It cannot be had from studying theory (ghosts and spirits), it cannot be educed from past events, it cannot be found through mere statistical research (astrological calculations). Why not? Because war is never a static system; it is a dynamic, ever-shifting, living phenomenon, which must be experienced and engaged as such. Sunzi noted as much in Chapter 7, where he concluded: “Thus an army does not have fixed strategic advantages or an invariable position.”[5]

To miss this point is to misunderstand the very notion of security, and see it as a product, instead of a process. This is the crucial problem behind the various backward-looking security policies which secure us from past methods of attack – but do nothing for the fact that the enemy is using ever-changing tactics. As noted in the previous chapter, the major issue for proper analysis is creative, forward-looking assessment of threats, not mere protection against those tactics successful in the past – which the enemy has undoubtedly abandoned in favor of the kinds of attacks we are less likely to see coming.

The question then becomes, “who are these people on the ground who should be used for intelligence-gathering?”

There are five kinds of spies that can be employed: local (yin) spies, inside agents, double agents, expendable spies, and unexpendable spies. When the five kinds of spies are all active, and no one knows their methods of operation (tao), this is called the imperceptible web, and is the ruler’s treasure.

Local spies are the enemy’s own countrymen in our employ.
Inside agents are enemy officials we employ.
Double agents are enemy spies who report to our side.
Expendable spies are our own agents who obtain false information we have deliberately leaked to them, and who then pass it on to the enemy spies.
Unexpendable spies are those who return from the enemy camp to report.[6]

For our own consideration, Sunzi’s “spies” are modes of intelligence-gathering, to be carried out by the appropriate individuals. The notion that these are the “ruler’s treasure” should be self-evident by this point. Every consideration and every maneuver Sunzi has recommended in the preceding 12 chapters has been based on having access to the right kinds of intelligence and analysis. The very ability to meaningfully engage in war, or in our case security, is based on intelligence, and intelligence is based on possessing such avenues of intelligence gathering and analysis. This intelligence is the source of all security, and if that does not qualify it for the title of a “treasure,” then nothing does.

We will consider these specific roles in detail below. For now, Sunzi comments on the status of such individuals:

Thus of those close to the army command, no one should have more direct access than spies, no one should be more liberally rewarded than spies, and no matters should be held in greater secrecy than those concerning spies.[7]

The question of access is paramount for intelligence to be put to proper use. Lawrence Wright’s The Looming Tower (now also a show on Hulu) demonstrates how the failure to get intelligence to the highest levels of decision-making led to the U.S. failure to prevent the 9/11 attacks. Mere possession of intelligence by the organization is utterly meaningless unless that information is in the hands of those individuals at the top, where it can, and will, be put to actionable use.

The question of reward is another pressing concern. Intelligence sources often risk much to share that information. In some cases, they risk their own lives and those of their friends and families. If their compensation is not commensurate to the risk, there is little incentive for them to work with us. During the Cold War, it was the offer of moving to America and being provided top-level security that helped incentivize numerous Soviet agents to defect and reveal all they knew. On the flip-side, the failure of the US and UK to take in the native guides and translators from Afghanistan and Iraq (whose help was indispensable, but made them and their families direct targets for the Taliban and Al Qaeda), means that no sensible local in any such country will be willing to work with the Western forces again.

Finally, the question of secrecy should be a foregone conclusion. Not only does failure to keep secret the identity and the intelligence of such spies reduce the value of the intelligence provided, it also undermines our ability to further recruit such agents – as most enemy organizations will be on heightened alert for any possible leaks, and may even engage in organizational purges.

It is necessary to find out who the enemy has sent as agents to spy on us. If we take care of them (yin) with generous bribes, win them over and send them back, they can thus be brought into our employ as double agents. On the basis of what we learn from (yin) these double agents, we can recruit and employ local and inside spies. Also, from (yin) this information we will know what false information to feed our expendable spies to pass on to the enemy. Moreover, on what we know from (yin) this same source, our unexpendable spies can complete their assignments according to schedule. The ruler must have full knowledge of the covert operations of these five kinds of spies. And since the key to all intelligence is the double agent, this operative must be treated with the utmost generosity.[8]

The idea of using enemy spies is fairly straightforward: First, we are taking an enemy asset off the board; second, we are adding an asset to our side; third, the asset is already well-placed within the enemy ranks; fourth, the asset’s intelligence grants us a deep insight into the system of the enemy – allowing us to better infiltrate the organization. In information security, the double agent is the enemy hacker we can track down and “persuade” to come to our side.

Local spies are simply the people well-connected to the medium in which our enemy operates. For example, hackers native to, say, the Ukrainian black-hat scene are conversant in the kinds of trends (not to mention language and jargon) that are particular to the Ukrainian scene. These are bottom-level individuals, who are simply present enough to have a meaningful sense of the goings-on.

Inside spies are actual members of hacking groups and collectives. This can range from organized crime to anarchy groups. The key factor is that they are active participants in a medium where the intelligence and strategic information-sharing occurs. Therefore, they have much more insight into the details of their particular organizational happenings. Obviously, such agents are far more difficult to come by, and their intelligence is a way of clarifying some particular issues noted by the local agents, as well as providing specific organization-dependent data.

Expendable spies and false data are based on the idea that, when we understand the particular scene and the ideas behind certain enemy organizations, we have a profound insight into their motivations, goals, methods, etc. This allows us to leak information in a way that will allow us to direct their efforts where we wish, or to gather additional data by getting feedback on their reaction. For example, by creating a false exploit – or rather, creating an exploit to nowhere – we can gauge the relative strength of the enemy forces, their connections to other organizations, rate of response to our false data, etc. This can provide us with a much more penetrating insight into the kinds of opposition we face, as well as their resources and abilities.

Unexpendable spies are the most critical agents, in terms of their mission objectives. One way to think of them is as full-on saboteurs, the kinds of agents who can – with the right information – wreak havoc on our enemies’ functionality. That may involve doxxing them, striking them with a targeted attack, getting the local law-enforcement to break down their doors, etc. The crucial point is that the unexpendable spies are the means by which the fires are set inside the enemy camp; the enemy is led into a position where they can be annihilated. Unexpendable spies are, for the lack of a better term, ninjas.

Yet, the only way such action is possible is by ensuring that they are provided with the kind of information that will enable them to identify and move against such targets. The actions of unexpendable spies are the absolute pinnacle of expression of actionable intelligence. In order to be successful: the ruler must be farsighted and prudent; the commander must be intelligent, discreet, foreseeing, and wise in regard to things that may pose a danger; the enemy spy must be found and fully exploited to become a double-agent; the local spies must be cultivated; the inside spies must be employed; the expendable spies must be fully utilized; all this data must be properly analyzed and understood in order to identify the correct targets, develop a meaningful plan of action, set it off at the correct time, and set in motion the unexpendable spy.

While supremely difficult, the actions of unexpendable spies are nothing short of miraculous. Consider, for example, the Stuxnet attack (from Wikipedia):

Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet reportedly ruined almost one fifth of Iran’s nuclear centrifuges. Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.

Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet. It is typically introduced to the target environment via an infected USB flash drive, thereby crossing any air gap. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the codes and giving unexpected commands to the PLC while returning a loop of normal operations system values feedback to the users.

Consider the sheer quantity of intelligence-gathering necessary for such an operation, and keep in mind that the entire system is not remotely accessible. The ability to infect the host came from a person physically entering the plant, inserting a USB drive into the machine to which they presumably had legitimate access (either that, or they were literally a ninja), and walking away. This step was executed by the unexpendable spy, without whom the entire project would have failed – but who, without an incredible spy network, would never have been in the position to act.

There is also the matter of analysts whose work was able to turn the intelligence into an actionable comprehension of the system, which gave the commanders the ability to develop the devious worm in a way that crippled a multi-billion-dollar project of an entire nation. Without their efforts, all the intelligence remains only so much noise.

These particular roles are not the only ways to understand the modes of intelligence-gathering, but they are demonstrative of the kinds of intelligence-gathering modes that are crucial to the ability to conduct security meaningfully.

Thus, we see the critical nature of establishing an intelligence network, and doing so properly. Sunzi notes:

Thus only those farsighted rulers and their superior commanders who can get the most intelligent people as their spies are destined to accomplish great things.[9]

Here, I will make an addition to Sunzi’s spy system; namely the role of analysts in the modern setting. While I have noted the crucial nature of analysts before, they deserve their own consideration – especially in light of the idea that one ought to get “the most intelligent people as their spies.”

In the InfoSec context, the “most intelligent spies” comment should be understood to include one’s own personnel who take in the incoming intelligence and make it actionable, by parsing through the data and finding the most effective and creative ways to understand that intelligence. However, this process requires genius-type personnel[10] if it is to be fully utilized. Why? Because the sheer volume of the incoming intelligence is overwhelming; much of it is flawed, deeply flawed, or outright false; and the ability to instinctively recognize complex patterns is not a common trait.

The proper kind of analyst one should employ is always engaged in strenuous critical thinking and analysis. They do not take authoritative sources of information as inherently true, and frequently discover the pitfalls in analyses presented to them. These are the kinds of people whose “smell test” of published and generally accepted information not only detects that there are flaws in the information, but can pinpoint where they are located. These are people who track coherence of claims across all systems, and have an instinctive red flag when anything is amiss. If one fails to employ at least one such analyst, the information provided by the spies is likely to be of less than full utility. If spies are the “ruler’s treasure,” genius-type analysts are the crown jewel.

As the very last line of The Art of War, Sunzi summarizes the functional essence of the Chapter 1 idea that “Warfare is the art of deceit” by concluding:

Intelligence is of the very essence in warfare – it is what the armies depend upon in their every move.[11]

While the full consideration of the way these notions relate to CTI will be considered in later posts, it should be clear that, for Sunzi, the very notion of war is premised on intelligence – or rather, the very notion of InfoSec is premised on CTI. To even attempt to engage in war (analog or digital) without intelligence, is to willingly make yourself dumb, deaf, and blind, while placing yourself squarely in the path of existential danger. In essence, failing to couple these two concepts is to disqualify yourself from any meaningful sense of acting in the security field. While you may have the title, it reflects nothing of reality.

With the chapter-by-chapter analysis of the Art of War complete, we will next turn to a brief outline summary, as an overview of its lessons. Following that, we will turn our attention to CTI; considering the state of the field, and considering the implications of the preceding lessons.



[1] Lao, Tzu. “Tao-Te-Ching.” 1963. Translated by Wing-tsit Chan. In Masters of Chinese Political Thought; from the Beginnings to the Han Dynasty., edited by Sebastian De Grazia. New York: Viking Press, 1973. Pp. 261-2.

[2] Sunzi. Pg. 123.


[4] Sunzi. Pg. 123.

[5] Sunzi. Pg. 92.

[6] Sunzi. Pp. 123-5.

[7] Sunzi. Pg. 125.

[8] Sunzi. Pg. 125.

[9] Sunzi. Pg. 125.

[10] Genius-type here refers to those individuals who are not only supremely competent in the field, but have the creative quality that allows them both to create new and innovative solutions to existing problems and to anticipate future problems and create means to counter them before they manifest.

[11] Sunzi. Pg. 125.