Advice from Sun Tzu and John Boyd on winning at cyberwar

Summary: While we’re enmeshed in 4th generation wars we don’t know how to fight, (let alone win) a new form of conflict arrives. Least we repeat our feckless habit of fighting then thinking, let’s develop strategies before serious clashes begin. Chet Richards helps us decide if the military classics can help us, or has new tech made them obsolete?  {2nd of 2 posts today.}

“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.”
— Sun Tzu in The Art of War.

The Art of War
Available at Amazon.


Chet Richards comments on

InfoSec, Sun Tzu & the Art of Whore
by Steve Tornio and Brian Martin.
Posted At Attrition, 2 July 2010.

The authors did a great job. I found nothing to argue with in their article. But they appear to have underestimated the power of Sun Tzu’s advice, even in the unique realm of cyberwar.

I can’t argue with their observation that if you try to follow the specific prescriptions of of The Art of War,  you’re either going to be playing with analogies or you must find an opponent willing to act like a Chinese army of the Warring States Period (475-221 BC).

However, when viewed from another perspective it’s possible to see beyond the specifics of long-ago technology for deeper insights. These insights are rooted in human nature and so may prove as useful to cyber war as to any form of conflict.

Their criticism, for example, of how people tend to apply Master Sun’s advice also applies to the works of the late John Boyd (Colonel, USAF), whose major briefing, Patterns of Conflict, appears to be all about war, and mostly about the German Blitzkrieg. But to find deeper meanings, let’s start with what Boyd said about Sun Tzu’s Art of War, on Patterns of Conflict chart 13. First, he talks about some of the “themes” he finds in the work:

John R. Boyd (Colonel, USAF)

  • Harmony and trust,
  • Justice and well being,
  • Inscrutability and enigma,
  • Deception and subversion,
  • Rapidity and fluidity,
  • Dispersion and concentration,
  • Surprise and shock.

An organization engaged in any kind of conflict might well find some of these useful for destroying the cohesiveness, and thus the effectiveness, of an opposing organization while ensuring its own. As an aside, note that the elements of these pairs seem to reinforce each other (e.g., “harmony and trust”) with one apparent exception. This is typical of how Boyd did his own syntheses.

Then he relates these to Sun Tzu’s strategy (remember, these are Boyd’s interpretations. Yours may — should — differ):

  • Probe the enemy’s organization and dispositions to unmask his strengths, weaknesses, patterns of movement and intentions.
  • “Shape” the enemy’s perception of world to manipulate his plans and actions.
  • Attack the enemy’s plans as best policy. Next best disrupt his alliances. Next best attack his army. Attack cities only when there is no alternative.
  • Employ cheng and ch’i maneuvers to quickly and unexpectedly hurl strength against weaknesses.

Let’s look at this list in a little more detail because if you’re going to get anything useful from The Art of War, or from  Boyd, you can’t take their texts as dogma.  Master Sun to the contrary, for example, there are sometimes good reasons to attack cities: You might intend to draw the opponent into battle at a time and place that is favorable to you (e.g., you’ve prepared an ambush). Also, forcing a quick capitulation of a fortified city can demoralize your opponents. In fact, quickly obliterating anything that the opponent considers safe can have this effect. Might there be cyber equivalents to cities? To name just one possibility, picked at random out of the blue, might the same logic apply to personnel databases? This is not to say that databases are analogous to cities but that both are instances of heavily defended, valuable resources.

Taking this to another level, if you loudly announce that you’re following Sun Tzu, your foe might become confused, disoriented and demoralized when you avoid his army to demolish a major city. Soldiers from other cities in his realm might well desert to protect their homes. Does he have to split his army up and try to defend them all?

The point is that you shouldn’t take any text as a cookbook for tactics. Boyd would often say “Don’t be a member of Clausewitz’s school because a lot has happened since 1832. And don’t be a member of the Sun Tzu school because an awful lot has happened since 400 b.c.” Read military classics as sources of ideas, however, and you could find something useful. For millennia this has proven true of Sun Tzu.

Incidentally, don’t be a member of Boyd’s school, either. And by the way, the one seeming exception to the reinforcing nature of Boyd’s “Themes of Sun Tzu” really isn’t.

Chet Richards (Colonel, USAF, retired)

About the author

Ph.D. Mathematics.  Colonel, USAF, retired.  Long-time editor of the original Defense and the National Interest website (archived here; others may be phishing sites — exercise caution), certified yoga instructor (RYT 200), colleague of John Boyd, and blogs at Slightly East of New.  Chet was an Adjunct Professor of Strategy and Quantitative Methods at Kennesaw St. University in Atlanta, and author of:

For More Information

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about Sun Tzu, about cybersecurity, about military theory, and especially these…


2 thoughts on “Advice from Sun Tzu and John Boyd on winning at cyberwar

  1. These hackers warned the Internet would become a security disaster. Nobody listened

    IBM had a pentagon papers type event when a copy of document with details of unannounced 370 virtual memory makes into the hands of industry publication. Aftermath of the investigation … all internal IBM copier machines had (unique) serial number under the glass plate so it shows up on all copies made on that machine … shows up on this document copied nearly 15yrs later (“IBM-SJ-086”)

    Then during the future system effort in the early 70s, some past refs

    an attempt was to make all the documents available only in softcopy (to further inhibit copying). Online system was modified so access to documents, had to use special process that only allowed displaying documents on local, hardwired 3277 terminals (and all other functions were crippled). I had some dedicated weekend time in datacenter with one such system. I went in Friday afternoon to make sure everything was setup and ready. While there, some of the people wanted to brag that even if I was left alone in the machine room all weekend, their modified system would preclude (even) me from accessing the information. Unable to resist, I replied it would take less than five minutes … most of the time was spent isolating the machine so that nobody else could take advantage of what I was about to do. From the front console, I did a one byte patch of a branch condition instruction in the authentication routine such that *ALL* authentication requests returned valid. I then commented that the only really good countermeasure would involve encrypting the information.

    for the fun of it … some old crypto related email … including discussion of (public key) PGP-like implementation, a decade before PGP

    long ago and far away, we were brought in as consultants to small client/server startup that wanted to do payment transactions on their server, they had also invented this technology called “SSL” they wanted to use, the result is now frequently called “electronic commerce”. We did design/implementation using “SSL” for the electronic commerce webservers to the payment gateway (handled transactions between the internet and the payment networks) … and I know of no exploits of that implementation.

    However, we only could make recommendations about the client to server operation, many of which were almost immediately violated, accounting for many of the exploits that continue to this day.

    Somewhat because of having done “electronic commerce”, in the mid-90s we were invited to participate in the x9a10 financial standards working group that had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments (not limited to internet, aka *ALL*). We did some detailed end-to-end threat and vulnerability studies that led to the x9.59 transaction standard.

    One of the issues was that transaction information is used in dozens of business processes at millions of locations all over the world. One of the threats is attackers obtaining/skimming transaction information and using the information for fraudulent transactions. Because the enormous number of requirements for access to the transaction information, we’ve commented that even if the world was buried under miles of information hiding encryption, it still wouldn’t stop information leakage … aka an enormous “attack surface” (millions of places where attacks can happen). The x9a10 standard did nothing to reduce the “attack surface”, but it did reduce the “threat surface” by slight tweak to the current infrastructure that made information from previous transactions (including account nos) useless to crooks for doing fraudulent transactions. This also eliminated the need to hide/encrypt transactions, which has been the major use of “SSL” in the world.

    Note that about the same time we were invited to participate in the x9a10 financial standard working group, there were presentations at financial industry conferences by consumer dial-up banking operations and the motivation for their move to the internet (offload their significant consumer support costs for proprietary dial-up operations to ISPs). At the same time, there were presentations by cash management/commercial dial-up banking operations that they would *NEVER* move to the internet because of a long list of vulnerabilities (that mostly continue to this day). some past posts

Leave a Reply