On Security Strategy: Reviving the case for Deception and Obscurity

Lately, I’ve become aware of a book called “Deciphering Sun Tzu” by Derek M C Yuen, which I’m currently reading avidly. Even before finishing it, I’m learning so much that I couldn’t wait to write about some of the insights I’ve been getting from it.

I was already familiar with two translations of the “Art of Sun Tzu”, but it wasn’t until I started reading this book that I really began to grasp its concepts and the practical application of that knowledge. As Derek Yuen observes of most Western readers of the book, I had clearly just been grabbing some flashy memes and using them when it suited my agenda.

The main thing that struck me was Derek’s explanation of how Chinese strategic thought differs from Western strategic thought.

“Chinese strategic thought is grand-strategic and systemic in nature. It is grand-strategic because it views war from a holistic perspective and employs all possible powers and means rather than military ones alone. It is systemic because it deals with nothing in isolation, but as an organic whole, with a full appreciation of relationships and contexts” (page 14). Furthermore, he also says “the Chinese tend to equate strategy (i.e. plan design to achieve a predefined aim) with stratagem (i.e. a plan intended to outwit an opponent)” (page 15).

One of Sun Tzu’s quotes in Chapter 3 of the “Art of War” is “the highest realization of warfare is to attack the enemy’s plans, next to attack their alliances, next to attack their army, and the lowest is to attack their fortified cities”.

For all that infosec, and strategists in general, have come to quote Sun Tzu, why then is “security through obscurity”, or even outright deception, not seen as an element that belongs at the top of our security strategies?

Twenty years ago it was a major no-no; today some have started to see it as a valid approach when combined with other methods, but should it not be given greater importance?

There are two parts to my challenge. For the first, I would refer to the historic example of the “Methods of Si-Ma” in Ancient China, which preceded the strategic approach employed by Sun Tzu.

Their methods were predicated on benevolence and righteousness: on being noble and just, even in war. A commander would wait until the enemy was in his chosen formation before ordering his own troops to attack.

From the “Deciphering Sun Tzu” book, talking about a duke who followed these methods: “While Mao condemns the duke as following the norm blindly without considering the tactical circumstances, the duke’s gravest miscalculation was the fact that he failed to take account of the cultural difference between himself and Chu ruler/generals. [...] he was doomed from the start”. This marked the twilight of the Zhou dynasty.

So, I think it’s clear that cyber criminals in 2019 are doing whatever they can to get their hands on our data: from social engineering, to targeted attacks, to continuously mapping our infrastructures for changes they can take advantage of, to going after our employees in their personal lives so they can leverage knowledge and mistakes to gain a privileged foothold in our organisations. Are we, as an industry, following the modern equivalent of the Methods of Si-Ma? Are we also bound for doom, then?

Lastly, I’d quote from page 69 of Derek’s book: “warfare is the Tao of Deception: in other words, stratagem and deception are at the heart of the Chinese strategic tradition. Clausewitz [on whom most modern Western strategic thought is centered], in contrast, dismisses the value of deception in warfare and instead emphasizes his thesis on the concentration of superior force at the decisive point”.

To draw an analogy with infosec: are we so concentrated on improving and investing in our controls (wanting to create our superior force) that we end up blind to less expensive and superior forms of participation, and of our role, in the modern cyber war? Because it exists. Allegedly, the Chinese and Russians and other parties are also coming after us to affect our Governments. Industry is an integral part of it, so we can’t just pretend it has nothing to do with us. If you live in the US or the UK, remember we have evidence they’re even going after our democratic systems. It’s time to try a) what’s been working for some (embedding resilience) and b) bringing back deception and obscurity as key components of our strategy.

Certainly resilience has a part to play, but I feel there’s an opportunity to think about more formal ways to embed deception and obscurity into our practices so we can start winning this.

I have a few ideas on how to approach this more formally, but would love to hear thoughts and contributions from others.

Mario Platt