InfoSec, Sun Tzu and the Art of Whore

18 min read Original article ↗

Fri Jul 2 14:42:30 CDT 2010

swtornio & jericho

Sun Tzu / Roadkill Lately, you can't swing a dead cat without hitting someone in InfoSec who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In "The Art of War," Sun Tzu's writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren't terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu's work is not relevant to modern day Infosec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - The Art of War

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don't need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don't see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy. Even penetration testers conduct their 'battles' within a limited scope, under supervision and governed by laws. A pen test is absolutely NOT knowing your enemy. Turning your own people, or agents you employ, against your own networks to test their security tells you nothing about your attacker. It is an exercise in better knowing your own strengths and weaknesses. It's also not "thinking like your enemy." If you can't identify who your enemy is, you can't think like him. All you can do is apply your own offensive techniques against your own position. The only application of Sun Tzu's work today might be relevant for the bad guy attacking a specific target.

Sun Tzu makes many statements about victory in war, none of which apply to InfoSec, since the war cannot be won. We don't have one enemy, we have an inexhaustible supply of a wide variety of enemies, and most don't even care who we are. Do you know your enemy? If you answer 'yes' to that question, you already lost the battle and the war. If you know some of your enemies, you are well on your way to understanding why Tzu's teachings haven't been relevant to InfoSec for over two decades. Do you want to know your enemy? Fine, here you go. your enemy may be any or all of the following:

What's more, these enemies have our networks under siege, which Sun Tzu says is no way to win a war.

The rule is, not to besiege walled cities if it can possibly be avoided. The preparation of mantlets, movable shelters, and various implements of war, will take up three whole months; and the piling up of mounds over against the walls will take three months more.

Um, yeah. Sun Tzu's not helping us here. How about that popular one about knowing your enemy?

Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.

But of course, there is no winning. You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don't "win" if our homes and windows survive the storm. It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global "cyberwar", we should probably focus on the mundane, boring details of maintaining and monitoring our networks.

Sun Tzu "Sun Tzu was an ancient Chinese military general and strategist who is traditionally believed to have authored The Art of War, an influential ancient Chinese book on military strategy considered to be a prime example of Taoist thinking." Tzu's treatise on strategy, "The Art of War" is available in all shapes and sizes, translated by dozens of scholars. Further, it has been translated or adapted to be made relevant to all walks of life including managerial strategy, achieving life goals, spirituality, writing and more. Given the writing deals more with the mindset, logistics and strategy of war, it is trivial to apply many of its concepts to almost any facet of life. The book is a fascinating read and highly recommended for people of all ages, profession or culture.

Unfortunately, the application of The Art of War is often too aggressive, short-sighted or otherwise lacking in relevance. In some cases, this broad philosophy and mindset is applied to a very minute aspect of society or life. In other cases, some aspect of our society may change and people fail to consider that Tzu's writings may not be entirely appropriate any longer, or simply not valid most of the time.

The Art of War has become increasingly popular in Western culture over the last decades. Some attribute this to popular movie references, others suggest it is "more accessable .. and has a less specialised vocabulary". The computer security industry has firmly embraced it, as references to the work permeate "cyber security" literature.

References to Tzu's work are diverse in the computer security world, but mostly demonstrate an adolescent obsession rather than a basic comprehension of the material and accurate analogy to similar circumstances in a digital world. Because Tzu's work is considered "sexy" to many, they tend to shoehorn his thoughts on engaging in war to disparate disciplines that did not exist 2,500 years ago.

Now, it is common to see arbitrary quotes with very loose tie-ins to a presentation, training courses based on or centered around Tzu ("What do Sun Tzu's teachings have to say about C compilers.." really?) and security companies named after him (also suntzudata.com / saecur).

The following are examples of the numerous misunderstandings we see in Information Security, when Sun Tzu fanboy mentality overides the logical interpretation and understanding of his work.

Before you decide to convince your boss not to build a wireless network for your intranet, think through how you can solve the problems we have outlined. The problems may be scary, but that's why you are reading this book. Once you know the methods a hacker can use to attack the wireless network, you can protect yourself by closing those holes. If you have read The Art of War by Sun Tzu, then you should know this saying: "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Perhaps the most often quoted line from the Art of War, and the most obviously bad analogy in today's world of information security. At some point in time, sooner rather than later, your company will be compromised, will be 'hacked', will lose information or will fall victim to some form of security incident. You can pretend to know your enemy, you can reflect on your company all day long and 'know yourself' better than anyone, and it simply will not make a difference sometimes.
[Dmitri Alperovitch] said that Russia defines cyberwar as a force multiplier while China views cyber war as a way to get control of an enemy without the need for engaging on a physical field of battle. "It's straight out of Sun Tzu," he said.
I speak of controlling the following things white man: military expenditure, general's irritation, success through cultivation of moral law, large forces (your own), soldiers (your own), the forces of victory and council-chamber situations. I do not talk about controlling an enemy, on or off a battle field.
This convoluted news sound-byte really makes no sense at all. Worse, the paragraph before Alperovitch says the U.S. is "in the midst of a cyber Cold War". Uh, the "Cold War" was not an actual war, did not have a battlefield (physical or virtual) and really isn't a topic Tzu covered.
The idea that a less-capable foe can take on a militarily superior opponent also aligns with the thoughts of the ancient Chinese general, Sun Tzu. In his book "The Art of War," the strategist advocates stealth, deception and indirect attack to overcome a stronger opponent in battle.
It is the rule in war, if our forces are ten to the enemy's one, to surround him; if five to one, to attack him; if twice as numerous, to divide our army into two.

If equally matched, we can offer battle; if slightly inferior in numbers, we can avoid the enemy; if quite unequal in every way, we can flee from him.

Hence, though an obstinate fight may be made by a small force, in the end it must be captured by the larger force.

Did you even read the damned treatise?
Sun Tzu would send an assassin to the enemy's camp and kill the opposing general right before the battle (in technology that is called a zero-day attack). The ensuing chaos made victory nearly certain.
Whether the object be to crush an army, to storm a city, or to assassinate an individual, it is always necessary to begin by finding out the names of the attendants, the aides-de-camp, and door-keepers and sentries of the general in command. Our spies must be commissioned to ascertain these.
First, Tzu never said anything about assassinating the enemy general. While it is possible he employed that technique in battles, we have not found citation to confirm it. Second, the one reference to 'assassination' in the Art of War, quoted above, talks about the practice in general and even says "an individual".

If the opposing general is the leader figure, then the analogy today would be more akin to taking out the CEO, CSO or some leadership role. If the opposing general represents a technological lead, then perhaps an analogy to a denial of service attack against the security infrastructure of a target company would be appropriate. Either way, the idea of slaying the opposing general is nothing akin to a "zero-day attack", an attack based on exploiting a vulnerability "unknown to others or undisclosed to developers". The threat of a dead general, be it to assassin, disease or accident, was a known threat. Further, while a suddenly dead general would cause chaos to the enemy, a zero-day attack likely remains undetected and undiscovered, not bringing about chaos. Failed analogy all around.

Sun Tzu Demise Perhaps the most fundamental flaw most people seem to exhibit is their desire to compare Sun Tzu's Art of War to today's issues, when it was really only applicable twenty or more years ago. Back then, administrators found themselves in a situation where they could know their attacker, or come to know them. Perhaps the most well-known case of this is Cliff Stoll and his tale outlined in the Cuckoo's Egg. This was one administrator against one attacker and what turned into a long cat and mouse game. Their virtual struggles are more in line with Tzu's outlines regarding knowing an ememy and knowing one's self.

Today? See the list earlier in this article. There are thousands of people scanning your system every day. The motive for their activity is as diverse as the people on the other side of the keyboard. No matter how well you get to know one, keeping that one out will do nothing to protect you from the other thousands. Today's Internet and system defense isn't a chess game any more. Rather, it is a game of dodgeball where the other team has a thousand players, do not use regulation equipment and are throwing at a deaf and blind opponent. Enjoy the baseball to the groin as you finally figure out who one of the thousand opponents are.

Warfare in the days of Tzu was about a large army led by one general and a handful of officers. Anyone below the rank of a general was a soldier and there generally wasn't a lot of free thinking related to battles. "Knowing the enemy" was about knowing the small command structure (i.e., general, officers) and logistics of the opposing army (e.g., troop count, location, weaponry). Tzu's treatise was written with this type of warfare in mind, and it was brilliant. In this day and age, warfare is different, and no matter how you try to shoehorn his work in, it will be very uncomfortable in some spots.

It is also interesting to note how security professionals love to quote Tzu in a capacity that contradicts some of security's old maxims. For example, the extremely popular and often parroted, "security through obscurity is no security at all!" As a long-time advocate of "security through obscurity" as one of many methods to achieve a secure environment, it is refreshing to see more professionals accept this basic truth. Unfortunately, many found this acceptance by latching on to various passages in the Art of War and realizing that obscurity can be a valuable tool.

Paris Hilton If Sun Tzu isn't a good choice for InfoSec analogies, who is? After considering many of the frequent examples above, the obvious answer is "just about anyone else". In the last 2,500 years, if a more suitable and timely treatise has not been written governing ideas behind warfare, perhaps we should just admit that a new treatise should be written governing computer attack and defense. And please, no treatise on "cyberwar", or we'll be forced to write another rant.

Until that new magical treatise is written, let us consider other notable figures that can guide us on computer 'warfare' just as well as Sun Tzu. When considering their lessons, it may be surprising to you to find how they are seemingly more relevant to today's security threats and dealing with thousands of enemies at a time. It is interesting that so many in the industry are such fans of Tzu, while not using Carl von Clausewitz' Vom Kriege or Niccol� Machiavelli's Dell'arte della guerra.

Perhaps we can gain insight into today's computer security by looking at other notable historical figures?

Genghis Khan While Tzu was a formidable military strategist, he was not one who put that strategy to use as other generals did. Genghis Khan was the founder and backbone of the Mongol Empire, the largest contiguous empire in history. He revolutionized warfare for his time and put his strategy and military tactics to decisive use. Running campaigns on multiple fronts, he expanded the Mongol Empire in opposite directions at the same time. Comparing Khan's military tactics to today's entrenched companies is more appropriate than Tzu by far. One could easily argue that Khan thought beyond 'chess' in battle; he would also come at you with every possible weapon, tactic and strategy at the same time if it ensured victory. Khan himself did not lead all of the Mongol offensives, as he gave absolute trust to his generals. "Know the enemy" takes on new meaning when you must know the ruler and every one of his generals, who were empowered to lead as they saw fit, and frequently used their own ideas and tactics in battles.

Mark Twain Samuel Langhorne Clemens, better known to most as Mark Twain, was fascinated with science and scientific inquiry. With a few inventions and patents under his belt, we should actually look toward his humorist side for insight into computer security. Some of the fun quips from this famous author may seem light and frivolous on the outside, but can be just as relevant to the protection of your virtual assets, if considered in the right light. Sure, some of his more profound thinking can be applied to that pointy haired boss rather than the firewall, IDS or wiley hacker that seeks to plunder your network. However, that doesn't make his wisdom any less relevant to your organization.

question mark With Tzu coming up short, and those who "study" his works coming up shorter, it really can be left up to the imagination for relevant material to be dragged into the computer security discipline to be forged into future bad analogies. Apparently it doesn't matter that security professionals find the need to dumb down computer security for their audience, be it executives, users or the audience of a presentation. Instead of focusing on that being the issue, most are happy to traipse about bad-analogy land instead of truly educating users through more focused material. If that's the case, why go with the old favorite of Tzu? Why not branch out and have fun with your audience? After all, if you have to compare today's technology and the threat of computer criminals to your network, why settle on a 2,500 year old general who only had experience with an abacus? Jump to a more modern set of heroes that can give us wisdom on attack and defense, conquering hearts and minds, knowing the enemy and/or the appeal of a filbert.

If these examples demonstrate that falling back to the same Tzu quotes aren't necessary, we encourage you to pick a random figure from history and see if his or her notable quotes apply to information security. The next presentation that flashes a Tzu quote will prompt us to walk out. The next presentation that equates the ideas of Joan of Arc, Shrek or Charles Manson to information security should be entertaining and engaging. If these aren't interesting or you can't find their relevance to computer security, our last idea of who you should consider quoting, that may seem really outlandish and mind-blowing, are some of the pioneers of information security. Anderson's "Computer Security Technology Planning Study", Ware's "Security Controls for Computer Systems" or Myers' "Subversion: The Neglected Aspect of Computer Security" can all offer insight into the security problems we face today, despite being written thirty years ago (or more).

To borrow a quote from Tzu, and use it to our ends:

"The general (presenter) that hearkens to my (our) counsel and acts upon it, will conquer: let such a one be retained in command! (praised) The general that hearkens not to my (our) counsel nor acts upon it, will suffer defeat:--let such a one be dismissed!" (boo'd off stage)

Copyright 2010 by Steve Tornio and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Cupcake and Lyger.

Should you feel generous, please donate a couple of bucks to any 501(c)(3) non-profit that benefits animals or computer security on our behalf.

main page ATTRITION feedback