The Art of InfoSec – Chapter 8

Chapter 8 (Adapting to the Nine Contingencies) deals with the requirements for commanders to adapt to a variety of contingencies – i.e. universal types of preparation for dealing with threats. To begin with, Sunzi presents a list of contingencies based on physical locations. Though the medium does not transfer over to InfoSec, what does transfer, and rather well, is the underlying ideology.

The most pertinent of the contingencies are the concluding lines:

There are roadways not to be traveled, armies not to be attacked, walled cities not to be assaulted, territory not to be attacked, and commands from the ruler not to be obeyed.[1]

While disobeying a direct order is anathema in the corporate world, Sunzi here makes a subtle point, alluding all the way back to the opening chapter – where he states that a commander must not take on the role unless guaranteed the autonomy to properly exercise his expertise in fulfilling the task. That is, the role of war and security is of such crucial nature to the state (or organization) that non-experts must not be allowed to meddle in the operational execution of the mission – lest they jeopardize the very survival of the state. The rulers have the authority to decide that war is to be waged, but the execution of actual operations must be left solely to the experts.

What it takes to reach the level of expert and be capable of disobeying a direct order (while keeping your head, or your job) is a tricky business. For Sunzi, it is only the expert commander he describes who has the right, and the obligation, to do so. As to what makes the expert an expert, Sunzi notes:

Thus, a commander fully conversant with the advantages to be gained in adapting to these nine contingencies will know how to employ troops; a commander who is not, even if he knows the lay of the land, will not be able to use it to his advantage. One who commands troops without knowing the art of adapting to these nine contingencies, even if he knows the five advantages, will not be able to get the most from his men.[2]

Earlier references to a commander’s abilities have generally been aimed at doing, but now Sunzi shifts gears fully to knowing. For all the contingencies, the key factor is knowledge, and specifically knowledge of the enemy and the threat. That is, knowledge not of self – which is a given by this point, what with all the harping on that point in every preceding chapter – but of the other side. Though we’re still a few chapters away from Sunzi’s big reveal, even a cursory critical analysis forces us to ask, “where is this information coming from?” Since it is not knowledge of self, which is gained through self-evaluation and self-reflection, the source must be external information-gathering. That is, for a commander to be fully conversant with the contingencies, he must be engaged in significant data-gathering efforts about the world at large.

Sunzi throws in another detail about this data: it is not enough to have data; it must be fully understood in all its implications.

For this reason, the deliberations of the wise commander are sure to assess jointly both advantages and disadvantages. In taking full account of what is advantageous, he can fulfill his responsibilities; in taking full account of what is disadvantageous, his difficulties become resolvable.[3]

Clearly, deliberations require data to deliberate upon. Understanding the data is not some magical solution to all problems, but even the indicators of an upcoming problem – when properly understood – serve to minimize the kinds of damage that are coming our way. Perhaps there is no way to patch a vulnerability in time, but there is time to take servers down; perhaps there is time to gain crucial information. There is no scenario where knowing the kinds of harm heading our way does not give us a significant leg-up in dealing with the consequences – short of a full-blown Greek tragedy (see: Oedipus Rex). There is a reason that ancient cultures obsessed over divination – the art of telling the future – because any glimpse of what’s coming makes it more likely that we can survive it. The wise commander is the one who invests in gathering data and dedicates time to properly understanding it – and thus gets to live (more on gathering data in later chapters).

Do not depend on the enemy not coming; depend rather on being ready for him. Do not depend on the enemy not attacking; depend rather on having a position that cannot be attacked.[4]

Here, Sunzi directly contradicts the standard Western basis for security; namely, the notion of deterrence. As noted earlier, the Western use of deterrence as a military strategy and a security standard has had a long history. However, in the context of InfoSec, the very notion falls apart. The classical Chinese difference in the approach to security is the exact reason Sunzi can actually offer valuable insight on the topic.

Sunzi stresses two separate points here. First, an attack is always coming, and people with malicious intent abound like weeds after a rain. Moreover, the deterrence position will not work – not when the historical context is that of dozens of states and their militaries constantly maneuvering for any advantage; even if none is strong enough to fight you head on, you’ll die the death of a thousand cuts. Thus, always assume that harm is headed your way. Clearly, from this perspective the classical Chinese context closely resembles the current InfoSec landscape.

Second, do not depend on anyone but yourself to provide your security. Whether you live or die is a matter of your effort, not the good will of others. Thus, be ready and develop a position that cannot be (successfully) attacked. This development is up to you. Equifax, for example, did not suffer catastrophic failure due to some magical zero-day exploit; the hackers used an old exploit for a known vulnerability which had not been adequately patched by Equifax. Additionally, data gathering and the analysis of threats fall under the purview of the commander’s job; i.e. that is an element considered to be up to you and your efforts. Failure to see a threat coming, short of an act of God, is a failure of the commander to properly do his job.

A note on the unassailable position: as before, the idea of having a position that cannot be attacked is not about perfect security that can never be breached. Instead, it is the combination of all the aforementioned strategic methods, including the best possible physical security.

[1] Sunzi. Pg. 97.

[2] Ibid.

[3] Ibid.

[4] Ibid. Pg. 99.