The principle:
“So in war, the way is to avoid what is strong and to strike at what is weak.”
Strength and Weakness Are Temporary
Sun Tzu emphasized that strength and weakness are dynamic rather than static. Although this principle may seem self-evident, it is often overlooked in practice. Many individuals disregard straightforward strategies, mistakenly believing that complexity is required. This oversight often leads to the violation of previous strategic principles or “lessons learned”, indicating a lack of genuine understanding.
It is essential to recognize that what appears robust today may become fragile in the future, while seemingly vulnerable elements can become decisive with time and increased awareness.
Power, whether military or digital, shifts with context.
The critical factor is not the quantity of resources, but the ability to perceive the entire operational landscape. Vulnerabilities arise not only from an adversary’s strengths, but also from areas where situational awareness is lacking and the speed at which adaptation occurs when new realities emerge.
In contemporary contexts, both nations and security architects often neglect this fundamental principle. There is a tendency to focus on constructing increasingly formidable defenses rather than developing adaptive strategies. Regardless of the scale of these defenses, adversaries require only minor vulnerabilities to compromise their effectiveness. Always remember, your adversaries only need to find a tiny leak in the walls to bring the entire system down.
Predictability: The Modern Weakness
Even the most secure fortresses eventually become familiar terrain for attackers. Cyber adversaries do not rely on brute force; instead, they employ strategic analysis. They examine organizational habits and exploit vulnerabilities such as unpatched servers, unmanaged privileged or service accounts, unchanged passwords, and the susceptibility of executives to social engineering.
Their success depends not on force, but on the predictability of organizational behaviors.
Nations exhibit similar vulnerabilities. Bureaucratic routines solidify into doctrine, which can devolve into dogma. Adversaries exploit these predictable patterns, waiting for repetition before executing successful attacks.
Historical events, such as the Pearl Harbor attack, the September 11 attacks, the Gulf of Tonkin incident, and numerous cyber intrusions, demonstrate that deficiencies in critical thinking, complacency, rigidity, and hubris significantly increase the likelihood of successful surprise attacks.
When Comfort Masquerades as Strength
Many organizations and governments allocate excessive resources to familiar areas, fostering a false sense of security. This environment allows risks to proliferate unnoticed, undermining overall resilience.
Cybersecurity teams often spend millions fortifying infrastructure while leaving users untrained.
Organizations frequently monitor technical metrics while neglecting human behavior. The most significant vulnerabilities often arise from areas presumed to be under adequate management.
System failures are typically attributable not to insufficient funding, but to misaligned priorities.
This pattern is evident at the national level as well. Large militaries and substantial budgets often obscure underlying fragilities, including slow adaptation, reliance on outdated assumptions, unstable alliances, and insufficient strategic foresight regarding emerging forms of conflict.
Historical Lessons of Misguided Strength
The First World War began with nations convinced that industrial might and rigid plans guaranteed victory. Those plans dissolved within months under the weight of modern weapons and static thinking.
During the Vietnam War, a major power misinterpreted its capacity for endurance as a guarantee of superiority. The Viet Cong’s guerrilla tactics transformed conventional advantages into significant liabilities.
Even the rapid success of Operation Desert Storm fostered complacency. Efficiency was mistaken for enduring security, and the perceived triumph was erroneously interpreted as evidence of invincibility.
Each era reaffirms the principle that the most conspicuous assets are not necessarily the most powerful.
Flexibility as True Power
Sun Tzu’s insight was to conceptualize power as dynamic movement. He advocated that a general should emulate water, seeking the path of least resistance and adapting to the terrain.
Within the cyber domain, the operational landscape evolves rapidly, with new threats, actors, and vulnerabilities emerging on a continual basis.
In this context, strength is defined by agility:
- Rotate keys and credentials regularly.
- Automate but verify.
- Decentralize authority so teams can act without waiting for hierarchy.
The most effective defenders are those who demonstrate the greatest adaptability, learning and evolving more rapidly than adversaries can adjust their tactics.
Lao Tzu’s Echo
Lao Tzu put it simply:
“Water overcomes the stone not by strength, but by persistence.”
Endurance surpasses dominance. Properly understood, flexibility is not a sign of weakness but of resilience, characterized by the capacity to absorb disruption and recover to an original state.
In the digital context, resilience is reflected in recovery planning, redundancy, and organizational culture. The true measure of strength is not the infrequency of failure, but the speed of recovery following a compromise.
Turning Weakness Into Insight
All systems possess inherent flaws. Denial of these vulnerabilities allows them to remain concealed until a crisis occurs. Proactive defenders employ audits, red-team exercises, and transparent communication to identify weaknesses at an early stage.
Transparency transforms potential liabilities into opportunities for organizational learning.
Nations could use the same humility.
Public acknowledgment of mistakes enhances credibility, whereas concealment increases risk. The most resilient governments are not those without flaws, but those capable of adapting transparently before their constituents.
From Awareness to Action
Identifying vulnerabilities constitutes only part of the challenge; addressing them effectively demands both discipline and restraint.
In cybersecurity, this approach entails prioritizing remediation over self-congratulation, thorough preparation prior to disclosure, and critical evaluation before taking action.
In policy contexts, this requires deliberate prioritization, engaging only in actions where the anticipated outcomes justify the associated costs.
Misapplied strength can become a source of vulnerability, whereas a thorough understanding of weaknesses can provide strategic foresight.
The Next Step: The Flow of Force
Sun Tzu ends this chapter with motion: the strong shifting to the weak, the weak transforming to the strong.
He implies that awareness must evolve into timing. The wise general aligns his force with the moment, not against it. And that, “All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.”
This concept serves as a transition to the subsequent lesson, which focuses on the dynamics of energy in motion and the strategic management of power with balance and rhythm.
We’ve learned where to stand. Next, we’ll learn how to move. As Master Tzu concludes Chapter VI:
Military tactics are like unto water; for water in its natural course runs away from high places and hastens downwards. Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.
Leading us directly back to this lesson’s seemingly simple principle: “So in war, the way is to avoid what is strong and to strike at what is weak.”
Matt Shannon, Security Pro 