Advice from Sun Tzu and John Boyd on winning at cyberwar

Summary: While we’re enmeshed in 4th generation wars we don’t know how to fight, (let alone win) a new form of conflict arrives. Least we repeat our feckless habit of fighting then thinking, let’s develop strategies before serious clashes begin. Chet Richards helps us decide if the military classics can help us, or has new tech made them obsolete?  {2nd of 2 posts today.}

“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.”
— Sun Tzu in The Art of War.

 

Chet Richards comments on

“InfoSec, Sun Tzu & the Art of Whore“
by Steve Tornio and Brian Martin.
Posted At Attrition, 2 July 2010.

.
The authors did a great job. I found nothing to argue with in their article. But they appear to have underestimated the power of Sun Tzu’s advice, even in the unique realm of cyberwar.

I can’t argue with their observation that if you try to follow the specific prescriptions of of The Art of War,  you’re either going to be playing with analogies or you must find an opponent willing to act like a Chinese army of the Warring States Period (475-221 BC).

However, when viewed from another perspective it’s possible to see beyond the specifics of long-ago technology for deeper insights. These insights are rooted in human nature and so may prove as useful to cyber war as to any form of conflict.

Their criticism, for example, of how people tend to apply Master Sun’s advice also applies to the works of the late John Boyd (Colonel, USAF), whose major briefing, Patterns of Conflict, appears to be all about war, and mostly about the German Blitzkrieg. But to find deeper meanings, let’s start with what Boyd said about Sun Tzu’s Art of War, on Patterns of Conflict chart 13. First, he talks about some of the “themes” he finds in the work:

• Harmony and trust,
• Justice and well being,
• Inscrutability and enigma,
• Deception and subversion,
• Rapidity and fluidity,
• Dispersion and concentration,
• Surprise and shock.

An organization engaged in any kind of conflict might well find some of these useful for destroying the cohesiveness, and thus the effectiveness, of an opposing organization while ensuring its own. As an aside, note that the elements of these pairs seem to reinforce each other (e.g., “harmony and trust”) with one apparent exception. This is typical of how Boyd did his own syntheses.

Then he relates these to Sun Tzu’s strategy (remember, these are Boyd’s interpretations. Yours may — should — differ):

• Probe the enemy’s organization and dispositions to unmask his strengths, weaknesses, patterns of movement and intentions.
• “Shape” the enemy’s perception of world to manipulate his plans and actions.
• Attack the enemy’s plans as best policy. Next best disrupt his alliances. Next best attack his army. Attack cities only when there is no alternative.
• Employ cheng and ch’i maneuvers to quickly and unexpectedly hurl strength against weaknesses.

Let’s look at this list in a little more detail because if you’re going to get anything useful from The Art of War, or from  Boyd, you can’t take their texts as dogma.  Master Sun to the contrary, for example, there are sometimes good reasons to attack cities: You might intend to draw the opponent into battle at a time and place that is favorable to you (e.g., you’ve prepared an ambush). Also, forcing a quick capitulation of a fortified city can demoralize your opponents. In fact, quickly obliterating anything that the opponent considers safe can have this effect. Might there be cyber equivalents to cities? To name just one possibility, picked at random out of the blue, might the same logic apply to personnel databases? This is not to say that databases are analogous to cities but that both are instances of heavily defended, valuable resources.

Taking this to another level, if you loudly announce that you’re following Sun Tzu, your foe might become confused, disoriented and demoralized when you avoid his army to demolish a major city. Soldiers from other cities in his realm might well desert to protect their homes. Does he have to split his army up and try to defend them all?

The point is that you shouldn’t take any text as a cookbook for tactics. Boyd would often say “Don’t be a member of Clausewitz’s school because a lot has happened since 1832. And don’t be a member of the Sun Tzu school because an awful lot has happened since 400 b.c.” Read military classics as sources of ideas, however, and you could find something useful. For millennia this has proven true of Sun Tzu.

Incidentally, don’t be a member of Boyd’s school, either. And by the way, the one seeming exception to the reinforcing nature of Boyd’s “Themes of Sun Tzu” really isn’t.

About the author

Ph.D. Mathematics.  Colonel, USAF, retired.  Long-time editor of the original Defense and the National Interest website (archived here; others may be phishing sites — exercise caution), certified yoga instructor (RYT 200), colleague of John Boyd, and blogs at Slightly East of New.  Chet was an Adjunct Professor of Strategy and Quantitative Methods at Kennesaw St. University in Atlanta, and author of:

• A Swift, Elusive Sword: What if Sun Tzu and John Boyd Did a National Defense Review? (2003).
• Certain to Win: The Strategy of John Boyd Applied to Business (2004),
• Neither Shall the Sword: Conflict in the Years Ahead (2005), and
• If We Can Keep It: A National Security Manifesto for the Next Administration (2008).

For More Information

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about Sun Tzu, about cybersecurity, about military theory, and especially these…

• How America can survive and even prosper in the 21st Century.
• The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace by Marcus Ranum.