The Art of InfoSec – Chapter 3 (cont’d)

In the first half of Chapter 3, Sunzi focused on the elements of engagement in, and waging of, war. This information pertains primarily to the commander, though the ruler should be familiar enough with it – if he’s to ensure that the commanders under his rule are good. The second half of Chapter 3 shifts focus towards the interplay between the state and the commander, and provides a glimpse of what happens if the advice of the first half is ignored. The need to define and maintain the correct relationship between the state and the commander cannot be overstated, as even the best generals are powerless when hobbled by the bureaucracy and the “sage” advice of armchair generals.

The commander is the side-guard on the carriage of state. When the guard is in place, the state will certainly be strong; where it is defective, the state will certainly be weak.[1]

Having addressed the nature of strategy and the kind of commanders that preserve the state, Sunzi turns to the issue of the ruler’s relation with the commanders – roughly equivalent to the CEO/board relation with the security department. For Sunzi, the commander belongs at the side of the ruler, implying constancy of presence, advising, closeness, and loyalty. However, the presence or absence of the commander is not up to the commander, but the ruler. Thus, the relation between the two is determined by the ruler – on the assumption that the commander fits the noted description.

To a certain extent, the willingness of the commander to take up and remain in that role depends on the treatment he is afforded. Poor treatment, inadequate compensation, lack of loyalty, unwillingness to listen to expertise, unwillingness to provide timely infrastructure and readiness investments, etc. are all factors that can drive a strong commander away from the ruler – as the former realizes that it is impossible to actually do the job effectively. No commander will willingly serve a state that is weak, and that cannot be strengthened because of the ineptitude of the ruler.

Sun Bin, the successor to Sunzi some 200 years later, establishes the ruler/commander relation in a crossbow analogy: the ruler determines the target; the commander aims the crossbow and fires; the military is the bolt which is fired and strikes the target. The division of labor depends on the division of responsibility – and thus on the different points of expertise. If any part of this process is carried out by a non-expert, or by an expert in the wrong field, the process goes awry.

Open lines of communication, and the ability to put aside the ego in order to meaningfully depend on the expertise of others, are crucial points in this relation. Even in a context where the commanders were the property of the emperor (i.e. his slaves), and where his word was law, Sunzi argues that the ruler should not speak beyond expressing his general desire, and never on the topic of military management – as that is not his area of expertise. Thus, he argues:

There are three ways in which the ruler can bring grief to his army.
To order an advance, not realizing the army is in no position to do so, or to order a retreat, not realizing the army is in no position to withdraw – this is called “hobbling the army.”
To interfere with the administration of the army while being ignorant of its internal affairs will confuse officers and soldiers alike.
To interfere in military assignments while being ignorant of exigencies will lose him the confidence of his men.
Once the army has become confused and he has lost the confidence of his men, aggression from his neighboring rulers will be upon him. This is called sowing disorder in your own ranks and throwing away the victory. [2]

In all three examples, Sunzi notes different ways in which the ignorance of the non-expert compromises first the particular military operation, then the military as an institution, and finally the survival of the state as a whole. The complexity of security is the reason why specialized ranks of security experts exist in the first place. Presumably, that is also why companies pay six-figure salaries to obtain and retain these experts. To acknowledge the need for expertise and invest in experts, only to then disregard their expertise and blindly stumble about, is the height of stupidity. However, that is also the unfortunate reality for many organizations.

Instead of being asked for their expert opinion on the state of events, too many InfoSec personnel are told from on high what they should do – i.e. are being micromanaged regarding specific policies – by non-experts. As noted earlier, the legal framework in the cyber-security space is also created by non-expert lawmakers who, in their infinite hubris, backed by ignorance of all relevant things, make laws that make the information security community collectively face-palm. Thus, the personnel are already under pressure from one group of non-experts, and adding another layer of such non-expert intrusion can severely hobble the security space.

Sunzi reminds us that, even where the commander is competent, and where he follows the kind of ideology that should make victory inevitable, poor leadership can always snatch defeat from the jaws of victory. For the commanders of old, this could very well mean death-by-incompetent-ruler. In the modern context, the situation is little better, and can result in career suicide. It is for this reason (among others) that Chapter 1 noted the need for the commander to recuse himself from service if the ruler failed to live up to the required division of labor based on expertise (i.e. meritocracy).

Sunzi concludes the chapter with a pertinent bit of verse, both summing up the discussion so far and opening up the next section of the text.

He who knows the enemy and himself
Will never in a hundred battles be at risk;

He who does not know the enemy but knows himself
Will sometimes win and sometimes lose;

He who knows neither the enemy nor himself
Will be at risk in every battle.[3]

To know the enemy and self means to have access to zhi, and thus be able to leverage actionable information to attack strategies (shi) – in which case, the path to victory is broad (quan sheng), while defeat is the kind of anomalous outcome that almost requires a desire to fail.

To know the self, without knowing the enemy, means that we can at least identify our own strengths and weaknesses, and thus have some idea about where more work is needed. At the very least, this position has the potential for survival and improvement.

To know neither self nor the enemy is equivalent to swinging about, blindly, hoping to “win” even though we neither know what we are fighting, nor whether we’re doing well. This is tantamount to a blind archer, firing arrows at random, in random directions, hoping that his actions will somehow defeat an enemy he can neither see, nor can even be sure is there.

Again, there is the connection between InfoSec and CTI, but more importantly there is a pair of additional issues. First, there is no situation in which one can know the enemy and not know the self. This is a logical consequence of the fact that, if the self is not known, there is no way to determine that someone or something is a threat. If the self is not known, the enemy is, by default, unknown. Unfortunately, this is the state of much of the outsourced InfoSec space, and greatly contributes to the extent of damage suffered at the hands of hackers.

The second issue is that, if war is the “field on which life and death is determined,” then the means by which that determination is made is knowledge – not force. In fact, history is full of examples of knowledge overthrowing brute force, because with the right knowledge, far less force is necessary. It takes inhuman force to move a boulder by main strength; or it takes a properly placed lever and a few pounds of accurately applied pressure. This is the difference between force and actionable knowledge.

This interplay between knowledge of self and knowledge of the enemy is the primary subject of the next chapter.


[1] Sun Tzu. The Art of War. Pg. 80

[2] Ibid.

[3] Ibid.