The Art of InfoSec – Chapter 3

Chapter 3 of the Sunzi is divided into two sections. The first section focuses on the core strategies of thinking about military engagement – i.e. crucial guidelines in how to approach the threat of, and engagement in, war. The second section focuses on the implications of failing to do so. Interwoven throughout is the idea of functionality and efficiency as directly proportional to the actionable military intelligence possessed. This idea continues the trend we saw in Chapter 2, viz. the question of effective victory and military costs. The focus on intelligence also continues the trend of connecting InfoSec and CTI at the most fundamental level.

Contrary to the endless movies, where the focus is always on the action, and planning is seemingly absent, or at best fits into a 2-minute montage, planning is the stage where all the actual work is generally done. Shifting tactics, ad hoc solutions, or just winging it may work on occasion, but every such “in the moment” decision is both a failure to plan appropriately and an increased risk of complete failure – owing to the lack of preparation. All reliable success stems from properly grasping strategy, embodying it, and honing oneself to perfection, so that no defense can withstand the cunning attack and no offense can penetrate the crafty defense. For Sunzi, strategy is essentially the polar opposite of brute force.

In Chapter 1, Sunzi laid out the elements to compare for predicting victory. In Chapter 2, he provided an outline of strategy and the broad conditions for attaining it. In this chapter, Sunzi fills in the details for properly grasping the order of strategic operations, and the conditions on which they depend. As with the other chapters, Sunzi balances somewhere between clarifying/expanding on earlier ideas, and introducing new ones that will require later clarification. Once again, he stresses a strong relation between the ideas of command and of having intelligence.

It is best to keep one’s own state intact; to crush the enemy’s state is only a second best. It is best to keep one’s own army, battalion, company, or five-man squad intact; to crush the enemy’s army, battalion, company, or five-man squad is only a second best. So, to win a hundred victories in a hundred battles is not the highest excellence; the highest excellence is to subdue the enemy’s army without fighting at all.[1]

The passage here alludes first to the classical Chinese experience of war as an essentially unceasing activity, where enemies abound and no one victory settles the issue. Preservation of self takes the highest place in the order of operations, and the destruction of the enemy alone is ultimately a subpar result. This again highlights the contrast between the Chinese and Western ideologies, because the costs of victory must be accounted for (particularly evident in the difference between the Go and Chess models of war), and the state of continued functionality is crucial. For example, a victory that hobbles the state is worse than a minor loss that leaves it operational, because the long-term impacts of such a victory are far more likely to produce severe harm to the state.

Thus, the concluding line of the first passage notes that the mere act of victory through continuous fighting is itself a subpar result – or rather a kind of failure. While this may seem counterintuitive at first, it makes a lot more sense when we consider some of the already noted elements. For example, Sunzi already warned about the need to keep military operations short, and that continued use of force results in weakening of the state – militarily and economically. This translates into the simple fact that the cost of military use – even where victorious – compounds over time, and weakens the state in the long run. We can also ask how it is that, having won 99 battles, there is anyone still willing to go to war with us? The only coherent response is that the victories we have claimed were either generally a matter of luck, not skill; or alternately, that the cost of winning has left us in a weakened state that a reasonable enemy can expect to leverage into a victory for themselves. In either case, that makes the battle victories a type of failed strategy. The victory without fighting is the aforementioned quan sheng, and will be explained below.

In terms of InfoSec, this section makes some rather interesting points. First, we have the idea that the preservation of the organization (i.e. its continued functioning) should take precedence over defeating an attack. Again, though apparently contradictory, the point goes to the question of continued functionality, and the question of how to best preserve oneself. Taking a minor hit today is, for Sunzi, preferable to avoiding a hit at a far greater long-term cost.

A good example may be the 2017 ransomware attacks. When the ransomware began initially popping up, preemptively taking down our servers for analysis and decontamination would have been a costly measure. However, getting hit by the same wave of ransomware is more expensive, both in terms of loss of functionality and in the additional ransom costs – not to mention the difference in incident response when conducted preemptively versus post mortem.

The costs of a constantly embattled InfoSec team are an additional factor to consider. A top-notch team can spend weeks or months deconstructing an attack, digging through every system to find possible sleeper remnants, and tearing apart the infecting code. All this work is usually done against a hard deadline, and results in round-the-clock work. One such incident leaves the team drained. Several in a row leave them comatose. Besides not making progress on other projects, the team loses functionality – that is the cost of victory. When the functionality loss comes during a lull in attacks, the consequences are minor. When it comes on the heels of another attack, the costs become very real.

Therefore, the best military policy is to attack strategies, the next to attack alliances, the next to attack soldiers, and the worst is to assault walled cities.[2]

Winning without fighting sounds all well and good, but also a bit like the old Bob Newhart skit, where the therapist simply yells “stop it!” as a cure. However, Sunzi is not about empty claims, but about demonstrating actionable solutions. The order of policy above has a directly proportional relation to the degree of actionable intelligence possessed. That is, the better the policy, the higher the degree of actionable intelligence required.

Starting at the bottom, walled cities are fixed features, and cannot be moved. Their location is known to all, and thus assaulting them requires no intelligence, only men. They are easy to attack, but difficult to capture, and carry inordinate costs for success. By way of example, the US military liberation of Mosul from ISIS has taken more than 2 years, and had estimated civilian casualty rates at some 8,000, with another 800,000 displaced – and over 4,500 liberating soldiers wounded and 800 killed. Keeping in mind that the ISIS forces are militarily a joke – especially when compared to the overwhelming technological and destructive power of the US – the costs of taking a city should be clear. In terms of InfoSec, taking a walled city is the equivalent of taking down Anonymous, as a group – damn-near impossible and costly beyond belief. The one public attempt resulted in the hired help getting hacked instead – much to everyone’s embarrassment.

Soldiers, especially as part of a large unit, are easy to see. However, they can move, and their offensive and defensive capabilities are contextually dependent (top of a hill or in a ravine), and so require that our knowledge and timing are at least timely. Soldiers, by the nature of their profession, are also likely to put up a fight, meaning that the costs associated with attacking soldiers are also significant. In terms of InfoSec, we can liken the attack on soldiers to an attack against specific hackers. Again, the process is grueling and uses up immense resources, but is fairly straightforward, and requires relatively little intelligence. Its rate of success, however, is also fairly low.

Alliances may be public, but can often be made in secret or have secret content that becomes clear only when it is too late to do anything about it. A great pop-culture example is Littlefinger double-crossing Ned Stark; by the time Ned learns of the Littlefinger/Cersei alliance, he’s already under arrest (Game of Thrones, Season 1 – spoiler alert!). Although they require more intelligence to uncover and attack, dismantling alliances reduces the enemy’s fighting power, and may even prevent attacks entirely, by taking away key resources. While they may be secret, alliances come with a paper trail, and successful CTI operations can unearth them – along with their full content.

Since alliances are brokered deals, they usually depend on both parties fulfilling some obligation in exchange for support. If these obligations can be interrupted, or if the allies can be enticed away from the enemy with better terms, the alliances break down and the enemy is left in a state that generally prevents him from being a threat. This is a Chinese take on the old “divide and conquer” line. By attacking alliances, we can gain crucial information about the enemy, about their plans, timelines, and needs.

Attacking strategies requires the most actionable intelligence, has the best victory success rate, and carries the least military cost. The obvious problem in attacking strategies is that they are the most difficult to discover – since they do not come from a manual, and are likely located primarily in the heads of a few individuals. Adding to the complexity is the fact that new strategies can be hatched, and then they require additional discovery, and so on. Thus, finding out the strategy is exceedingly difficult, but leveraging it into actionable implementation is exceedingly easy.

Once a strategy is known, it becomes exceedingly easy to counter. Robbers waiting for you down this alley? Go down a different alley. A speed trap behind that turn? Slow down. A military ambush on this road? Take a different one or call in an airstrike on their position. A hack scheduled for Tuesday between 3:00 and 5:00 am? Take servers offline for maintenance.

Reading the enemy strategy ahead of time provides us not only with the intended plan of action, but also with the conditions necessary for their strategy to work. Even if the strategy itself cannot be beaten, so long as the necessary conditions can be prevented, the whole thing collapses.

Therefore, the expert in using the military subdues the enemy’s forces without going to battle, takes the enemy’s walled cities without launching an attack, and crushes the enemy’s state without a protracted war. He must use the principle of keeping himself intact to compete in the world.[3]

In this passage, as brief as it is, Sunzi gives us the core of what it means for the commander to be successful, in the sense of highest excellence: to obtain actionable intelligence (zhi), in a way that eschews force and violence and preserves the self by leveraging intelligence (shi). Such a commander attacks strategies, preventing the actual conflict from materializing (quan sheng). The lesser commanders, by increments of decreasing aptitude and proportionally decreased access to actionable intelligence, are forced to attack alliances, then soldiers, and finally walled cities – relying less and less on their own strategy, and increasingly on brute force and violence – increasing the costs of operations and decreasing chances of success.

Yes, the expert also subdues the enemy forces and takes the walled cities, but he does so in a way that lacks the component of expending resources on force. A great example of using the military in this way can be found in the 627 AD Muslim defense of Medina against the combined military might of Southern Arabia. By using a series of trenches to block access to the city, the 3,000 defenders turned back the 10,000 attackers without fighting. In 630 AD, the Muslim conquest of Mecca also went off without firing a shot – as the 10,000-strong army materialized on the city outskirts, marching in before the defenders were aware of them – and forcing the city to surrender. This is the difference between the expert and the layman.

Sunzi completes this theme by noting that the expert relies on the noted self-preservation approach, and does so in order to be able to compete in the world. Victory loses its meaning where the costs run too high, because the momentary victory sets up long-term failure. Militarily, the Napoleonic and Nazi invasions of Russia faced these exact problems. While both Napoleon and the Nazis were continually successful in their war efforts, the accumulating costs eventually snatched defeat from the jaws of victory. We can also note that the successful elements of Napoleonic and Nazi victories came predominantly during the blitz portions of their engagement, where the efforts were swift – as opposed to the prolonged campaigns against Russia. We can also look at the game of Risk as a decent example of costly momentary victory – where a player conquers a large region, but leaves it minimally defended, followed by getting the whole region steamrolled within a turn or two.

In terms of InfoSec, this passage has again stressed the interrelated nature of InfoSec and CTI. It has additionally pointed to the kinds of information security costs that must be accounted for when considering the nature of security in a space that does not admit of a final victory. The expert at InfoSec, to paraphrase Sunzi, uses actionable intelligence to prevent an attack from connecting meaningfully. If that cannot be done, he uses intelligence to reduce the rate and severity of attacks. If that cannot be done, he attacks the individual intrusions. If that cannot be done, he seeks to dismantle the infecting code. At each level, the intelligence required is less, the costs are higher, brute force plays a larger part in operations, and the rate of success is reduced.

We should also note that, while the InfoSec side is trying for the actionable intelligence (zhi) and application (shi), the hackers are doing the same. As Sunzi warned us at the start, this is a matter of life and death. And as the terminology itself made clear, this struggle must be understood relationally, in the context of all the sides struggling.

The 20th century German philosopher Martin Heidegger famously noted that we never simply “think,” we always “think about.” Similarly, we are never engaged in security, we are always “securing against;” and the collection of intelligence is both “intelligence about” and “intelligence from” a source. Informationally, Sunzi’s highest excellence is about the ability to discover the enemy, as well as to discover our own strengths and weaknesses before they’re exploited (zhi). Actionably, this intelligence is about creating an impenetrable defense before the exploitation – and thus preventing the attack (shi) – or rather, preventing the attack from connecting. Consequently, we must understand that leveraging actionable intelligence is the lifeblood of war and security, without which we remain entirely at the mercy of our enemies.
[1] Sun Tzu. The Art of War. Pg. 79

[2] Ibid.

[3] Ibid.