Advanced Persistent Conflicts: Sun Tzu, Genghis Khan and the Art of Security in the Cyber Age
Updated: May 27, 2019
“Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is FOREKNOWLEDGE. That is, knowledge of the enemy’s dispositions, and what he means to do. Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience, nor by any deductive calculation. Knowledge of the enemy’s dispositions can only be obtained from other men.” – Sun Tzu “Art of War”
I admire the Chinese culture in many ways. I admire that when they set a priority, they focus on it with a clarity of mission that allows them to pursue their goals with single-minded determination. Unfettered by the shackles of a democratic process (great shackles though they be), they set the standard when it comes to mission focus.
This has been true with respect to espionage and intelligence gathering dating back centuries, so it really should come as no surprise to anyone that more often than not, when it comes to instantiating prolific intelligence networks and gathering sensitive information, the Chinese government continues to set a certain standard.
The Chinese have dominated this field dating back to the 13th century, the time of the Great Khans who devised the most sophisticated intelligence network known at the time. The system had the hallmarks of today’s cyber espionage requirements: security clearances, tokens, fast dissemination of information, and spies infiltrating commercial networks. Genghis Khan instituted a set of laws called the Yasa code (a merit-based system that rewarded performance and loyalty, not religion or ethnic background), and together with the Yam system, the Mongols’ communication network that allowed information to travel at the rate of 200-300 miles per day (in the 13th century!), he enabled an authoritative and sophisticated network of spies to flourish in merchant trade routes all through the Mongol Empire. I probably hold Genghis Khan in special esteem because he is my great great great ….great grandfather (this is not a significant fact because his progeny’s prolific breeding tendency has resulted in 0.5% of the world’s male population, or roughly 16 million descendants living today, who carry his genetic code).
Genghis Khan’s information system succeeded because it was supported by a rigid code, had infrastructure to support the mission (straightening of roads, clearing of valleys, availability of resources, namely horses, at every way station), an alignment of incentives (merchant access to the best routes if they worked as spies, as well as meritocracy to reward performance) and a clear set of priorities, supported by the public, that embraced the use of offensive (misinformation) and defensive capabilities to ensure success. Of course, ruthless enforcement was also part of the equation, which probably requires a certain flexibility in terms of respect for individual rights.
That determination and focus continue today. Recent headlines and developments clearly indicate that the Chinese are “fully engaged in leveraging all available resources to create a diverse, technically advanced ability to operate in cyberspace as another means of meeting military and civilian goals for national development.” Cyber capabilities are part of their wartime arsenal, and their society and their infrastructure (including transformation of C4ISR) are geared to facilitate that mission… much as Genghis Khan’s was.
“In all fighting, the direct method may be used for joining battle, but indirect methods will be needed in order to secure victory.” – Sun Tzu “Art of War”
Today’s threat landscape can be defined by the term “Advanced Persistent Conflicts”. Advanced because the tools are increasingly technology based (think cyber), persistent because there is no definitional timeline, no beginning and therefore no end, and conflict because the lexicon of war is outdated. Historically, the military paradigm involved a progression from peace to crisis to war, and eventually back to peace. Conflicts, in the context of war, had a clearly defined beginning and end. Even the 100-year war, punctuated by numerous unsuccessful attempts at truce, had a well-defined end to it in 1453. World War I, WWII, and the Cold War had defined enemies, defined timelines, and a call to action that was met by generations of soldiers who donned a uniform to serve their country, or humanity, as the case may be. A clear threat, met with clear purpose, defined by a clear end to the conflict. The United States has been truly great at rising to the task in this environment: we are the perfect adversary for perfectly defined enemies.
Today, we live in a different environment. An environment defined by persistent conflict but undefined broadly, at least in the United States, by a clear mission and a clear sense of the enemy. We behave in a gray zone with frenemies who invade our networks, steal our information, but buy our debt and support our economy. Declaration of war feels like a thing of the past. Take Stuxnet. Some actor, likely a state actor that will remain unnamed, used offensive cyber capability to destroy a sovereign nation’s infrastructure. In the last century, that would have qualified as a declaration of war. None was made this time.
And in this state of perpetual conflict, the United States faces an imminent threat from within. That is – is our society, our political system and common will, set up to do business and succeed against advanced persistent conflicts? Especially when the conflict is not defined by enemies storming our gates with weapons in hand, but rather lurking in our networks where they possess the power to cause as much destruction as they would with their battle axes and machine guns.
In fact, cyber-attacks represent perhaps the most troublesome component of today’s conflict landscape, regardless of whether they involve nation-states, criminals or terrorist groups. As Stuxnet made clear, cyber tools are capable of disrupting and destroying networks, physical infrastructure, and critical systems. “In the 21st Century, bits and bytes can be as threatening as bullets and bombs,” said former Deputy Secretary of Defense Bill Lynn in a recent speech.
Is it time to recognize that in the cyber age, there is and will be no peace for the United States? That because of the nature and capabilities of cyber technologies, we are in a state of conflict and we will be in a state of conflict perpetually for the foreseeable future? And that this reality requires a new kind of call to action and clarity of purpose?
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” - Sun Tzu “Art of War”
There are lessons to be learned from the Chinese: singular focus on a mission; infrastructure commitment to support the mission; proper alignment of incentives; leadership. While I don’t believe that the Chinese focus on information warfare poses an existential economic threat to the US (with historical dominance in espionage, they still didn’t launch the first airplane, discover electricity, invent the Internet, personal computers, the microprocessor, GPS navigation … though I will give them gunpowder, paper/printmaking and the compass, all critically important historically), it clearly presents a significant military and national security threat, a threat that needs to be addressed day-to-day with equal clarity of mission, embraced publicly and privately. The challenge is as much an obligation of the private sector to embrace as it is of our government, though our government, and specifically our military and intelligence agencies, must first set clear priorities to guide our collective action and response.
And if the strength of China is singular and long-term focus, the strength of America is innovation, determination and fearlessness, strengths resident in our businesses and entrepreneurs more than anywhere else. If every entrepreneur in Silicon Valley embraced the concept that we live in the age of perpetual global conflict fueled by offensive cyber-attacks, with a multitude of adversaries (criminal and state-run), some of whom are simultaneously friend and foe, and we need to re-invent our approach to security, how quickly could we vitiate and even eliminate this threat?
“Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.” – Sun Tzu “Art of War”
It is time to recognize that we are all under attack and you no longer have to wear a uniform to be a soldier in today’s conflict.
An abridged version can be found in The Daily Caller