Cyberspace is Formless
"We may distinguish six kinds of terrain, to wit: (1) accessible ground; (2) entangling ground; (3) temporizing ground; (4) narrow passes; (5) precipitous heights; (6) positions at a great distance from the enemy."
Sun Tzu admonishes us to know and understand each type of terrain to gain advantage. But what do we have in cyberspace? We all know that cyberspace is a network of networks dispersed the world over, and that every device connected to it has an assigned IP address, static or dynamic. The telecommunications network is the physical infrastructure that provides easy connectivity to cyberspace, but its security is beyond the control of any user. While cyberspace may be an "accessible ground," we don't know if we are at "positions at a great distance from the enemy" or if the enemy is just around the corner from where we sit. And even if IP addresses provide us with endpoints that enable us to identify sources of attacks, such attack sources may not be the true source, as IP addresses may be spoofed or botnets may be used. Hackers gain an advantage in this manner. They operate in the formless expanse of cyberspace. Thus, we should learn how to operate in it too.
Considering what we understand of the enemy's capabilities and methodologies, cyberspace, and our own capabilities, it would appear that defending the organization's ICT infrastructure is a daunting task. And indeed it is. Planning to develop a security posture is a good starting point.
"The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand."
How do we enhance our strengths? How do we correct our weaknesses? How do we take advantage of opportunities? How do we deal with threats? Answers to these questions may be found in what we understand of the cyber enemy, of cyberspace, and of ourselves. Sun Tzu says:
"The enlightened ruler lays his plans well ahead; the good general cultivates his resources."
The resources that we have lie in people, processes, and technology. If we lack knowledge and skills, then awareness, education, and training will help enhance existing knowledge and skills and develop new ones. If we lack processes, adopting best practices and standards and developing policies, procedures, and guidelines will point us in the right direction. If we lack technology, we can evaluate and acquire appropriate technology solutions that will help us establish a desired security posture. This is the appropriate response to Sun Tzu's admonition for us to cultivate our resources.
"By altering his arrangements and changing his plans, he keeps the enemy without definite knowledge. By shifting his camp and taking circuitous routes, he prevents the enemy from anticipating his purpose."