Throwing The Sun Tzu Baby Out With The InfoSec Bathwater


Steve Tornio and Brian Martin just published a 5,000-word rant against anyone who dares utter the name Sun Tzu in connection with information security. According to Tornio and Martin, Sun Tzu, the principal strategic authority whose seminal work has guided China's military and civilian leadership for 2,500 years, is "not relevant to modern day InfoSec" because "information security is not warfare (leaving aside actual warfare, of course)".
That's a pretty huge stipulation considering that the People's Republic of China has been heavily invested in information technology R&D to revolutionize both its Armed Forces and its civilian infrastructure simultaneously for the past 20 years or so. The same is true for the Russian Federation (sans Sun Tzu, of course).
I'd love to hear either of these two gentlemen discuss where they draw the distinction between InfoSec for the enterprise and InfoSec as an "expression of warfare by other means" (to paraphrase Clausewitz), or their thoughts on the implications of China's recent reorganization of its defense and civilian funding for priority IT research under one agency, which makes it easier to preserve the illusion of plausible deniability while further blurring the line between civilian and military technology.
Then we come to your assessment of Sun Tzu’s advice regarding knowing your enemy:

You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don’t “win” if our homes and windows survive the storm. It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global “cyberwar”, we should probably focus on the mundane, boring details of maintaining and monitoring our networks.
The reason you don't know how to assign, or even begin to think about, attribution is that you are too consumed by the minutiae of your profession. Frankly speaking, the high-tech company executive who accepts what you advocate from his own InfoSec people has put his company squarely in the 10-ring of the target that an adversary state like China or Russia is shooting at. That executive would better serve his corporation's interests if he instead took the advice of someone like Dan Geer:

When you are losing a game that you cannot afford to lose, change the rules. The central rule today has been to have a shield for every arrow. But you can’t carry enough shields and you can run faster with fewer anyhow.
The advanced persistent threat, which is to say the offense that enjoys a permanent advantage and is already funding its R&D out of revenue, will win as long as you try to block what he does. You have to change the rules. You have to block his success from even being possible, not exchange volleys of ever better tools designed in response to his. You have to concentrate on outcomes, you have to pre-empt, you have to be your own intelligence agency, you have to instrument your enterprise, you have to instrument your data.
Dan Geer, in my opinion, is one of this country's best minds in the field of information security, partly because he approaches this problem the way successful generals have assessed battlefield strategy from the time of King Leonidas and Sun Tzu to the present: at the 10,000-foot level.
Once you understand that the scope of this problem extends far beyond the firewall logs, you'll be in a better position to organize a solution for attribution: categorize actors at the state and state-sponsored level first, then work your way down to the technical forensics of the attack. The only reason some (OK, many) InfoSec engineers haven't put 2+2 together is that their entire industry has been built around providing automated solutions at the microcosmic level. When that's all you've got, you're right: you'll never be able to claim victory.
Fortunately, the tide is beginning to turn away from that position and towards one that Project Grey Goose researchers and I have been advocating since 2008: an all-source approach that combines server-level data with actor data, eventually allowing decision makers (whether in the boardroom or the White House) to at least "know their enemy", even if they still don't adequately "know themselves". But that's an article for a different day.