The Art of Cyber-Security: Lessons From Sun Tzu


The Art of Cyber-Security Faruk Rahmanovic, Ph.D.

This is an analysis of Sunzi's The Art of War through the lens of the modern medium of cyber-security.
For more details, including an assessment of the validity of this project as well as a primer on terminology,
please go to www.actionablecs.com. The translation used for this analysis is:

Sun Tzu “The Art of Warfare.” Tr. Roger T. Ames. In The Book of War. Ed. Caleb Carr. New York: The
Modern Library, 2000.

Chapter 1: On Assessments

As we move through the Sunzi, the goal is to find the aspects of each chapter that most clearly map onto
our Cyber-security (CS) and CTI (Cyber Threat Intelligence) ideas, not to do an exhaustive analysis of
every line or to stretch the analogy. While we are primarily focused on the CS/CTI aspects, it should be
noted that the same analysis yields results for either hacking or pen-testing. That is, a proper
assessment of the ideas requires us to think from both the offensive and the defensive side.

The first Chapter of the Sunzi deals with the basic idea of understanding the role of war and assessing
military engagement. Sunzi begins:

War is a vital matter of the state. It is the field on which life or death is determined and the road that
leads to either survival or ruin, and must be examined with greatest care.1

As to the vital nature of security, that seems to be a foregone conclusion in the CS field. While the
economic costs of hacks are still fairly uncertain, companies incur the costs of the post-mortem analysis
and reconstruction, followed by largely self-inflicted costs – depending on the nature of the business.
For some companies, however, the hack may be the end, either by loss of public confidence or loss of
contracts, or both. One would expect that companies like OneLogin will have a difficult – if not
impossible – time recovering from the hack, given the nature of the services they provide.

Therefore, to gauge the outcome of war we must appraise the situation on the basis of the following
five criteria, and compare the two sides by assessing their relative strengths. The first is the way (tao),
the second is climate, the third is terrain, the fourth is command, and the fifth is regulation.

The way (tao) is what brings the thinking of people in line with their superiors.2

There are two ways to understand this notion within CS: 1) bringing the thinking of the organization in
line with the security aspects of the organization; and 2) bringing the thinking of the security aspects in
line with the functional realities of the organization. While these two positions may seem to be at odds,
another way of understanding this requirement is in terms of making sure the organization is working as
a unified whole, headed in the same direction, and not working at cross purposes. Thus, the security
element will do the most with what it has, and the organization will fall in line with the security
assessments and requirements; for example, not introducing rogue devices onto the company network,
or not entrusting their login information to third-party vendors.

1
Sun Tzu, "The Art of Warfare," tr. Roger T. Ames, in The Book of War, ed. Caleb Carr (New York: The Modern
Library, 2000), p. 73.
2
Ibid.

We can also consider "bringing thinking in line" as a way of effectively governing the
organization, so that the focus that goes into maintaining security does not diminish over time. On the
flip side, for hackers, wearing down defenses is a great avenue of attack: getting you to open that email or
attachment by making you lose focus on security.

Climate is light and shadow, heat and cold, and the rotation of the seasons.

Terrain refers to the fall of the land, proximate distances, difficulty of passage, the degree of
openness, and the viability of the land for deploying troops.3

To keep from stretching the analogy, we will combine these two criteria into a single point. Climate
and terrain map fairly well onto a holistic understanding of the security environment, including elements
like network topology, OS use, firewalls, proxy servers, physical access security, etc. Without a clear
understanding of what vulnerabilities lurk in our security, we cannot adequately account for them. Note
that this means that outsourcing security makes us ignorant of a crucial part of Sunzi's assessment: we
do not know the climate and terrain of our own security because it is not, in fact, our own.

Command is a matter of wisdom, integrity, humanity, courage, and discipline.4

From this point forth, "command" and "commander" refer strictly to the CS element of the organization,
and particularly to the heads of those departments. This part of the assessment deals with the question
of the qualifications of the CS head, i.e. how good is your general? While the specifics of the qualities listed
above will be clarified and demonstrated in later chapters, we can already glimpse some of their
meaning. For example, the question of humanity refers to the treatment of subordinates, which ends up
translating into the kind of practices that enable the hiring and development of the best available talent,
as opposed to ending up with another run-of-the-mill CS department, where the only thing between you and a
hack is the interest of the hackers.

And regulation entails the organizational effectiveness, a chain of command, and a structure for
logistical support.5

The last criterion seems to map directly onto the CS environment. However, there is more here than
meets the eye. Organizational effectiveness and logistical support are also an aspect of the tao, as is the
chain of command, which is also an aspect of command. Additionally, logistical support has two
separate elements at play, which will become more apparent in later chapters,6 but which we
can generally divide into internal and external categories, i.e. organizational structure and CTI.

Without some form of CTI, the organization and the commanders are left in the dark about the threats
they face and the nature of those threats. Unless there exists a solid structure of CTI logistical support, the
commanders will be unable to fully utilize their skills and act on the issue beforehand, rather than
reacting to it after the hack.

3
Ibid.
4
Ibid.
5
Ibid.
6
Specifically Chapter 13: Using Spies, but also as an implication of proper command throughout the text,
specifically in reference to Zhi and Shi.

All commanders are familiar with these five criteria, yet it is he who masters them who takes the
victory, while he who does not will not prevail.7

If you’ve been feeling like this portion has not introduced you to anything you do not already know,
Sunzi agrees! The criteria are not some magical new approach; they are the core that all people in the
field know (or should know). He introduces it anyway, but lays the stress not on knowing the criteria,
but on their mastery. That is to say, knowing is different than being: many students know what to do to
get the most out of a course and master the subject, but only the exceptional few embody that
knowledge and become the kind of people that actually master the subject – and they’re the ones who
end up on top.

The path to mastery is the subject of the rest of the book, as Sunzi presents us with the actions and
thought processes of an ideal commander.

Reflecting on the earlier points of assessment, Sunzi notes:

If you heed my assessments, dispatching troops into battle would mean certain victory, and I will stay.
If you do not heed them, dispatching troops would mean having certain defeat, and I will leave. 8

The phrase can also be read as "if a commander does not… dismiss him", indicating that the crucial
attitude may extend either to the master strategist or to the ruler's assessment of commanders.

This position demands of the ruler/employer that they employ only those strategies that are sound, and
that they demand that their employees follow those assessments. However, for the prospective CS
employee, or head of CS, it requires that they place their professional integrity above profit. If the
organizational structure of a company is such that clear warnings of the experts will not be heeded – i.e.
if the emotions of the higher-ups will take precedence over expertise – the “right” thing to do is refuse
the job, as an organization that undervalues the critical staff is one where the talents of the experts will
be wasted.

Having heard what can be gained from my assessments, shape a strategic advantage (shih) from them
to strengthen our position. By “strategic advantage” I mean making the most of favorable conditions
(yin) and tilting the scales in our favor.9

The idea of strategic advantage (shih) begins at this point, and continues throughout the book. What’s
crucial to notice is that shih is not something one simply has, or something that happens, but is to be
gained by “shaping” – i.e. extracted from the existing situation by directed effort, with a clear goal in
mind. Notice also that this shaping occurs separately for each instance of military action; it is not a thing,
but a context-dependent process, which necessarily takes into account the specific circumstances of
each action.

7
Sun Tzu, "The Art of Warfare," p. 73.
8
Sun Tzu, "The Art of Warfare," p. 74.
9
Ibid.

Finally, notice also that, in order to make the most of one’s favorable conditions, we must be fully aware
of the full variety of circumstances, our situation, enemy situation, their goals and ours, their strengths
and weaknesses and ours, etc. Since the notion of shih relies on the idea of leveraging information in
order to win, it necessarily depends on having access to the variety of information – including the
previously noted structure for CTI logistical support.

Warfare is the art (tao) of deceit. Therefore, when able, seem to be unable; when ready, seem
unready; when nearby, seem far away; and when far away, seem near. If the enemy seeks some
advantage, entice him with it. If he is in disorder, attack him and take him. If he is formidable, prepare
against him. If he is strong, evade him. If he is incensed, provoke him. If he is humble, encourage his
arrogance. If he is rested, wear him down. If he is internally harmonious, sow divisiveness in his ranks.
Attack where he is not prepared; go by way of places where it would never occur to him you would go.
These are the military strategist’s calculations for victory – they cannot be settled in advance.10

These core strategies read like a "how-to" list for hackers. While the focus here is primarily on a kind of
"offense" limited to the hacking (non-CS) side of the equation, getting a thorough grasp of the best
offensive strategies is the key to developing a functional idea of defense. This is especially true in cases
like ours, where the focus of security is on getting ahead of the hacking curve, instead of reactive,
after-the-fact patching.

The idea of enticing the enemy with an “advantage” is wonderfully demonstrated in the kinds of hacks
that target services and products that people and corporations use to gain a competitive advantage, or
simplify aspects of their work. For example, the recent ransom of major Hollywood films was
accomplished by hacking a third-party service provider used by the studio. The OneLogin hack targeted a
third-party security provider aimed at simplifying user experience. While the hackers did not create the
service-providers that were hacked (which would have been the full meaning of enticement), they
understood the enticement of such services, and targeted them instead.

The question of wearing down the enemy is about overloading the effort, funds, and focus available,
seeking to create and exploit a flaw. Constantly changing passwords, security modifications, resistance
to even the most benign DDoS attacks: all these activities place stress on the organization's members, and
persistence in attacks increases the likelihood of security making a mistake, thus allowing for the actual
breach. These kinds of harassing tactics also serve well to distract the target from the actual attack,
which may go after an entirely different target, and in an entirely different way.
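The distraction tactic just described is something a defender can look for directly: a sensitive change made while the alert queue is being flooded deserves more scrutiny, not less. The following is an added example, not code from the original article; the log format, the event names, the five-minute window and the threshold of 20 noisy events are all assumptions for illustration, and the sample log is constructed.

```python
"""Added example: flag sensitive actions that happen while defenders are being
worn down by noise (not code from the original article; log format, event
names, window and threshold are assumptions for illustration)."""
from collections import deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <event> <key=value ...>"
NOISY_EVENTS = {"auth_fail", "waf_block", "rate_limited"}               # the harassment
SENSITIVE_EVENTS = {"admin_created", "mfa_disabled", "fw_rule_changed"}  # the quiet real attack


def parse_line(line):
    """Split one log line into (timestamp, event, detail)."""
    ts_str, event, detail = (line.split(" ", 2) + [""])[:3]
    return datetime.fromisoformat(ts_str), event, detail


def find_masked_actions(lines, window=timedelta(minutes=5), noise_threshold=20):
    """Return every sensitive event together with the number of noisy events in
    the preceding window; 'masked' is True when that number reaches the threshold."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    recent_noise = deque()  # timestamps of noisy events still inside the window
    hits = []
    for ts, event, detail in events:
        while recent_noise and ts - recent_noise[0] > window:
            recent_noise.popleft()  # drop noise that has aged out of the window
        if event in NOISY_EVENTS:
            recent_noise.append(ts)
        elif event in SENSITIVE_EVENTS:
            hits.append({
                "ts": ts.isoformat(),
                "event": event,
                "detail": detail,
                "noise_in_window": len(recent_noise),
                "masked": len(recent_noise) >= noise_threshold,
            })
    return hits


def build_sample_log():
    """Constructed sample: one routine admin action at 09:00, then a flood of
    failed logins from three addresses at 10:00, during which MFA is disabled."""
    lines = ["2024-03-01T09:00:00 admin_created user=svc_backup by=alice"]
    flood_start = datetime(2024, 3, 1, 10, 0, 0)
    sources = ["198.51.100.10", "198.51.100.11", "203.0.113.7"]
    for i in range(30):
        ts = flood_start + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} auth_fail src={sources[i % 3]} user=root")
    quiet_move = flood_start + timedelta(minutes=3)
    lines.append(f"{quiet_move.isoformat()} mfa_disabled user=bob by=bob")
    return lines


if __name__ == "__main__":
    for hit in find_masked_actions(build_sample_log()):
        flag = "MASKED" if hit["masked"] else "quiet"
        print(f"{hit['ts']} {hit['event']:14} noise={hit['noise_in_window']:3} {flag}")
```

The point of the sliding window is that the noise itself is not the alert; it is the context that raises the priority of an otherwise routine-looking change. In a real pipeline the thresholds would be tuned per event type, and the sensitive-event list would come from change-control data rather than a hard-coded set.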

Attacking by way of places that would never occur to security is a point of deceit, but more importantly,
it is also a matter of guaranteeing success. While the gains may not be spectacular, attacks against
undefended targets do have the distinct advantage of success before engagement. This will become a
key issue in the next two chapters. For now, we can note that it may be possible to escalate privilege
from the most innocuous point of access. Therefore, a guaranteed victory that may not seem
particularly big carries the potential for additional victories down the line, if it can be exploited in the
right way. For the security end of this equation, this Sunzi principle emphasizes a holistic approach to
security (not focusing only on the top tier), and compartmentalization, so that a single uncontested loss
does not snowball into a full-blown crisis.
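The snowball from an innocuous foothold, and what compartmentalization does to it, can be made concrete by modelling hosts as a graph of "can take control of" relationships and measuring what an attacker reaches from the least defended node. This is an added example, not from the article; the hosts, zones, trust edges and allowed zone flows are all assumed for illustration, and "segmentation" here stands for any control (network zoning, credential tiering) that removes a cross-zone takeover path.

```python
"""Added example: blast radius of an innocuous foothold before and after
compartmentalization (not code from the article; hosts, zones, trust edges
and allowed flows are assumed for illustration)."""
from collections import deque

# Constructed trust graph. An edge A -> B means: an attacker who controls A can
# take control of B. The comment on each line is the assumed reason.
FLAT_NETWORK = {
    "printer": ["workstation_01", "file_server"],            # default creds, same VLAN
    "workstation_01": ["file_server", "domain_controller"],  # cached domain-admin creds
    "file_server": ["backup_server", "domain_controller"],   # service account is a DA
    "backup_server": ["domain_controller"],                  # same service account
    "domain_controller": ["hr_db", "finance_db", "file_server", "workstation_01"],
    "hr_db": [],
    "finance_db": [],
}

ZONES = {
    "printer": "iot", "workstation_01": "user",
    "file_server": "server", "backup_server": "server",
    "domain_controller": "identity", "hr_db": "data", "finance_db": "data",
}

# Assumed policy: a takeover edge may cross zones only along these flows;
# movement inside a zone is left untouched.
ALLOWED_FLOWS = {("user", "server")}


def reachable(graph, start):
    """Breadth-first search; returns {host: predecessor} for every host an
    attacker can take over from `start` (the start itself maps to None)."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return parents


def attack_path(graph, start, target):
    """Shortest chain of takeovers from start to target, or None if unreachable."""
    parents = reachable(graph, start)
    if target not in parents:
        return None
    path, node = [], target
    while node is not None:
        path.append(node)
        node = parents[node]
    return path[::-1]


def blast_radius(graph, start):
    """Every host other than `start` that falls once `start` is compromised."""
    return set(reachable(graph, start)) - {start}


def apply_segmentation(graph, zones, allowed_flows):
    """Drop every edge that crosses zones along a flow the policy does not allow."""
    return {
        src: [dst for dst in dsts
              if zones[src] == zones[dst] or (zones[src], zones[dst]) in allowed_flows]
        for src, dsts in graph.items()
    }


if __name__ == "__main__":
    segmented = apply_segmentation(FLAT_NETWORK, ZONES, ALLOWED_FLOWS)
    for name, graph in (("flat", FLAT_NETWORK), ("segmented", segmented)):
        print(f"{name}: printer compromise reaches {sorted(blast_radius(graph, 'printer'))}")
        print(f"{name}: path to finance_db: {attack_path(graph, 'printer', 'finance_db')}")
```

On the flat graph the printer, the least interesting host on the list, reaches every other host in three hops. After segmentation the printer reaches nothing, and even a compromised user workstation stops at the server zone; the same search that an attacker would run to find the snowball is the check a defender can run to confirm that the compartments actually hold.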

10
Ibid.

Finally, the military strategist's calculations for victory explicitly note what has already been mentioned
here, and in several earlier articles: there is no single, static, product-like way to achieve success in
either hacking or security. The entire notion of warfare and security is a fluid one, requiring a detailed
understanding of each situation and its context in order to address it functionally. This is why the traditional
Western model of warfare, so often represented by chess, is ultimately obsolete.

Besides treating the entire situation as a field of war where the only means of success is the
unconditional surrender of the opponent, regardless of cost, chess also gives us a symmetrical situation,
where the possibilities are in principle brute-force calculable, and where the possible moves are constrained by a
host of rules, so that the only way to surprise the enemy is by their own failure to calculate. We are now also
seeing the failure of the traditional military approach on the physical battlefield, because the enemy is
specifically avoiding traditional war engagement, the fight is deeply asymmetric, and the enemy does
not play by the rules. To then adopt the traditional war strategy in a medium that is perfectly suited to
a heterodox approach is the height of folly. A much more effective game-model of warfare, especially
for cyber-war, is the game of Go (also known as Baduk and Weiqi), which is perfectly in line with the
Sunzi ideology of war.11

It is by scoring many points that one wins the war beforehand in the temple rehearsal of the battle; it
is by scoring few points that one loses the war beforehand in the temple rehearsal of the battle. The
side that scores many points will win; the side that scores few points will not win, let alone the side
that scores no points at all.12

The temple rehearsal is, essentially, war games focused on a specific conflict one may enter into, in
order to determine strategy, etc. The key aspect of this passage lies first in the act of rehearsal
preparations, whereby the varieties of offensive and defensive measures are tested – something akin to
pen-testing. Without a thorough rehearsal, we remain in the dark regarding our own defensive (and
technically, offensive) capabilities. But this also tells us something else; in rehearsal, the quality of attack
and defense reveals the height of our own quality, ingenuity, and understanding. Pen-testing that
reveals no weaknesses indicates either perfect security (unlikely), or the failure of the red team to find
and exploit weaknesses (you should bet on this option).

The question of scoring points is particularly crucial for the last category: scoring no points. This option
is only achievable by utter failure of skill, or more realistically by failure to participate. Without
preparation and rehearsals, we stand no chance against an attack, and have no sense of our own
resources, strengths, and weaknesses. Without rehearsals against exceedingly strong opposition, we
create a false sense of security, which opens us up to further vulnerabilities in the long run. Without
being part of the rehearsals, we leave ourselves in the dark as to the realities of our situation. This last
failure is the result of outsourcing security and relying on the vendor's for-profit reports of its own capability and
success. At the risk of holding an overly cynical position, misreporting and misrepresentation of results is
essentially standard across the entire spectrum of industries, and believing the CS industry to be
somehow immune seems too big a leap of faith to bet your security upon.

Thus far, Sunzi has only provided a brief introduction, focusing on issues that are generally well-known,
but with the additional emphasis on the mastery of those issues. He has also already laid the
groundwork for the kinds of necessary functions that will require knowledge of both internal systems and
information-gathering factors, which creates the start of the intersection between CS and CTI.

11
Rahmanovic, Faruk. "Go and Sun Tzu." https://www.academia.edu/31360844/Go_and_Sun_Tzu
12
Sun Tzu, "The Art of Warfare," p. 74.
Finally, he has introduced the kind of relational thinking that is required for successful assessment, by
considerations of both sides engaged in a conflict, and a need for understanding the nature of offense to
develop a functional defense, and vice-versa.

In the coming chapters, Sunzi will turn to key qualities of an ideal commander and war ideology, and
then proceed to flesh out the ideas noted briefly in this introduction, and those noted in the next two
chapters.
