The Art of InfoSec – Chapter 7

Chapter 7 – Armed Contest – is something of a psychological take on engaging in battle, and as such its application to InfoSec is a bit more direct, once we look past the particular examples. When read carefully, this chapter places a great deal of weight on intelligence gathering about the enemy – without which the maneuvers cannot begin to work.

What is difficult in the armed contest is to turn the long and torturous route into the direct, and to turn adversity into advantage. Thus, making the enemy’s road long and torturous. Lure him along it by baiting him with easy gains. Set out after he does, yet arrive before him. This is to understand the tactic of converting the torturous and the direct.

While the passage here seems rather obvious, it is worth exploring for its implications. First, almost every road – i.e. every project worth doing – is long and torturous. If it were not, the project would have already been completed. Thus, one should have the expectation that all things in the information security realm take extreme time, effort, resources, and competence – at least if done right. Second, difficulties arise when we become reactionary, instead of responsive. The more complete discussion of the difference can be found here, but the takeaway is that response is a calculated and deliberative act that requires time and effort spent in deliberation – something we tend to lack when forced to (re)action by the latest crisis. Third, the adversity (which is part of the torturous road) cannot be turned to advantage without deep knowledge and a thorough investigation. This means that the reality we face can only be turned to our advantage through leveraged intelligence and effort.

With that expectation in mind, we should invest heavily in the kinds of people and resources that will, in the long term, make the efforts easier. These kinds of investments are inherently investments in intelligence. Knowing the kinds of threats and defenses that we are working with allows us to find or create shortcuts ahead of time – instead of relying on an ad hoc approach in the moment of crisis.

Sunzi follows this line of thinking, as he continues:

Therefore, unless you know the intentions of the neighboring states, you cannot enter into preparatory alliances with them; unless you know the lay of the land… you cannot deploy the army on it; unless you can employ local scouts, you cannot turn the terrain to your advantage.

Obviously, intelligence, and the preparatory considerations based on it, are an absolute requirement for any hope of victory.

An entire army can be demoralized, and its commanders can be made to lose heart. Now, in the morning of the war, the enemy’s morale is high; by noon, it begins to flag; by evening it has drained away. Thus, the expert in using the military avoids the enemy when his morale is high, and strikes when his morale has flagged and has drained away.

Use your proper order to await the enemy’s disorder; use your calmness to await his clamor. This is the way to manage the heart-and-mind.

This section ties back into the “make yourself invincible, then wait for the enemy to make a mistake” idea of earlier chapters. However, there is a deeper factor at play here. Reactionary fear, as a consequence of a hack, opens gaps in our defenses, and throws the system into chaos. This fear is a matter of preparedness, but also of the kind of political landscape in which InfoSec personnel find themselves.

As with all other fields, when something goes wrong, attention turns away from a logical response, into a panic-induced reaction. We have seen glimpses of this problem generally, where social pressure wears down the public resolve and leaders are forced to action on behalf of a demoralized state/organization (e.g. the self-inflicted damage of corporations volunteering to provide their customers with expensive but generally ineffective services, as a way to appease the mob).

The disorder that comes from reactionary moves is the kind of panicked flailing about in which logic has fled. It makes us incapable of questioning premises – and thus we’re forced to “fix” things that are not broken, or to devote time and resources to irrelevant ideas. NPR, for example, still has on “experts” warning about tax return scams – despite the fact that the scam, and its accompanying methodology, became moot about 8 years ago. But the public insists on protection against threats they’ve heard about (“that one time”) that no longer exist, and the InfoSec field is being asked to provide it – even if it means “checking the gigabytes.”

In the long term, these kinds of demoralizing and bad-law results are far more harmful to the information security community than the data breaches themselves.

To await disorder with your order should then be taken as a preparatory activity – whether it is educating the public, or the lawmakers, or the CEOs of companies, or some other activity entirely – to prevent the outbreak of chaos that can be used to cause further long-term damage to the CS field.

Use your closeness to the battlefield to await the far-off enemy; use your well-rested troops to await his fatigued; use your well-fed troops to await his hungry. This is the way to manage strength.

While physical proximity, weariness, and hunger are not a functional part of information security, the passage here offers a rather interesting insight into the level of intelligence required by Sunzi. To know where the battlefield will be is the first requirement – i.e. knowing where your enemy is headed. To know which troops to engage requires that we know when the enemy will arrive, and the state of his forces and resources. None of these things are possible unless we have gathered intelligence ahead of time, have chosen the battlefield, and are essentially guiding him to us, while keeping a close eye on his movements. That is to say, one cannot effectively engage the enemy without being armed with functional intelligence well ahead of time.

Do not intercept an enemy that is perfectly uniform in its array of banners; do not launch the attack on an enemy that is full and disciplined in its formations. That is the way to manage changing conditions.

While no one relishes the idea of retreating before the enemy, it is sometimes the most functional strategy. Taking the servers down for a day or three has a cost, but it is likely far lower than the cost of getting hit directly by a serious hack. Again, however, knowing when to back off is premised on serious intelligence operations – so that the enemy’s banners and formations can be seen before the fight erupts.