The Cybersecurity Infantry, Part I: Retreat for Advantage

Read retired Marine H. John Poole’s Phantom Soldier. It doesn’t matter if you’re not in the infantry; read it anyway. It will open your eyes to the Eastern way of small-unit tactics. And while you’re reading it, contemplate the manifold parallels to cybersecurity. It will open your eyes to the global and all-pervading way of modern conflict on the plane of computer and communication systems.

While the squad leader and the cybersecurity professional might consider themselves residents of separate worlds, strong conceptual parallels exist between their domains. Before discussing specifics, it’s worth reviewing some of the core differences between the Eastern and Western perspectives. In Poole’s words,

If one were to summarize the differences between Eastern- and Western-style armies, one might say that the former generally do a better job of harnessing the perceptions and common sense of the people in contact with the enemy. Deceptive and multifaceted, this alternative “style of war” is difficult for the Western, “top down” thinker to comprehend. At times, it employs massive firepower; but more often, it relies on surprise. Its essence lies not in established procedure, but rather in flexibility to change. It encourages its practitioners to shift rapidly between opposites—to alternatively use one maneuver as a deception and its reflection as a follow through. ((Poole, Phantom Soldier, p. 13.))

To put this in Western terms, the Eastern perspective intuitively embraces systems thinking and includes a strong bottom-up aspect. Throughout his discussion of the Eastern approach, Poole peppers his narrative with multiple examples of how the Eastern approach influenced infantry engagements during World War II and Vietnam. In several of the cases, it’s actually a bit disturbing to read just how obstinate Western tacticians and leaders remained in the face of a more fluid way of fighting. It reinforces the notion that you see precisely what you want to see.

But how does this relate to cybersecurity? Several points of connection exist throughout the book. Here I introduce one, with more to follow in later posts.

Prior to reading Phantom Soldier, I seriously underestimated the importance of the ancient stratagem “[When the situation is growing hopeless,] running away [in good time] is the best stratagem.” ((Harro von Senger, The 36 Stratagems for Business, p. 189.)) I considered this, the last of the 36 stratagems, to be the stratagem of desperation, pursued only when all options have failed. The examples in Phantom Soldier caused me to reconsider. In fact, as Poole notes, “Of the 36 ruses, the last—running away—is probably the most important [italics mine] and least understood. When continuing to fight holds no strategic import, the Easterner will secretly withdraw.” ((Poole, p. 29.))

In support of this point, Poole cites the preface of the version of the 36 stratagems published by the Foreign Languages Press in Beijing. In fact, the opening sentence of the preface is “‘Of the 36 strategies, running away is the best choice.’” ((The Wiles of War: 36 Military Strategies from Ancient China, p. i.)) It’s on my shelf, but I never caught that. I’m not sure how I missed it, but I don’t think it would have meant much without reading the examples in Poole’s book, where he cites several cases of infantry employing efficacious tactical withdrawals. In one case, for example, a Japanese patrol on Guadalcanal engages Evans Carlson’s 2nd Raider Battalion, only to retreat. Poole follows the example by noting once again that “While considered less than manly in the West, running away has always been tactically valid in the East. It helps a valued resource to live to fight another day. It also helps him to bait a trap.” ((Poole, p. 51.))

In another case, Poole discusses at length a harrowing engagement between U.S. Marines and Chinese troops at the southern end of the Chosin Reservoir in November 1950. Amid Poole’s discussion, we find this quote from Eric Hammel’s Chosin: Heroic Ordeal of the Korean War: “[L]ight probes were launched by very small Chinese groups along the Fox/5 line. The Chinese recoiled whenever they met resistance, but by drawing fire they exposed the locations of … Marine automatic weapons.” ((Hammel, pp. 56–59, as quoted in Poole, p. 90.)) Once again, tactical probing and withdrawal were used intentionally to shrewd effect. This isn’t to say that Western infantry units have never employed such a maneuver; it’s merely another example among many of a common and longstanding theme in Eastern small-unit tactics.

It’s also interesting to note how the various stratagems can be used to complement one another. In the Chosin example, the Chinese units combined stratagem 13 (“Beat the grass to frighten the snake”) with stratagem 36 (running away) to yield a deadly synergy. ((Note that not all presentations of the 36 stratagems employ the same numbering scheme.)) To summarize, then, a tactical engagement followed by a timely withdrawal can be used not only to set up an ambush but also to reveal information, a fact made clear in the full translation of stratagem 13: “Ascertain the doubtful; find out about the enemy before taking action. Return and bring the enemy’s secrets to light.” ((Wiles of War, p. 115.))

One more point of interest shows up in the Wiles of War translation of stratagem 36: “Evade the enemy to preserve the troops. The army retreats: No blame [italics mine].” ((Wiles of War, p. 328.)) This may be the most significant difference between the Eastern and Western perspective on the timely retreat: in Western culture, a retreat—no matter how justified—is viewed as a failure and subject to blame and recrimination, regardless of the fact that it may represent the best choice and offer a tremendous opportunity for learning. In this, the Eastern way is superior and represents tremendous wisdom. Learning is difficult when superior options are culturally forbidden and, when taken, lead to blame.

Turning to the domain of cybersecurity, it’s possible to extract several lessons. In the highly fluid world of cybersecurity, no attacker should adopt a rigid attitude of “no retreat,” and it’s doubtful that many do. For whatever reason, the nature of conflict on the cyber plane lends itself more intuitively to the systems-oriented, bottom-up perspective. As noted above, however, the value of stratagem 36 lies not simply in the maxim “don’t retreat” but more importantly in the maxim “retreat for advantage.”

An attacker, for instance, might probe a system and withdraw simply to induce a defender to believe that his or her system is sufficiently secured. Alternatively, an attacker might attack and withdraw repeatedly to condition a defender to look in the direction of the attack and overlook attacks coming at other times from other directions. Finally, an attacker might engage and retreat simply to learn, as stratagem 13 suggests. The options available to the attacker are, if not endless, at the very least abundant enough to put the inelastic defender who thinks only in terms of the tangible at a tremendous disadvantage.

Clearly, a disconnect arises when the culturally “Western” defender views cybersecurity in terms of traditional conflict and expects the adversary to act accordingly. To lessen this disadvantage, the defender should ask (1) if everything is as it appears to be, (2) what the attacker wants the defender to do, and (3) what the attacker might have learned from the engagement. Additionally, the defender should always remember that an apparent retreat on the attacker’s part does not mean that the defender has “won” the engagement; indeed, the defender who believes this is quite possibly facilitating the attacker’s longer-range plan to deliver a doubly painful surprise somewhere down the road. Finally, the savvy defender will maintain an active learning loop, in which knowledge gained from observing fluid attackers is fed back into his or her defense.

In future posts in this series, I will discuss several more principles that emerge from a study of the Eastern approach to small-unit infantry tactics:

  • Operate “underground”;
  • Know the patterns and mix ’em up;
  • Adjust, morph, and adapt;
  • Don’t count, watch (avoid the spreadsheet mindset);
  • Decentralize and distribute;
  • Employ both the normal and the exceptional.

Mark Mateski

As both an analyst and a manager at a number of defense and security organizations, Mark has directed wargames, conferences, studies, and assessments covering a range of topics. For well over a decade he has been a thought leader in the red teaming community and has pioneered the application of systems engineering principles, techniques, and tools to the practice of red teaming. Dr. Mateski has earned degrees in political science, national security studies, and systems engineering. He is currently an executive security and strategy consultant and teaches eight different graduate courses for the Department of Engineering Management and Systems Engineering at The George Washington University. Visit the Red Team Journal