Wednesday, July 15, 2009

Infosec As a Form of Asymmetric Warfare by Steven Fox and Information Security Resources

I recently had the privilege of discussing the applicability of Sun Tzu’s The Art of War to information security with Amit Yoran, Chairman and CEO of NetWitness.

Mr. Yoran’s experience in military, government, and private information security domains provided valuable insights on the value of this military treatise. Below are highlights from the podcast.


The Art of War


Sun Tzu’s influence is felt across disciplines – business, politics, and sports.


According to Mr. Yoran, “There are an amazing number of parallels between The Art of War and the information security business. In its very basic form – knowing your enemy – knowing how cyber vandals, miscreants, criminals, and even nation-state actors use cyber attack and cyber exploitation for their various objectives.”


In a cyber landscape, we face adversaries that, in some cases, employ advanced techniques in their attacks.


“Cyber security is an asymmetric form of warfare,” says Yoran. The issue of attribution compounds the difficulties associated with cyber security.


According to Mr. Yoran, attackers rely on anti-forensic attack techniques to cover their tracks.


In response, NetWitness’s network monitoring technologies apply “forensic rigor” to the examination of network traffic. This allows the attack target to gather intelligence on the attacker.


Mr. Yoran states that this focus on forensic analysis enables strategic and tactical agility.


Sun Tzu stresses the importance of understanding yourself as well as the enemy. It is important to recognize how your existing assets can be positioned to compete successfully.


Mr. Yoran agrees. “There’s no way for you to flip a switch and have people change their perception, processes, or mode of operation. Nor should they abandon the security infrastructure they’ve invested in. These are necessary. They are also insufficient when dealing with advanced threats.”


However, this awareness allows organizations to invest strategically to enhance their defenses.


The Cyberspace Review


In the July installment of my Art of War column, I detailed Sun Tzu’s perspective on the Obama Administration’s Cyberspace Review document. This article outlines three scenarios where government oversight can hamper the effectiveness of security leaders.


When asked about his perspective, Mr. Yoran conceded that parts of the plan relate to government agencies and are not applicable to the private sector.


He stressed, however, that cyber defense is an all-inclusive responsibility given that the vast majority of these resources are developed, owned, and operated by the private sector.


He feels it is appropriate for the government to set the rules of engagement on the battlefield. “It is illegal – criminal – to use offensive methods in your defensive strategy,” said Yoran.


By doing so, we would be no better than those attacking us.


The Conditions for Victory


Sun Tzu said that “the winning army realizes the conditions for victory before fighting.”


When asked about these conditions, Mr. Yoran replied that the conditions for victory in the cyber battlefield do not align with those of conventional warfare.


“We must accept that, in this venue, the advantage goes to the aggressor,” said Yoran. “Any medium to large scale enterprise is compromised already or significantly vulnerable to compromise.”


Given the recent cyber attack on government web sites, this statement is particularly salient.


“If we are going to win in cyber,” said Yoran, “we must be prepared for our systems to be compromised. We need to be able to operate our businesses, and conduct our government and public services, in a state where we know or we can reasonably assume that parts of our IT infrastructure are compromised.”


This aligns with Sun Tzu’s advice to assume that the enemy will attack and act accordingly.


Cyber Espionage


Sun Tzu offered that foreknowledge of the enemy’s plans is critical to success. The Art of War dedicates a chapter to the different types of spies one can employ for intelligence gathering.


When asked about cyber espionage, Mr. Yoran discussed the magnitude of this threat.


“The FBI has estimated that over 100 nations have offensive cyber capability and organizations that have an offensive mission around the world,” said Yoran.


He cited a National Research Council policy framework that states that the capabilities of these nations are at least as sophisticated as what we see from cyber criminals.


“Our own national infrastructure is perhaps more vulnerable than most given its size, its age, and the fact that we are adding interoperability technologies and communications on top of an existing platform,” Yoran continued.


Mr. Yoran cited increased coordination between government and private sector practitioners as a positive step in dealing with those vulnerabilities.


Leadership in the Modern Enterprise


Sun Tzu highlights the importance of balanced leadership composed of the following attributes: intelligence, trustworthiness, humaneness, courage, and sternness.


I asked Mr. Yoran to comment on which of these attributes are needed to tackle the current business risks.


“Trustworthiness is always at the core,” said Yoran. “By that I mean trustworthiness in government, in the private sector, and in the relationship between government and the private sector.”


Mr. Yoran also emphasized that trust must be developed between the cyber warriors/defenders and leadership.


This mutual trust has been hampered by the fact that these groups speak different languages. We need to focus on how we can improve those communications with an eye on engendering trust between these communities.


Mr. Yoran cited intelligence as a critical attribute a leader must develop.


“The better we understand our own vulnerabilities, our own exposure, and our own reliance on technology – the better [able] we are to address the business risk and modify our behavior so we are mitigating the risk.”
