Category: history

The Art of Cyberwar | Part IX | The Army on the March

“The Army on the March” — Illustrated for The Art of Cyberwar, Part IX. This artwork evokes the visual language of classical Chinese scroll painting, capturing the essence of Sun Tzu’s Chapter IX with striking thematic fidelity. The scene unfolds in layers across a sweeping golden landscape: tightly ordered battalions march along mountain paths, supply barges cross a winding river, and distant formations assemble beneath the rising sun. Each element reflects the logistical burden, psychological tension, and environmental dependence that define an army deep into foreign territory. At the foreground, a lone commander on horseback surveys the terrain, flanked by advisors whose varied stances suggest counsel, observation, and caution. His elevated vantage mirrors Sun Tzu’s emphasis on awareness — the practice of reading fatigue, momentum, and environmental signals before they harden into irreversible consequences. The river crossing, perilous and slow, symbolizes the fragility of overextension; the distant city, shimmering beyond the horizon, represents both ambition and the looming threat of exhaustion. The overall composition blends serenity with strain, grandeur with vulnerability. In doing so, it transforms ancient military wisdom into a timeless reminder for modern strategists: every march requires vigilance, and every expansion carries its cost.

The Principle:

“When you leave your own country behind, and take your army across neighboring territory, you find yourself in a position of dependence on others. There you must watch for signs of strain.”— Sun Tzu

The Signs Before the Fall

Sun Tzu’s ninth chapter is about perception.

Here he shifts from action to awareness. It’s about how a commander reads fatigue, imbalance, and internal decay before they destroy an army from within.

This is not simply a lesson in combat, but more importantly, it’s a lesson in foresight. This is a crucial distinction that often separates a near-flawless victory from a crushing defeat.

Because every empire, every enterprise, every cyber defense effort eventually faces the same drift:

  • expansion that outruns understanding
  • momentum that hides exhaustion
  • ambition that blinds leadership
  • reach that exceeds resources

Armies break this way.
Companies implode this way.
Nations lose coherence this way.

In martial arts, this is the moment a fighter looks powerful, but their footwork is mis-aligned, the subtle tell of hand movement, the delayed return to guard, or the half-beat of hesitation that usually precedes success but this time leads to being hit.

Sun Tzu teaches us: if you can’t read the signs, you can’t survive the march.

Overreach: The Eternal Temptation

History loves proving this point.

Rome’s legions stretched from Britain to Mesopotamia until it could no longer feed its own frontiers. Britain built an empire “over all seas,” only to watch its overstretched supply lines rot from within.

The United States, victorious after World War II, constructed a global presence so vast that presence itself began replacing purpose.

Sun Tzu warned: The longer the march, the more fragile the army becomes.

Modern America has been marching for generations, militarily, economically, digitally, and each expansion has carried both pride and price.

Corporations experience the same decay. Cloud ecosystems suffer it even faster. What begins as strength, scale, reach, integration, becomes fragility when maintenance exceeds cost-tolerance.

In martial arts, overreach is the fighter who throws too many power shots, chasing a knockout rather than reading the opponent. They exhaust themselves long before the opponent is even breathing heavily.

Strength without pacing is just a longer route to collapse.

The Weight of Infinite Reach

In cybersecurity, overreach becomes complexity collapse.

Each new department adopts a new tool. Each executive demands a new dashboard. Each vendor promises a universal cure.

Suddenly:

  • no one sees the whole system
  • logs pile up unread
  • alerts become background noise
  • integrations multiply into untraceable webs
  • dependencies form faster than they can be understood

What once felt powerful becomes paralyzing.

Foreign policy suffers the same rhythm on a grander scale.

WWI.
WWII.
The Cold War.
Korea.
Vietnam.
Bosnia
Iraq.
Afghanistan.

Each began with a clean, confident objective. Most devolved into attrition, mission creep, and moral fatigue. It can confidently be argued that mission creep began with WWI, but that’s a conversation for another time.

Sun Tzu would summarize it simply: When the troops are weary and the purpose uncertain, the general has already lost.

In BJJ, this is the fighter who scrambles nonstop, burning energy on transitions without securing position. Sometimes, not even needing to scramble or change position, but hasn’t trained long enough to even know that.

In boxing, it’s the puncher throwing combinations without footwork. The fighter simply stands in place, wondering why his punches never land.

In Kali, it’s the practitioner who commits too aggressively, losing awareness of angles and openings.

The march becomes too long.
The lines become too thin.
And collapse becomes inevitable.

Business: The Corporate Empire Syndrome

Businesses suffer the same fate as empires.

Growth attracts attention. Attention fuels pressure to expand. Expansion becomes compulsive.

Suddenly, the company is chasing:

  • ten markets
  • ten products
  • ten strategies
  • ten “high-priority” initiatives

Each of these demanding its own “army.”

The parallels to national instability are perfect:

  • Expansion without integration
  • Strategy scaling faster than understanding.
  • Leaders mistaking size for stability.

Eventually, the weight becomes unsustainable.

The company can no longer “feed the army.”
Costs rise.
Culture cracks.
Purpose fades.

What killed Rome wasn’t the final battle; it was the slow erosion of balance across its territory.

Most businesses die the same way, and so do most digital ecosystems.

In Wing Chun, this is the collapse of structure, the moment you can see a fighter trying to do too much, forgetting the centerline, being everywhere except where they need to be.

Overreach is always invisible until it isn’t.

The Modern March: Cyber Empires and Digital Fatigue

Our networks are the new empires.

Every integration is a border.
Every API is a supply line.
Every vendor is an ally whose failure becomes your crisis, and you can never plan for when that crisis comes.

Cloud architecture multiplied this exponentially.

Organizations now live everywhere and nowhere at once.

Sun Tzu’s image of an army dependent on supply lines maps perfectly to modern digital infrastructure:

  • Multi-cloud systems
  • SaaS sprawl
  • CI/CD pipelines with invisible dependencies
  • Third-party integrations with inherited vulnerabilities

When visibility fades, risk multiplies. When dependencies become opaque, consequences become catastrophic.

A company that cannot trace its supply chain of code is like an army that has lost its map.

One outage.
One breach.
One geopolitical tremor.

And the entire formation can buckle.

We call this “scalability.”
Sun Tzu would call it: Marching too far from home.

Reading the Dust Clouds

Sun Tzu taught his officers to read subtle signs:

  • dust patterns revealing troop movement
  • birds startled into flight
  • soldiers’ voices around the fire
  • the speed of camp construction
  • the tone of marching feet

Modern versions of those signs are just as revealing:

  • Escalating ‘critical’ alerts no one addresses
  • Morale fading under constant pressure
  • Defensive posture maintained through inertia
  • Strategies repeated because they worked once, not because they work now
  • Partners showing hesitation before they show defection

In WWI, the Lusitania offered one of the clearest “dust clouds” in modern history.

Germany declared unrestricted submarine warfare. British intelligence knew passenger liners were targets. The Lusitania was warned. The U.S. was warned. Even the ship’s cargo, which included munitions, made it a predictable target.

Yet the warnings were dismissed.
The signs were clear.
The perception failed.

And America’s reaction, too, was predictable; a “neutral nation” was pushed closer to war by a tragedy entirely foreseeable. Some might argue that certain American politicians sought to force the US into the war. Again, that’s a discussion for another time.

Sun Tzu’s maxim remains timeless: The first to lose perception always loses position.

The Cost of Endless Motion

Overextension rarely appears dramatic at first.

It looks like success:

  • revenue rising
  • troops advancing
  • dashboards expanding
  • integrations multiplying

Then the consequences arise:

  • fatigue
  • erosion
  • misalignment
  • burnout
  • doubt

You begin fighting just to justify how far you’ve marched.

In cybersecurity, this is the company chasing every vulnerability without fixing their architecture.

In foreign policy, it’s the nation fighting endless “small wars” that collectively cost more than stability ever would.

In boxing, it’s the fighter who keeps moving forward until they walk into exhaustion, not a punch.

In Kali, it’s the flow practitioner who adds complexity until their movement becomes noise rather than intent.

Sun Tzu warned: An army that has marched a thousand li must rest before battle.

Modern systems rarely rest. We only measure uptime, not wisdom.

Restraint as Renewal

The answer isn’t retreat, it’s an informed, measured rhythm.

Knowing when to:

  • advance
  • consolidate
  • recover
  • regroup
  • reconsider the terrain

Strategic restraint is not weakness. It is self-preservation.

Rome could have lasted longer by fortifying fewer borders. Corporations could thrive longer by protecting focus instead of chasing scale. Nations could endure longer by strengthening their homeland defenses before ever wasting a single dime projecting power abroad.

Sun Tzu’s art was never about conquest. It was about sustainability.

Victory without stability is just defeat on layaway.

Awareness in Motion

Awareness is the antidote to overreach.

It requires honest measurement:

  • what’s working
  • what’s weakening
  • what’s cracking
  • what’s already lost

It requires humility: no army, business, or nation can move indefinitely without rest.

In cybersecurity, awareness is visibility.
In leadership, it’s listening.
In foreign policy, it’s simply remembering.

Awareness doesn’t stop momentum. It calibrates it.

It’s the half-beat between breaths that keeps the system alive.

Bridge to Chapter X | Terrain

Sun Tzu ends this chapter by looking outward again.

Once you’ve learned to read fatigue, imbalance, and decay within, the next step is to read the environment beyond.

The internal determines how you survive the external.

Which returns us to the opening principle: When you leave your own country behind…you find yourself in a position of dependence on others.

An army on the march teaches us to see ourselves. Chapter X Terrain teaches us to read the world:

  • its obstacles
  • its openings
  • its deception
  • its opportunities
  • its traps

Awareness of self means little without awareness of landscape. That’s where the next battle begins.

The Art of Cyberwar | Part VI | Weak Points and Strong

matt shannon art of cyberware chapter VI weak points an strong

The principle:
“So in war, the way is to avoid what is strong and to strike at what is weak.”

Strength and Weakness Are Temporary

Sun Tzu emphasized that strength and weakness are dynamic rather than static. Although this principle may seem self-evident, it is often overlooked in practice. Many individuals disregard straightforward strategies, mistakenly believing that complexity is required. This oversight often leads to the violation of previous strategic principles or “lessons learned”, indicating a lack of genuine understanding.

It is essential to recognize that what appears robust today may become fragile in the future, while seemingly vulnerable elements can become decisive with time and increased awareness.

Power, whether military or digital, shifts with context.

The critical factor is not the quantity of resources, but the ability to perceive the entire operational landscape. Vulnerabilities arise not only from an adversary’s strengths, but also from areas where situational awareness is lacking and the speed at which adaptation occurs when new realities emerge.

In contemporary contexts, both nations and security architects often neglect this fundamental principle. There is a tendency to focus on constructing increasingly formidable defenses rather than developing adaptive strategies. Regardless of the scale of these defenses, adversaries require only minor vulnerabilities to compromise their effectiveness. Always remember, your adversaries only need to find a tiny leak in the walls to bring the entire system down.

Predictability: The Modern Weakness

Even the most secure fortresses eventually become familiar terrain for attackers. Cyber adversaries do not rely on brute force; instead, they employ strategic analysis. They examine organizational habits and exploit vulnerabilities such as unpatched servers, unmanaged privileged or service accounts, unchanged passwords, and the susceptibility of executives to social engineering.

Their success depends not on force, but on the predictability of organizational behaviors.

Nations exhibit similar vulnerabilities. Bureaucratic routines solidify into doctrine, which can devolve into dogma. Adversaries exploit these predictable patterns, waiting for repetition before executing successful attacks.

Historical events, such as the Pearl Harbor attack, the September 11 attacks, the Gulf of Tonkin incident, and numerous cyber intrusions, demonstrate that deficiencies in critical thinking, complacency, rigidity, and hubris significantly increase the likelihood of successful surprise attacks.

When Comfort Masquerades as Strength

Many organizations and governments allocate excessive resources to familiar areas, fostering a false sense of security. This environment allows risks to proliferate unnoticed, undermining overall resilience.

Cybersecurity teams often spend millions fortifying infrastructure while leaving users untrained.

Organizations frequently monitor technical metrics while neglecting human behavior. The most significant vulnerabilities often arise from areas presumed to be under adequate management.

System failures are typically attributable not to insufficient funding, but to misaligned priorities.

This pattern is evident at the national level as well. Large militaries and substantial budgets often obscure underlying fragilities, including slow adaptation, reliance on outdated assumptions, unstable alliances, and insufficient strategic foresight regarding emerging forms of conflict.

Historical Lessons of Misguided Strength

The First World War began with nations convinced that industrial might and rigid plans guaranteed victory. Those plans dissolved within months under the weight of modern weapons and static thinking.

During the Vietnam War, a major power misinterpreted its capacity for endurance as a guarantee of superiority. The Viet Cong’s guerrilla tactics transformed conventional advantages into significant liabilities.

Even the rapid success of Operation Desert Storm fostered complacency. Efficiency was mistaken for enduring security, and the perceived triumph was erroneously interpreted as evidence of invincibility.

Each era reaffirms the principle that the most conspicuous assets are not necessarily the most powerful.

Flexibility as True Power

Sun Tzu’s insight was to conceptualize power as dynamic movement. He advocated that a general should emulate water, seeking the path of least resistance and adapting to the terrain.

Within the cyber domain, the operational landscape evolves rapidly, with new threats, actors, and vulnerabilities emerging on a continual basis.

In this context, strength is defined by agility:

  • Rotate keys and credentials regularly.
  • Automate but verify.
  • Decentralize authority so teams can act without waiting for hierarchy.

The most effective defenders are those who demonstrate the greatest adaptability, learning and evolving more rapidly than adversaries can adjust their tactics.

Lao Tzu’s Echo

Lao Tzu put it simply:

“Water overcomes the stone not by strength, but by persistence.”

Endurance surpasses dominance. Properly understood, flexibility is not a sign of weakness but of resilience, characterized by the capacity to absorb disruption and recover to an original state.

In the digital context, resilience is reflected in recovery planning, redundancy, and organizational culture. The true measure of strength is not the infrequency of failure, but the speed of recovery following a compromise.

Turning Weakness Into Insight

All systems possess inherent flaws. Denial of these vulnerabilities allows them to remain concealed until a crisis occurs. Proactive defenders employ audits, red-team exercises, and transparent communication to identify weaknesses at an early stage.

Transparency transforms potential liabilities into opportunities for organizational learning.

Nations could use the same humility.

Public acknowledgment of mistakes enhances credibility, whereas concealment increases risk. The most resilient governments are not those without flaws, but those capable of adapting transparently before their constituents.

From Awareness to Action

Identifying vulnerabilities constitutes only part of the challenge; addressing them effectively demands both discipline and restraint.

In cybersecurity, this approach entails prioritizing remediation over self-congratulation, thorough preparation prior to disclosure, and critical evaluation before taking action.

In policy contexts, this requires deliberate prioritization, engaging only in actions where the anticipated outcomes justify the associated costs.
Misapplied strength can become a source of vulnerability, whereas a thorough understanding of weaknesses can provide strategic foresight.

The Next Step: The Flow of Force

Sun Tzu ends this chapter with motion: the strong shifting to the weak, the weak transforming to the strong.

He implies that awareness must evolve into timing. The wise general aligns his force with the moment, not against it. And that, “All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.”

This concept serves as a transition to the subsequent lesson, which focuses on the dynamics of energy in motion and the strategic management of power with balance and rhythm.

We’ve learned where to stand. Next, we’ll learn how to move. As Master Tzu concludes Chapter VI:

Military tactics are like unto water; for water in its natural course runs away from high places and hastens downwards. Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.

Leading us directly back to this lesson’s seemingly simple principle: “So in war, the way is to avoid what is strong and to strike at what is weak.”

The Art of Cyberwar, Part V | Energy | The Use of Force

the art of cyberwar part V energy and the use of force. matt shannon cloud security.

The principles:
In all fighting, the direct method may be used for joining battle, but indirect methods will be needed in order to secure victory.

Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end only to begin anew; like the four seasons, they pass away to return once more.

The Power of Controlled Motion

Sun Tzu’s fifth chapter deals with energy, not as brute strength, but as direct application of force.

He warned that a commander must know when to cultivate and store power and when to release it. Misapplied use of Energy burns itself out. However, when energy is focused, it bends the world to its will.

It’s an idea that translates effortlessly to today’s digital battlefield. Nations, like networks, often fail not because of a lack of capability, but because of a lack of control.

True mastery isn’t in how much force you can deploy. It’s in knowing how little you need to. It’s akin to the idea that, sure, you can kill a fly with a hammer, but is it the most effective tool at your disposal?

The Cost of Unchecked Energy

American Diplomatic and Military History is full of examples of lawmakers mistaking our capacity for clarity.

In Korea, overwhelming U.S. power pushed back North Korean forces, only to overextend toward China’s border and trigger an entirely new front. And thus, we have burdened ourselves with maintaining the “38th parallel” ever since.

In Vietnam, energy became inertia, force applied endlessly without definition, draining political and moral capital alike. If only the “peacemakers” at the Treaty of Versailles had let Ho Chi Minh deliver his speech on the Rights of Man, perhaps there would have been no quagmire in Southeast Asia to begin with. A guerrilla war that would take nearly 60,000 American lives and lead to what became known as the “Vietnam Syndrome.”

In Iraq, “shock and awe” demonstrated that a singular “tactical victory” can be swift, while a strategic victory remains elusive. Notwithstanding the entire list of false pretenses that led to the invasion of Iraq to begin with.

Each conflict began with a belief in momentum and ended with war fatigue. Demonstrating once again, force without direction always collapses under its own weight.

The lesson isn’t that force is wrong; it’s that force, when misapplied and unguided, becomes self-consuming. Power is not infinite. Neither is attention, money, or public trust.

The Cyber Equivalent: Sprawl and Burnout

Organizations repeat these same mistakes in digital form.

A breach occurs, and the reflex is to rush to acquire new tools, policies, and budgets, thereby triggering a cyberwar “surge.”

New dashboards, new alert monitoring, and new vendors lead to a surge in activity, while clarity plummets.

This is cyber energy without strategy, effort disconnected from insight.

As Sun Tzu also said: Amid the turmoil and tumult of battle, there may be seeming disorder and yet no real disorder at all; amid confusion and chaos, your array may be without head or tail, yet it will be proof against defeat.

Teams exhaust themselves chasing incidents instead of patterns. Leaders demand constant escalation, not realizing that perpetual crisis is its own vulnerability.

The result mirrors the national trap: motion is mistaken for genuine progress. The ability to endure is mistaken for endurance.

Energy as Rhythm, Not Frenzy

Sun Tzu described two forms of force:

  • Normal energy — the steady discipline that sustains the fight.
  • Extraordinary energy — the precise, unexpected burst that wins it.

In cybersecurity, the equivalent is security posture and precision in the application of policies.

Normal energy is the quiet work of patching, monitoring, and awareness training. Extraordinary energy is the calm, swift, and accurate incident response that turns chaos into closure.

Both are needed. But one cannot exist without the other. A team that never rests has no energy left to strike when it matters most.

It’s the same in martial arts.

In Wing Chun:
Normal energy = quality structure and energy sensitivity.
Extraordinary energy = the skill to deliver a singular, intercepting strike that ends the exchange.

Muay Thai:
Normal energy = footwork, guard, pacing.
Extraordinary energy = the slashing elbow, a stabbing teep, or perfectly placed knee.

BJJ:
Normal training energy = position, pressure, framing.
Extraordinary training energy = the ability to feel a submission triggered by feeling the opponent’s mistake. Or in Mandarin it’s an old idea called Wu Wei, or effortless action. Meaning, I don’t present the opportunity to attack; the enemy presents it to me, like water finding a leak in the dam.

A Security Team that never rests has no energy left for anything extraordinary.

Good CISOs, like good generals, good fighters, and good grapplers, understand rhythm. They know when to conserve strength so that action, when it comes, is clean and effective.

As Master Tzu also knew, “When he utilises combined energy, his fighting men become as it were like unto rolling logs or stones.” Leading to, … “the energy developed by good fighting men is as the momentum of a round stone rolled down a mountain thousands of feet in height. So important is the subject of energy.

Diplomacy and the Misuse of Force

In diplomacy, the same physics apply. The U.S. has often wielded immense power but uneven patience.

Moments like the Marshall Plan and the Cuban Missile Crisis demonstrated the value of precision, employing limited force, clear objectives, and a proportional response.

But elsewhere, the misapplication of force became diplomatic impotence on full display. Prolonged occupations and open-ended interventions constantly drain strategic reserves of will and trust.

Every drone strike, every unconstitutional data collection program, every new cyber warfare doctrine carries a similar risk: that power’s convenience will overshadow its consequence.

The Taoist counterpoint from Lao Tzu still resonates to this day:

“He who knows when to stop never finds himself in trouble.”

Knowing when not to act is the highest use of force. It’s the difference between control and compulsion.

The Lesson for Cyber Strategy

A strong digital defense isn’t constant action, it’s intelligent action.

Practical translation:

  • Automate the repeatable.
  • Escalate only with context.
  • Protect attention as aggressively as data.
  • Reserve extraordinary effort for extraordinary situations.

Energy mismanaged becomes sprawl. Energy focused becomes resilience.

It’s never the size of the arsenal. It’s the precision of the response.

Momentum and the Myth of Constant Action

Modern life rewards constant motion, refresh, respond, and reply.
In cybersecurity and foreign policy alike, stillness feels dangerous to the untrained mind.

But strategy lives in the pause between movements. Quality fighting skills are always more effective when you can strike on the half-beat, a fundamental separator on the mats, and on digital and physical battlefields.

Force has a short half-life. When it’s used endlessly, it decays quickly and fades into the ether. When it’s reserved for the right moment, it changes everything.

A breach contained quietly is often a bigger victory than a public takedown.
A crisis de-escalated without violence often preserves more stability than any show of strength.

Knowing When to “Flow With the Go”

As one of the greatest living legends in Brazilian Jiu-Jitsu, Rickson Gracie once said, “In Jiu Jitsu we flow with the go.”

Meaning:

  • don’t fight force with tension
  • stay aware but not trapped by focus
  • stay smooth and adaptive
  • flow with the opponent’s energy
  • let well-trained instinct and structure guide you

That metaphor fits the digital era perfectly. The best blue or purple teamers, like the best leaders, don’t fight the current; they learn to read it and swim with it, not against it.

Lao Tzu would say that “the soft overcomes the hard,” not through weakness but adaptability. Force channeled through awareness is stronger than force spent in anger.

In warfare and cybersecurity alike, energy is a currency. Spend it recklessly and you’ll be empty when it matters. Spend it wisely and you’ll be leading on the battlefield.

Final Reflection

Knowing how to use force is knowing its limits.
Sun Tzu and Lao Tzu shared the same truth from opposite angles:
Power must be balanced by patience.
Energy must be stored as much as it is spent.

History punishes those who forget this. So does network and security architecture.

The art isn’t in using force; it’s in knowing when the situation calls for little, none, or overwhelming force.

That’s not mysticism. That’s strategic maintenance. And it’s as accurate in security architecture as it is on the battlefield.

All of these lessons point us directly back to our opening principles: “In all fighting, the direct method may be used for joining battle, but indirect methods will be needed to secure victory.” And, “Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end only to begin anew; like the four seasons, they pass away to return once more.

The wise strategist learns to move the same way.

The Art of Cyberwar | Part III | Attack by Stratagem

The principle:
If you know the enemy and know yourself, you need not fear the result of a hundred battles.  Sun Tzu – Chapter III

the golden era

Strategy vs. Stratagem

A strategy is designed for longevity, while a stratagem addresses immediate challenges. Strategy anticipates years ahead to foster resilience. Stratagem focuses on the next breach, exploit, or distraction.

Within cybersecurity, strategy encompasses architectural design, layered controls, validated incident response plans, and a culture prepared to act decisively during crises. Stratagem represents the attacker’s tools, such as persuasive emails, covert code injections, or precisely timed physical penetration tests.

Both approaches are powerful, yet each possesses inherent limitations.

The Modern Battlefield: Fluid and Fractured

The threat landscape evolves continuously. Traditional boundaries are replaced by cloud environments, API vulnerabilities, and interconnected third-party networks. Security architects must prioritize adaptability and fluidity over static defenses to effectively mitigate risks.

Zero Trust principles, continuous validation, and integrated security practices throughout the development lifecycle enable proactive identification and mitigation of vulnerabilities prior to production deployment. In an environment where compromise is presumed and rapid response is critical, these measures are indispensable.

Effective defenders adopt a proactive stance. They anticipate adversary actions, analyze behavioral patterns, and design systems to adapt under attack rather than fail.

Attack by Stratagem: The Psychology of Exploitation

Major breaches often originate through psychological manipulation rather than technical flaws. Techniques such as phishing, vishing, and deepfakes exploit cognitive vulnerabilities to diminish user awareness. This approach mirrors historical propaganda methods, where controlling perception leads to controlling behavior.

While governments previously leveraged headlines and radio broadcasts, contemporary attackers exploit digital interfaces such as login pages and hyperlinks. Both strategies depend on user fatigue, habitual behavior, and misplaced trust. If users believe a fraudulent login page is legitimate, they inadvertently compromise security.

Similarly, if citizens equate fear with patriotism, they may relinquish critical judgment in favor of perceived safety. As Ben Franklin observed, individuals who prioritize temporary safety over essential liberty may ultimately forfeit both: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

This tactic operates effectively across a spectrum, from individual email inboxes to broader ideological movements.

The Architecture of Awareness

A resilient security architecture reflects the characteristics of an aware and vigilant mindset.

Network segmentation limits the blast radius. Application hardening predicts misuse before it happens.

Firewalls and Security Information and Event Management (SIEM) systems provide the critical, irreplaceable resource of time.

Knowing your environment is knowing yourself.

Without a thorough understanding of all dependencies, exposures, and behavioral patterns, it is impossible to detect significant changes or anomalies. The same principle applies at the national level: when societies cease to critically evaluate their narratives, division and deception proliferate with ease.

Propaganda Built Into the Code

James Montgomery Flagg, I Want You for U.S. Army, 1917, collection of Chip and Carrie Robertson, photo by Robert Wedemeyer
James Montgomery Flagg, I Want You for U.S. Army, 1917, collection of Chip and Carrie Robertson, photo by Robert Wedemeyer

From Woodrow Wilson’s Committee on Public Information to the televised theater of Desert Storm, America learned how framing shapes belief.

Attackers apply similar principles, constructing their deceptive tactics by exploiting established trust.

Deceptive login pages replicate corporate portals, ransomware communications adopt professional language, and deepfakes are crafted to appear and sound authentic.

The primary threat is not the attack itself, but the absence of awareness regarding potential dangers. Stratagem prevails when critical scrutiny is abandoned.

Reverse Engineering the Present

Post-incident analyses consistently reveal that warning signals were present before breaches. Although alerts, logs, and telemetry data were available, they did not translate into actionable understanding.

Visibility does not equate to genuine situational awareness.

Historical events reinforce this observation.

The United States has engaged in conflicts based on incomplete or inaccurate information, often mistaking perception for certainty.

In both cybersecurity and geopolitics, failure frequently results from conflating raw data with meaningful insight.

Understanding adversaries requires effective intelligence gathering, including threat hunting, reconnaissance, and red-team exercises.

Self-awareness in cybersecurity necessitates discipline, such as maintaining asset visibility, ensuring policy integrity, and sustaining composure during operations.

A deficiency in either area enables adversarial stratagems to succeed.

The Quiet Defense

The most robust networks, analogous to resilient individuals, operate discreetly.
They do not engage in ostentatious displays; instead, they maintain a constant state of preparedness.

Their resilience is embedded within their structural design rather than expressed through rhetoric.

Authentic resilience does not stem from more active dashboards or faster technical tools. Resilience is rooted in organizational culture, situational awareness, and a humble approach. It is defined by the ability to learn, adapt, and respond more rapidly than emerging threats.

Cybersecurity, akin to statecraft, is a continuous endeavor to prevent breaches. Success is achieved not by engaging in every conflict, but by anticipating and neutralizing threats before they materialize, thereby securing victory without ever having to fight. Bringing us full circle back to understanding the fundamental nature of the original principle: If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Top 1%…at something

Grammarly sent me a little “you might have a problem” email earlier this week.

Apparently, I’ve written over 900,000 words in the last five weeks. They claim it’s more than 99% of users, with more unique words than 99% of them too. I don’t know how that’s true, but I definitely have been writing a lot lately. I had no idea it was even close to that much.

It’s both kind of cool and kind of hilarious. Why? Because it wasn’t part of a strategy, a streak, or even a goal. It just came from putting in the writing reps. One sentence, one section, and one page at a time.

I’d love to say it’s all poetry and brilliance. But it’s hardly that. It’s been mostly retelling of long hours coaching, martial and security strategies and the kind of sentences that get rewritten three or four times before they sound right.

Still, I’ll take it.

Some of it’s for the book. Some of its old stories I’m finally writing down. Some of it’s heart-wrenching, some of it’s about training, traveling, coaching, fighting, or just trying to make sense of the thoughts that appear between deadlifts, dog walks, deep in the mountains or just walking into the office.

It reminded me of something George Washington once said:

To be prepared for war is one of the most effective means of preserving peace.”

Sometimes the work is the preparation. And sometimes the work is the peace. Not trying to be prolific, just consistent.

Keeping the standard high, even when no one’s watching.

So, here’s to showing up, stringing some stories together, and hoping at least a few of them land where they’re supposed to.

Now, back to work.

The Art of Cyberwar | Part II | Let Your Great Object Be Victory

The principles:
“In war, let your great object be victory, not lengthy campaigns”…because “There is no instance of a country having benefited from prolonged warfare.”
— Sun Tzu, The Art of War, Chapter II

The Art of Cyberwar -- Part II -- Be Wary of Lengthy Campaigns

Historical precedent demonstrates that nations failing to adapt are often used as cautionary examples. Despite significant resources, the United States has not yet overcome this strategic challenge.

From Vietnam to Afghanistan, the United States has exemplified Sun Tzu’s warning by conflating endurance with strength and persistence with strategy. When military presence supersedes the objective of victory, campaigns extend beyond their intended purpose, resulting in significant human and material costs.

The Illusion of Victory

Following President George H. W. Bush’s declaration on March 1, 1991, that the United States had overcome the ‘Vietnam syndrome,’ national sentiment was celebratory. The Gulf War was conducted rapidly and with precision, widely broadcast as evidence of renewed national confidence. The conclusion of the Cold War was perceived as a triumph for democratic governance.

However, this perceived redemption represented a recurrence of previous strategic errors. The primary lesson of Vietnam—the futility of engaging in conflict without a defined objective—remained unheeded. Demonstrating rapid military success led to neglect of the risks associated with protracted engagements lacking clear victory conditions or exit strategies.

In subsequent decades, this hubris manifested in new conflicts. The invasions of Iraq and Afghanistan were initially framed as missions of defense and liberation, but evolved into prolonged operations characterized by strategic inertia. Between January 1968 and January 2022, the United States expended approximately $41 trillion on regime-change wars, supporting unstable governments, and reconstructing nations without explicit local consent.

When the conflict concluded in Kabul in August 2021, the resulting images closely resembled those from Saigon in 1975: helicopters evacuating personnel, abandonment of allied partners, and governmental collapse returning control to the previously ousted regime.

Two wars. Two generations. One unlearned truth:

“Contributing to maintain an army at a distance
causes the people to be impoverished.”

The resulting impoverishment extended beyond material losses to include diminished clarity, discipline, and strategic purpose.

The Cost of Long Wars

Sun Tzu recognized that prolonged conflict leads to internal deterioration. Geographic and temporal distance not only depletes resources but also impairs strategic perception.

Extended campaigns obscure strategic objectives and make it difficult to define victory when mere survival becomes the primary focus.

This confusion often results in a detrimental shift from strategic planning to operational maintenance.

The Cyber Parallel

A similar pattern is evident in contemporary cybersecurity. Prolonged defensive operations manifest as alert fatigue, excessive expenditures, and staff burnout. Continuous patching, monitoring, and incident response create an environment of persistent engagement. While terminology evolves, the underlying strategic mindset remains unchanged.

Cybersecurity teams often become engaged in repetitive activities, addressing recurring issues through marginally varied approaches without achieving lasting resolution.

This situation represents the cybersecurity equivalent of protracted military engagements, often referred to as ‘forever wars.’ Effective leaders, including Chief Information Security Officers (CISOs), recognize the importance of strategic restraint.

It is neither feasible nor advisable to attempt to defend all assets indiscriminately. The primary objective is not comprehensive awareness but rather targeted precision.

Security efforts should prioritize critical assets and aim to resolve threats efficiently rather than sustain ongoing conflict.

“The leader of armies is the arbiter of the people’s fate.”

Within organizational contexts, this leadership role may be assumed by a security architect, team leader, or any individual responsible for directing security resources. The fundamental responsibility remains the protection of the enterprise.

Victory Over Attrition

The primary cost of protracted conflicts, whether conventional or digital, is cumulative exhaustion. Achieving victory requires recognizing the appropriate moment to cease operations, consolidate gains, conduct assessments, and facilitate recovery.

Regardless of the domain, whether physical or digital, conflicts that lack a definitive conclusion cannot be considered genuine victories.

Once again, highlighting the timeless nature and importance of imbibing this story’s principles: “In war, let your great object be victory, not lengthy campaigns…”
because “There is no instance of a country having benefited from prolonged warfare.

Dispatches From The Blue Ridge

The day began like the perfect hymn for the weekend. First light spilling over the ridgeline. Fog blowing across the mountains like they’re alive and breathing. The whole place is brought to life by the energy of the mountains, the wind, the sun, and the sky.

You can hear a waterfall in the distance, as steady as time itself.

Later, a violet sunset arrives as the last of the day’s light folds into the night.

Then, at nightfall, the only things that remain are the ghost stories and the million stars in the sky, like a thousand bridges of light overhead, leading some old, lost spirits home over the horizon.

Overreach Is the Enemy of Resilience

yalta imperial over reach

History shows that the biggest threats to national security, safety, and sovereignty usually come from within. Empires, and leaders, often fail not because they are weak, but because they try to do too much, too quickly, and often end up heading in the wrong direction.

The Yalta Conference in February 1945 brought together Churchill, Roosevelt, and Stalin in an alliance of necessity. Few in the 1930s could have imagined democratic America and Britain siding with Stalin’s Soviet Union; yet necessity led to a partnership with lasting consequences.

The alliance beat Nazi Germany, but it also allowed the Soviet Union to spread into Eastern Europe, which led to the Cold War. The key takeaway: short-term use of power without considering long-term impact can resolve immediate issues but create new, lasting problems.

The same risks are present in cloud security today. Trying to do too much still undermines resilience.

Why Overreach Happens

Overreach is a common trap. If having some power is good, it’s easy to think that having more is better. In cybersecurity, this often happens because of:

  • Fear of falling behind leads teams to adopt new tools without a clear strategy.
  • Vendor pressure, with marketing insisting, “If you don’t have this, you’re insecure.”
  • Internal signaling, where having numerous tools initially appears impressive, but problems soon emerge.

Historical Lessons: The Cost of Overreach

Germany in WWII: Too Much, Too Fast

Germany under Hitler is a classic example of overreach. In 1941, the Nazis invaded the Soviet Union. Initially, their advance was rapid, and they gained significant territory. However, German forces became overstretched, supplies dwindled, winter conditions set in, and the supply lines became unmanageable. What appeared to be a demonstration of power ultimately contributed to their downfall.

Lesson: Expansion without capacity undermines itself.

Japan: Provoking Too Many Enemies

Japan’s decision to attack Pearl Harbor in 1941 reflected a similar flaw. In pursuit of empire across Asia, Japan provoked a much larger adversary: the United States. Instead of consolidating its position, this overreach led to a conflict Japan could not sustain. Lesson: Overreaching creates adversaries you can’t manage.

The Allies: Yalta’s Unintended Consequences

Even the victors faced challenges. The Yalta alliance was necessary at the time, but also carried significant risk. By permitting the Soviet Union to expand into Eastern Europe, the Allies set the stage for forty years of Cold War tension, arms races, and indirect conflicts. Gaining power in one region led to new risks elsewhere.

Lesson: Gains made without foresight can create future vulnerabilities.

The Cost of Overreach in Cloud Security

The same dynamics play out in modern cybersecurity:

  • Integration gaps: When you have too many tools, it’s like an army spread too thin—there are weak spots attackers can find.
  • Alert fatigue: More dashboards overwhelm teams, dulling response rather than sharpening it.
  • Diluted focus: Chasing new tools causes basics (IAM, logging, patching) to be neglected.

The main takeaway is that the paradox is that spending more and adding complexity often reduces resilience rather than strengthening it.

The Better Path: Discipline and Restraint

History points to a better approach. Resilience isn’t about growing without limits. It comes from balance, self-control, and getting the basics right.

For nations, that means understanding the limits of alliances and occupations. For cloud teams, it means:

  • Focusing on fewer, stronger tools that integrate smoothly.
  • Start by mastering the basics: IAM policies, patching cycles, logging, and monitoring. These may not be exciting, but they are essential.
  • Resisting the urge to sprawl. Don’t buy tools or add features for the sake of appearances. Invest only where it truly adds resilience.

Closing Parallel

Yalta reminds us that even the strongest powers can make bargains that carry unintended consequences. Overreach may appear to be a sign of strength in the moment, but it often sows the seeds of weakness for the future.

In cloud security, the same is true. More tools don’t equal more safety. Complexity can backfire. Overreach creates vulnerabilities. The key lesson: resilience means mastering the essentials and exercising discipline, not doing more for the sake of it. This is as true in geopolitics as it is in cybersecurity.

Where have you seen overreach undermine resilience in your organization?

Want to dive deeper into the history and strategy behind these lessons? Here are some recommended reads:

  • The Origins of The Second World War, by A.J.P. Taylor
  • Depression, War, and Cold War: Studies in Political Economy, by Robert Higgs
  • Churchill, Hitler, and “The Unnecessary War”: How Britain Lost Its Empire and the West Lost the World, by Patrick J. Buchanan
  • The New Dealers’ War: Franklin D. Roosevelt and the War Within World War II, by Thomas Fleming
  • The War That Ended Peace: The Road to 1914, by Margaret MacMillan
  • Paris 1919: Six Months That Changed the World, by Margaret MacMillan