The Art of Cyberwar | Part XIII | The Use of Spies

The principles:

“Knowledge of the enemy’s dispositions can only be obtained from other men.”

“However, spies cannot be usefully employed without a certain intuitive sagacity.”

“Be subtle and use your spies for every kind of business.”

“Hence, it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying, and thereby they achieve great results.”

The Quiet After the Fire

After the smoke clears, the last weapon isn’t destruction; it’s knowledge. Sun Tzu closes his book here, not with conquest, but with insight. The general who knows through others, he says, wins without fighting. The one who fights without knowing spends blood buying what wisdom could have earned.

In modern form, intelligence replaces escalation. Information, verified and interpreted, is the ultimate force multiplier.

The Five Spies

Sun Tzu’s framework remains elegant and practical. He identifies five types of spies, each still alive and well in today’s cyber and geopolitical landscape.

  1. Local spies – insiders, collaborators, citizens.
    • Modern analogue: human intelligence, insider threat programs, whistleblowers, or local analysts embedded in culture.
    • Lesson: you can’t know an environment without someone who breathes its air.
  2. Inward spies – the enemy’s own people who provide insight.
    • Modern analogue: defectors, double agents, internal whistleblowers, or compromised insiders in adversary organizations.
    • In cyber: infiltration of adversary forums, threat actor telemetry, or behavioral analysis of attacker TTPs.
  3. Converted spies – enemy agents who have been turned.
    • Modern analogue: captured malware turned into indicators, enemy disinformation repurposed for exposure.
    • Intelligence and counterintelligence merge – data becomes self-revealing.
  4. Doomed spies – agents sent with false information, knowing they will be sacrificed.
    • Modern analogue: honeypots, decoy networks, misinformation campaigns used to draw out adversaries.
    • Lesson: deception has cost; calculate it.
  5. Surviving spies – those who return with verified knowledge.
    • Modern analogue: analysts who gather, vet, and integrate multiple data sources to produce actual intelligence.
    • Lesson: data isn’t knowledge until it’s interpreted and fed back into strategy.

The five together form a complete intelligence loop: gather, plant, deceive, sacrifice, verify.
Today, we refer to this as the intelligence cycle.

Information as the New Espionage

We live in an age where everything and everyone collects or steals your data. Apps harvest movement. Sensors record temperature and tone. Governments build databases so vast they blur into prophecy.

But the principle hasn’t changed: intelligence is not about having information – it’s about understanding what matters and when.

A terabyte of telemetry means nothing without discernment. One well-placed attacker can outperform a thousand firewalls.

Foreign Policy and the Failure of Insight

Throughout the 20th century, U.S. foreign policy often suffered from an abundance of information and a lack of ability to interpret the intelligence it had gathered.

  • Pearl Harbor: a multitude of signals existed, but interpretation failed.
  • Vietnam: metrics replaced meaning – body counts masquerading as progress.
  • Iraq WMDs: intelligence distorted to paint a specific picture rather than inform decision-making.
  • Afghanistan: decades of data without a clear endgame, at the cost of thousands of American lives and trillions of taxpayers’ dollars.

Each case proves Sun Tzu’s point: “If you know neither the enemy nor yourself, you will succumb in every battle.”

Intelligence was there, but self-awareness wasn’t. Knowing isn’t only about them; it’s about seeing what you refuse to see in yourself.

Cyber Intelligence: Seeing Without Touching

In cybersecurity, the “spies” are telemetry, sensors, analysts, and sometimes friendly adversaries.
Every alert, log, and anomaly is a scout’s report. But like all intelligence, its value depends on interpretation.

  • Local spies: internal logs and behavior analytics.
  • Inward spies: penetration testing, red-team operations, insider threat programs.
  • Converted spies: captured malware and attacker infrastructure repurposed for defense.
  • Doomed spies: honeypots, deception networks, and fake data seeds.
  • Surviving spies: analysts, threat-hunters, and intel-sharing alliances.

The objective is clarity without exposure, to see everything while remaining unseen. Fire consumes, intelligence illuminates.

The Moral Dimension of Knowing

Intelligence work carries moral weight. Spies, human or digital, trade in trust. Sun Tzu demands that the general handle them with the highest regard: reward them generously, guard them carefully, and never waste them carelessly.

The ethical parallel today is privacy. The line between intelligence and intrusion is measured in intent and restraint. Knowledge gathered without purpose is voyeurism. Knowledge used without reflection is manipulation.

Sun Tzu’s ideal: learn enough to prevent war, not to justify one.

Strategic Lessons for Leaders

  1. Listen to your scouts.
    Truth often arrives quietly, wrapped in discomfort. Leaders who dismiss dissent lose foresight.
  2. Reward information honestly.
    Transparency and gratitude feed the flow of truth; fear and ego choke it.
  3. Centralize interpretation, not collection.
    Many sensors, one mind – unified analysis, decentralized data.
  4. Balance secrecy with accountability.
    Intelligence held too tightly becomes blindness.
  5. Use information to avoid fire.
    The goal of knowledge is to make destruction unnecessary.

From Fire to Silence

The transition from Attack by Fire to Use of Spies is the book’s moral hinge. After escalation comes discernment; after destruction, discipline.

Sun Tzu understood what modern states and corporations often forget: Force is crude, information is subtle – and subtlety wins the wars that power cannot.

In cybersecurity, this is the move from reaction to anticipation. In foreign policy, it’s the evolution from aggression to diplomacy. In leadership, it’s the shift from command to comprehension.

The best security posture isn’t dominance – it’s awareness. The most powerful army is one that rarely fights.

Epilogue — The Quiet Art

The Art of War ends not with blood or banners, but with silence, a stillness that comes from mastery.

True security, like true wisdom, is invisible.
It doesn’t announce itself.
It doesn’t need to.

When you know yourself and your adversary, every threat is already half-dissolved. When you act only when necessary, victory becomes maintenance rather than spectacle. And when you can learn from what moves unseen, you stop fighting the same battles over and over again.

As Operation Aurora, a sophisticated cyber espionage campaign that quietly infiltrated major tech companies, proved, the side with better intelligence rarely needs to escalate; quiet knowledge can outmaneuver brute force.

That’s the art of cyberwar.

That is the final lesson of Sun Tzu, and of cyberwar:
Not destruction, but understanding.
Not conquest, but control of your own attention.
Not escalation, but insight.

Not noise, but silence.

The art is not in the fight, but in the knowing. Return always to the principle: “Knowledge of the enemy’s dispositions can only be obtained from other men.”

And, in the end, mastery is realizing you rarely need to fight at all.

The Art of Cyberwar | Part IX | The Army on the March

“The Army on the March” — Illustrated for The Art of Cyberwar, Part IX. This artwork evokes the visual language of classical Chinese scroll painting, capturing the essence of Sun Tzu’s Chapter IX with striking thematic fidelity. The scene unfolds in layers across a sweeping golden landscape: tightly ordered battalions march along mountain paths, supply barges cross a winding river, and distant formations assemble beneath the rising sun. Each element reflects the logistical burden, psychological tension, and environmental dependence that define an army deep into foreign territory.
At the foreground, a lone commander on horseback surveys the terrain, flanked by advisors whose varied stances suggest counsel, observation, and caution. His elevated vantage mirrors Sun Tzu’s emphasis on awareness — the practice of reading fatigue, momentum, and environmental signals before they harden into irreversible consequences. The river crossing, perilous and slow, symbolizes the fragility of overextension; the distant city, shimmering beyond the horizon, represents both ambition and the looming threat of exhaustion.
The overall composition blends serenity with strain, grandeur with vulnerability. In doing so, it transforms ancient military wisdom into a timeless reminder for modern strategists: every march requires vigilance, and every expansion carries its cost.

The Principle:

“When you leave your own country behind, and take your army across neighboring territory, you find yourself in a position of dependence on others. There you must watch for signs of strain.” — Sun Tzu

The Signs Before the Fall

Sun Tzu’s ninth chapter is about perception.

Here he shifts from action to awareness. It’s about how a commander reads fatigue, imbalance, and internal decay before they destroy an army from within.

This is not simply a lesson in combat; more importantly, it’s a lesson in foresight. That distinction often separates a near-flawless victory from a crushing defeat.

Because every empire, every enterprise, every cyber defense effort eventually faces the same drift:

  • expansion that outruns understanding
  • momentum that hides exhaustion
  • ambition that blinds leadership
  • reach that exceeds resources

Armies break this way.
Companies implode this way.
Nations lose coherence this way.

In martial arts, this is the moment a fighter looks powerful but the signs say otherwise: misaligned footwork, the subtle tell of a hand movement, the delayed return to guard, or the half-beat of hesitation that usually precedes success but this time leads to being hit.

Sun Tzu teaches us: if you can’t read the signs, you can’t survive the march.

Overreach: The Eternal Temptation

History loves proving this point.

Rome stretched its legions from Britain to Mesopotamia until it could no longer feed its own frontiers. Britain built an empire “over all seas,” only to watch its overstretched supply lines rot from within.

The United States, victorious after World War II, constructed a global presence so vast that presence itself began replacing purpose.

Sun Tzu warned: The longer the march, the more fragile the army becomes.

Modern America has been marching for generations, militarily, economically, digitally, and each expansion has carried both pride and price.

Corporations experience the same decay. Cloud ecosystems suffer it even faster. What begins as strength (scale, reach, integration) becomes fragility when maintenance exceeds cost tolerance.

In martial arts, overreach is the fighter who throws too many power shots, chasing a knockout rather than reading the opponent. They exhaust themselves long before the opponent is even breathing heavily.

Strength without pacing is just a longer route to collapse.

The Weight of Infinite Reach

In cybersecurity, overreach becomes complexity collapse.

Each new department adopts a new tool. Each executive demands a new dashboard. Each vendor promises a universal cure.

Suddenly:

  • no one sees the whole system
  • logs pile up unread
  • alerts become background noise
  • integrations multiply into untraceable webs
  • dependencies form faster than they can be understood

What once felt powerful becomes paralyzing.

Foreign policy suffers the same rhythm on a grander scale.

WWI.
WWII.
The Cold War.
Korea.
Vietnam.
Bosnia.
Iraq.
Afghanistan.

Each began with a clean, confident objective. Most devolved into attrition, mission creep, and moral fatigue. It can confidently be argued that mission creep began with WWI, but that’s a conversation for another time.

Sun Tzu would summarize it simply: When the troops are weary and the purpose uncertain, the general has already lost.

In BJJ, this is the fighter who scrambles nonstop, burning energy on transitions without securing position. Sometimes they don’t even need to scramble or change position, but they haven’t trained long enough to know that.

In boxing, it’s the puncher throwing combinations without footwork. The fighter simply stands in place, wondering why his punches never land.

In Kali, it’s the practitioner who commits too aggressively, losing awareness of angles and openings.

The march becomes too long.
The lines become too thin.
And collapse becomes inevitable.

Business: The Corporate Empire Syndrome

Businesses suffer the same fate as empires.

Growth attracts attention. Attention fuels pressure to expand. Expansion becomes compulsive.

Suddenly, the company is chasing:

  • ten markets
  • ten products
  • ten strategies
  • ten “high-priority” initiatives

Each of these demands its own “army.”

The parallels to national instability are perfect:

  • Expansion without integration.
  • Strategy scaling faster than understanding.
  • Leaders mistaking size for stability.

Eventually, the weight becomes unsustainable.

The company can no longer “feed the army.”
Costs rise.
Culture cracks.
Purpose fades.

What killed Rome wasn’t the final battle; it was the slow erosion of balance across its territory.

Most businesses die the same way, and so do most digital ecosystems.

In Wing Chun, this is the collapse of structure, the moment you can see a fighter trying to do too much, forgetting the centerline, being everywhere except where they need to be.

Overreach is always invisible until it isn’t.

The Modern March: Cyber Empires and Digital Fatigue

Our networks are the new empires.

Every integration is a border.
Every API is a supply line.
Every vendor is an ally whose failure becomes your crisis, and you can never plan for when that crisis comes.

Cloud architecture multiplied this exponentially.

Organizations now live everywhere and nowhere at once.

Sun Tzu’s image of an army dependent on supply lines maps perfectly to modern digital infrastructure:

  • Multi-cloud systems
  • SaaS sprawl
  • CI/CD pipelines with invisible dependencies
  • Third-party integrations with inherited vulnerabilities

When visibility fades, risk multiplies. When dependencies become opaque, consequences become catastrophic.

A company that cannot trace its supply chain of code is like an army that has lost its map.

One outage.
One breach.
One geopolitical tremor.

And the entire formation can buckle.

We call this “scalability.”
Sun Tzu would call it: Marching too far from home.

Reading the Dust Clouds

Sun Tzu taught his officers to read subtle signs:

  • dust patterns revealing troop movement
  • birds startled into flight
  • soldiers’ voices around the fire
  • the speed of camp construction
  • the tone of marching feet

Modern versions of those signs are just as revealing:

  • Escalating ‘critical’ alerts no one addresses
  • Morale fading under constant pressure
  • Defensive posture maintained through inertia
  • Strategies repeated because they worked once, not because they work now
  • Partners showing hesitation before they show defection

In WWI, the Lusitania offered one of the clearest “dust clouds” in modern history.

Germany declared unrestricted submarine warfare. British intelligence knew passenger liners were targets. The Lusitania was warned. The U.S. was warned. Even the ship’s cargo, which included munitions, made it a predictable target.

Yet the warnings were dismissed.
The signs were clear.
The perception failed.

And America’s reaction, too, was predictable; a “neutral nation” was pushed closer to war by a tragedy entirely foreseeable. Some might argue that certain American politicians sought to force the US into the war. Again, that’s a discussion for another time.

Sun Tzu’s maxim remains timeless: The first to lose perception always loses position.

The Cost of Endless Motion

Overextension rarely appears dramatic at first.

It looks like success:

  • revenue rising
  • troops advancing
  • dashboards expanding
  • integrations multiplying

Then the consequences arise:

  • fatigue
  • erosion
  • misalignment
  • burnout
  • doubt

You begin fighting just to justify how far you’ve marched.

In cybersecurity, this is the company chasing every vulnerability without fixing its architecture.

In foreign policy, it’s the nation fighting endless “small wars” that collectively cost more than stability ever would.

In boxing, it’s the fighter who keeps moving forward until they walk into exhaustion, not a punch.

In Kali, it’s the flow practitioner who adds complexity until their movement becomes noise rather than intent.

Sun Tzu warned: An army that has marched a thousand li must rest before battle.

Modern systems rarely rest. We only measure uptime, not wisdom.

Restraint as Renewal

The answer isn’t retreat; it’s an informed, measured rhythm.

Knowing when to:

  • advance
  • consolidate
  • recover
  • regroup
  • reconsider the terrain

Strategic restraint is not weakness. It is self-preservation.

Rome could have lasted longer by fortifying fewer borders. Corporations could thrive longer by protecting focus instead of chasing scale. Nations could endure longer by strengthening their homeland defenses before ever wasting a single dime projecting power abroad.

Sun Tzu’s art was never about conquest. It was about sustainability.

Victory without stability is just defeat on layaway.

Awareness in Motion

Awareness is the antidote to overreach.

It requires honest measurement:

  • what’s working
  • what’s weakening
  • what’s cracking
  • what’s already lost

It requires humility: no army, business, or nation can move indefinitely without rest.

In cybersecurity, awareness is visibility.
In leadership, it’s listening.
In foreign policy, it’s simply remembering.

Awareness doesn’t stop momentum. It calibrates it.

It’s the half-beat between breaths that keeps the system alive.

Bridge to Chapter X | Terrain

Sun Tzu ends this chapter by looking outward again.

Once you’ve learned to read fatigue, imbalance, and decay within, the next step is to read the environment beyond.

The internal determines how you survive the external.

Which returns us to the opening principle: When you leave your own country behind…you find yourself in a position of dependence on others.

An army on the march teaches us to see ourselves. Chapter X, Terrain, teaches us to read the world:

  • its obstacles
  • its openings
  • its deception
  • its opportunities
  • its traps

Awareness of self means little without awareness of landscape. That’s where the next battle begins.

The Art of Cyberwar | Part II | Let Your Great Object Be Victory

The principles:
“In war, let your great object be victory, not lengthy campaigns”…because “There is no instance of a country having benefited from prolonged warfare.”
— Sun Tzu, The Art of War, Chapter II

The Art of Cyberwar -- Part II -- Be Wary of Lengthy Campaigns

Historical precedent demonstrates that nations failing to adapt are often used as cautionary examples. Despite significant resources, the United States has not yet overcome this strategic challenge.

From Vietnam to Afghanistan, the United States has exemplified Sun Tzu’s warning by conflating endurance with strength and persistence with strategy. When military presence supersedes the objective of victory, campaigns extend beyond their intended purpose, resulting in significant human and material costs.

The Illusion of Victory

Following President George H. W. Bush’s declaration on March 1, 1991, that the United States had overcome the ‘Vietnam syndrome,’ national sentiment was celebratory. The Gulf War was conducted rapidly and with precision, widely broadcast as evidence of renewed national confidence. The conclusion of the Cold War was perceived as a triumph for democratic governance.

However, this perceived redemption represented a recurrence of previous strategic errors. The primary lesson of Vietnam—the futility of engaging in conflict without a defined objective—remained unheeded. Demonstrating rapid military success led to neglect of the risks associated with protracted engagements lacking clear victory conditions or exit strategies.

In subsequent decades, this hubris manifested in new conflicts. The invasions of Iraq and Afghanistan were initially framed as missions of defense and liberation, but evolved into prolonged operations characterized by strategic inertia. Between January 1968 and January 2022, the United States expended approximately $41 trillion on regime-change wars, supporting unstable governments, and reconstructing nations without explicit local consent.

When the conflict concluded in Kabul in August 2021, the resulting images closely resembled those from Saigon in 1975: helicopters evacuating personnel, abandonment of allied partners, and governmental collapse returning control to the previously ousted regime.

Two wars. Two generations. One unlearned truth:

“Contributing to maintain an army at a distance
causes the people to be impoverished.”

The resulting impoverishment extended beyond material losses to include diminished clarity, discipline, and strategic purpose.

The Cost of Long Wars

Sun Tzu recognized that prolonged conflict leads to internal deterioration. Geographic and temporal distance not only depletes resources but also impairs strategic perception.

Extended campaigns obscure strategic objectives and make it difficult to define victory when mere survival becomes the primary focus.

This confusion often results in a detrimental shift from strategic planning to operational maintenance.

The Cyber Parallel

A similar pattern is evident in contemporary cybersecurity. Prolonged defensive operations manifest as alert fatigue, excessive expenditures, and staff burnout. Continuous patching, monitoring, and incident response create an environment of persistent engagement. While terminology evolves, the underlying strategic mindset remains unchanged.

Cybersecurity teams often become engaged in repetitive activities, addressing recurring issues through marginally varied approaches without achieving lasting resolution.

This situation represents the cybersecurity equivalent of protracted military engagements, often referred to as ‘forever wars.’ Effective leaders, including Chief Information Security Officers (CISOs), recognize the importance of strategic restraint.

It is neither feasible nor advisable to attempt to defend all assets indiscriminately. The primary objective is not comprehensive awareness but rather targeted precision.

Security efforts should prioritize critical assets and aim to resolve threats efficiently rather than sustain ongoing conflict.

“The leader of armies is the arbiter of the people’s fate.”

Within organizational contexts, this leadership role may be assumed by a security architect, team leader, or any individual responsible for directing security resources. The fundamental responsibility remains the protection of the enterprise.

Victory Over Attrition

The primary cost of protracted conflicts, whether conventional or digital, is cumulative exhaustion. Achieving victory requires recognizing the appropriate moment to cease operations, consolidate gains, conduct assessments, and facilitate recovery.

Regardless of the domain, whether physical or digital, conflicts that lack a definitive conclusion cannot be considered genuine victories.

This once again highlights the timeless nature and importance of imbibing this story’s principles: “In war, let your great object be victory, not lengthy campaigns…” because “There is no instance of a country having benefited from prolonged warfare.”