ICO News

Four Ancient Chinese Military Philosophies That Can Help Guide Cybersecurity Today – Forbes

When Sun Tzu wrote his landmark military treatise The Art of War, he certainly didn’t have cybersecurity in mind. The 13 chapters devoted to military tactics remain one of the most important texts in human history.

Though traditional warfare continues on land across the globe, it is now increasingly waged online, where cybercriminals square off against governments, companies and individuals in a modern war measured not in the loss of life, but in breaches of privacy and trust.

Much ink has been spilled in recent years advocating for novel approaches to today’s cybersecurity challenges. But might we be overlooking the teachings of a bygone innovator? Are there approaches in The Art of War that cybersecurity professionals can adopt to fight hackers and threats today?

As we turn the page on a decade that was defined by the rapid emergence and massive impact of cyberthreats, I suggest considering these four core tenets of Sun Tzu’s philosophy that can guide today’s cybersecurity professionals.

Know The Enemy And Know Yourself (知己知彼,百战不贻)

The best way to understand a cybercriminal’s mindset is to be and think like one. In an environment when criminals have unfettered access to resources and tend to be a step ahead of their victims, the best defense is to gain a better understanding of your foe. Who are they? What are they after? What vulnerabilities do they tend to exploit? What tools do they tend to use?

An entirely new industry has evolved specifically for this purpose: white hat hackers. These “ethical” hackers leverage their skills for good by working with companies to identify bugs, and many organizations are embedding some white hats into their cybersecurity teams.

Many were former black hat (“bad”) hackers who can think like criminals and have a keen understanding of the cyber kill chain — the sequence of events involved in an external attack on an IT environment. An organization that has a better understanding of this will be in a much better situation to detect issues earlier on and defend itself from an attack.

Knowing the enemy certainly benefited Tzu on the battlefield, and his tenet applies equally well to the anonymous, complex and dark world of cybercriminals.

All Warfare Is Based On Deception (兵者,诡道也)

Deception was a critical tactic on the battlefields in Tzu’s time, and it remains an integral component of all warfare today. This includes cybercriminals who utilize social engineering methods to pretend to be someone or something else to gain access to an IT environment. Cyber professionals today must understand and prepare for deceptive methods like email phishing and malware, which present major risks to an organization.

Phishing grew over 40% in 2018, with the financial industry seeing the highest level of phishing attacks. Research also shows that 91% of cyberattacks start with spear-phishing. Phishing is particularly prevalent in the loosely regulated world of cryptocurrencies, especially around initial coin offering (ICOs) hype, which has taken advantage of eager crypto investors.

We will also start to see the emergence of AI-powered malware, which, according to IBM Security, “conceals its intent until it reaches a specific victim.” This new approach “unleashes its malicious action as soon as the AI model identifies the target … similar to a sniper attack, in contrast to the ‘spray and pray’ approach of traditional malware.”

Being mindful of deception and identifying such attempts early and often can save your organization from large-scale attacks. This is where security awareness training needs to be a critical part of your cyber strategy.

Just As Water Retains No Constant Shape, So In Warfare There Are No Constant Conditions (故兵无常势,水无常形)

It’s a fool’s errand to think you can perfectly prepare for the future. Sometimes the best way to improve the security and maturity of your organization is to be overly prepared and use established industry frameworks that are internationally recognized. This is especially true for cryptocurrency companies, which operate with loose regulations that don’t mandate the same levels of security more mature industries do.

The best approach for cryptocurrency companies is to adopt a regulated mindset and obtain certifications critical to regulated industries, such as ISO 27001, PCI-DSS, NIST Cybersecurity Framework, SOC2, and the new ISO 27701 and NIST Privacy Framework.

It’s essential to build a group of talented security professionals and constantly upskill them to adapt to changing conditions. Keep your organization improving and evolving, and assume a growth mindset for individuals. This is no easy task given the nearly 3 million cybersecurity job vacancies, looser regulations in some industries and evolving tactics of cybercriminals.

The Supreme Art Of War Is To Subdue The Enemy Without Fighting (战而屈人之兵,善之善者也)

Contrary to most accepted military strategies of the time, General Tzu understood the value of not coming to blows. Not fighting was, according to Tzu, the ultimate goal of war.

Cybercriminals don’t give up easily, which is why a “defense in depth” strategy should be adopted, which relies on the tendency for attackers to lose steam over time and move elsewhere. Layer your organization’s defense mechanisms to make it harder for attackers to breach an IT environment, and their return on investment won’t look so attractive. This less militant approach forces attackers to consider whether their time is best spent targeting you. Often, they will tend to divert their energy elsewhere, where security controls are more relaxed and the payout is more rewarding.

As attack surfaces widen and the amount of data in the world steadily increases, security challenges will continue to grow and become harder to block. A robust cybersecurity strategy means building a companywide security-minded culture where security is not driven by fear, but rather by self-awareness and the understanding that it’s a collective effort.

When building this culture, it warrants taking a holistic look at approaches both modern and ancient. While Sun Tzu predated cyberattacks by 2.5 millennia, his strategies remain relevant today and can serve as a beacon of light amid the confusing clutter of modern perspectives.


Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.