The Art of InfoSec – Chapter 2

In Chapter 2, Sunzi turns to some basic cost assessments of war. At first glance this may not seem to be a functional analogy for InfoSec. However, once we dig a bit deeper, we find two elements that deserve serious consideration. The style of Sunzi’s writing is to first present a general thesis at the start of the chapter and stress its importance. Then, he follows it up by an analysis of conditions, ideas, or actions necessary to make the initial thesis actionable. Thus, I would highly recommend re-reading the chapter, to experience the thesis again, this time in light of the conditions necessary for its functionality.

In joining battle, seek the quick victory. If battle is protracted your weapons will be blunted and your troops demoralized. If you lay siege to a walled city, you exhaust your strength. If your armies are kept in the field for a long time, your national reserves will not suffice… Thus in war, I have heard tell of foolish haste, but I have yet to see a case of cleverly dragging on the hostilities. There has never been a state that has benefited from an extended war. Hence, if one is not fully cognizant of the evils of waging war, he cannot be fully cognizant either of how to turn it to best account.[1]

While this section might best be exploited by the hacking end of the InfoSec equation, there are several key takeaways for the security side, especially in terms of the Dao and commander elements from chapter one. First, there is a recognition of the humanity of the tools a commander works with – i.e. human beings. While human beings are capable of performing at peak capacity, they cannot be made to do so indefinitely. Recall the idea of wearing down an opponent, to create an advantage; the wearing down is simply a matter of forcing the opposing side to constantly function at peak performance. Sooner or later, when the demands overwhelm the individuals, a vulnerability is exposed. Even high-performance engines can blow a gasket. This realization should tell us something about the way (tao) in which the organization needs to perform, to keep itself from blowing that gasket. Sunzi particularly emphasizes speed, or rather the idea that one should expect peak performance in bursts that accomplish the goal. Getting to the point where security is functional in these short bursts is a matter Sunzi will address later in this chapter.

Second, this passage makes this recognition of humanity the responsibility of the commander – who is responsible for devising the appropriate way (tao) in which the organization functions – in light of the humanity of both himself and his subordinates. An Arab proverb says: “you cannot give what you do not have.” On one hand, this means that the operational capacity of the commander depends on his/her own capacity. On the other hand, it also means that the commander must be acutely aware of his/her operational capacity, by knowing the people, the equipment, the state/organization, etc.; otherwise, they risk making plans that require more than they have to offer. Again, we return to the idea of intimate knowledge of systems, people, and resources, if one is to have any chance of winning a war.

Third, the idea of war as evil is important to stress here – especially in terms of evil as è, a subpar outcome of a situation. Lao Tzu (a contemporary of Sunzi) comments on war:

Fine weapons are instruments of evil… Weapons are instruments of evil, not the instruments of a good ruler. When he [a good ruler] uses them unavoidably, he regards calm restraint as the best principle. Even when he is victorious, he does not regard it as praiseworthy, for to praise victory is to delight in the slaughter of men.[2]

In considering this passage, we should think of what it means to possess “fine weapons.” Namely, fine weapons represent a great investment of money, time, resources, and humanity in a project whose best-case outcome is the “slaughter of men.” Meanwhile, the same resources are unavailable for any other project. Thus, to have fine weapons, and use them, means to rob the society of all the things it could have used to create a better society and to advance in new and innovative ways. For Lao Tzu, war is evil because of the sub-par social use of resources.

However, one does not simply forgo the military or military expertise. By understanding the sub-par nature of war, or of the need for security in our case, one can act in ways that minimize the kind of damage war/security does to the society/organization. That is, understanding the full costs of security is the tool that allows us to make the best use of security, in a way that optimizes its effectiveness and minimizes the kinds of costs it creates – especially when mismanaged. By being cognizant of the costs of security, we can find ways to make the most of the resources spent on it. This is not to say that one should skimp on security, but rather that security requires a serious and critical investment, done right, so that its effects on the organization can be minimized; that the organization can do what it is supposed to do, with the knowledge that security has been appropriately dealt with.

By contrast, we tend to think of security primarily when things go wrong – that is, when we are faced with the fact that we have not made appropriate security investments. In these cases, we are often forced into a reactive role: technologically patching the problem while offering apologies to clients, offering all sorts of additional (and costly) amends, etc. As a result, we can say that by failing to appreciate the necessary “evil” of great security, we immerse ourselves in a far greater “evil” in the long term.

The expert in using the military does not conscript soldiers more than once or transport his provisions repeatedly from home. He carries his military equipment with him, and commandeers his provisions from the enemy.[3]

Raising the soldiers only once means raising sufficient personnel for the task; transporting provisions means securing necessary resources for the task. Although the passage is brief, it carries at least five crucial implications for both Sunzi and InfoSec.

First, the commander must know the enemy; otherwise there is no way to calculate the necessary provisions and personnel. Second, the commander must be acutely aware of the circumstances in which he is to act, in order to adequately account for the provisions and personnel. Third, the commander must know the order of importance of objectives, if he is to devise a functional strategy (protecting the farms while the capital burns is generally a bad idea; yet protecting the capital while the food stores are destroyed only means starvation later – the situation and order of objectives must be known). Fourth, the commander must develop a strong strategy for dealing with the enemy, and must have accounted for the various contingencies, in order to coherently talk about necessary provisions and personnel. Fifth, the strategy must be enacted only at its appropriate time – rushing a strategy means moving when not fully prepared, and thus the necessity of raising additional personnel and resources.

Knowing the enemy, the circumstances, the order of objectives, preparation of strategy, and timing in implementation – all in order to properly define the required personnel and resources – are then the five implications of Sunzi’s statement. Note that these elements are the means by which we ensure that victory is a quick one. Requiring additional personnel or resources takes time, board meetings, expenditure approvals, etc., all of which inherently delay the strategy.

Information security is often faced with problems that stem from these (and similar) issues: an “enemy” that is ill-defined, a lack of clarity and knowledge about the circumstances we operate in, a lack of a solid vision for security, or the need to “just do something” instead of taking the time to coherently understand and respond to a problem, not to mention the lack of investment in training the next generation of InfoSec elites.

Getting these elements right, by contrast, means long-term investment in infrastructure, personnel and resource development, proper budgeting (InfoSec is not where you should look to save money), and a vision for the future of the security of the organization. As commonsensical as some of this may seem, it should be noted just how often buggy programs and software hit the market. The initial rollout of Affordable Health Care was a disaster, because of the lack of foresight on the circumstances, order of objectives, and timing in implementation. It resulted in a nearly endless cause for complaints by the opponents of the bill (while they might have found reasons to complain anyway, there’s no use in giving ammunition to the opposition). The 2012 Diablo 3 release was so buggy as to make the game unplayable. It took months of patching and adjusting before the functionality was restored. If Blizzard were not the powerhouse that it is, that game release could have done irreparable damage to the brand – not to mention its funds.

For Sunzi, the approach to war starts with the acknowledgment of its evils – i.e. the fact that it drains resources, places us in a potentially bad situation, etc. Thus, the best way to engage in war is in as limited a form as possible: a quick victory. However, the quick victory has a host of conditions which must be met (some by the organization, some by its commanders), starting with the five noted above. You’ll notice that several of the noted conditions are only possible with a healthy dose of intelligence about the enemy, etc., without which strategies cannot be formed. While Sunzi has not stated it explicitly, we are again faced with the conclusion that security and intelligence must go hand in hand.

The next two chapters (Planning the Attack and Strategic Positions) are the key to shifting the present ideas about information security, CTI, and modern warfare in general, toward a more functional paradigm and military ideology.

[1] Sun Tzu. “The Art of War.” p. 75.

[2] Lao Tzu. “Tao-Te-Ching.” 1963. Translated by Wing-tsit Chan. In Masters of Chinese Political Thought: From the Beginnings to the Han Dynasty, edited by Sebastian De Grazia. New York: Viking Press, 1973. pp. 261–2.

[3] Sun Tzu. “The Art of War.” p. 76.