
The Art of (Cyber) War: Where Military Strategy Overlaps with Cyber Security

Updated: Oct 22, 2024


The world of cyber security is constantly evolving, with new threats and attack vectors emerging on a regular basis. As organizations struggle to keep pace with these changes, they can learn a lot from the military's approach to security and defence.


In this article, we’ll be taking a deep dive into the tactics, techniques, disciplines, and philosophies found in the military and how they apply to cyber.


Military Doctrine in Cyber Security

It goes without saying that military philosophy applies across various aspects of civilian life, anywhere from business to security. There have been so many books, written by veterans, about the lessons learned from military operations. Most of these disciplines apply to business, but I’d like to take a deeper dive into the application of military disciplines in cyber security. When you think of the military, you think of uniformed soldiers marching in unison to their objective – rifle in hand. Hollywood has created this image of the military being full of gung-ho, Rambo-looking gunslingers. While this might be true in some cases, there are fundamental principles taught to every soldier that they carry into their civilian lives. These days, the most common post-military career path for a veteran is cyber, and understandably so.


Andy Piazza, Head of Threat Intelligence at IBM X-Force & Former Senior Operations Supervisor for the US Army, says that it is clear how the military has influenced cyber discipline. “Overall, I think DoD heavily influenced cybersecurity,” Andy said when asked about the similarities between military and cyber doctrines, “From DARPA creating the internet itself to the heavy influence of former DoD personnel in the private sector ... This influence can be seen in most of our terminology: Red/Blue Team, DMZ, cyber-attack, etc.” He also stated that the military is a great training ground for early-career professionals, from which most corporations recruit.


“This influence can be seen in most of our terminology: Red/Blue Team, DMZ, cyber-attack, etc.”


Military philosophy does not just apply at an organisational level, but at that of the individual. In the military a soldier is taught self-discipline, the ability to operate within a team/unit, technical and tactical proficiency, and the ability to give clear and concise feedback in a prompt manner – among other things. It is these soft skills that make veterans such great candidates for private sector positions once they transition back to civilian life. That said, let’s investigate some of the philosophies, and strategies, applicable – and implemented – at an organisational level:


Resilience

Resilience is the ability to recover quickly from difficult or adverse situations, or to adapt and thrive in the face of change or uncertainty. In the context of cyber security, resilience refers to an organization's ability to withstand and recover from cyber attacks or other security incidents. A resilient organization is one that has implemented measures to protect against cyber attacks, such as strong security controls, threat intelligence gathering, and incident response planning. In addition, a resilient organization is able to quickly detect and respond to security incidents, minimizing the impact and reducing the time to recover from an attack. In essence, resilience is about being able to bounce back from adversity and continue to operate effectively, even in the face of unexpected challenges. In the context of cyber security, resilience is a critical attribute for organizations of all sizes, as cyber attacks are becoming increasingly common and sophisticated. By building resilience into their cyber security programs, organizations can better protect themselves from cyber threats and ensure the continuity of their operations.


Intelligence

One of the most important lessons that cyber security can learn from the military is the value of intelligence gathering. The military relies heavily on intelligence to understand the capabilities and intentions of potential adversaries, and the same is true of cyber operations. By gathering intelligence on potential cyber threats, organizations can better prepare for and respond to attacks. Intelligence gathering and analysis are critical components of any effective cyber security program. The goal of intelligence gathering is to collect and analyse information about potential threats and adversaries, including their capabilities, tactics, and intentions. This can include a wide range of data sources, such as threat intelligence feeds, network logs, and user behaviour analytics. Once this information has been collected, it must be analysed to identify potential security threats and vulnerabilities, as well as to develop effective strategies for defending against them. This may involve using advanced analytics and machine learning algorithms to identify patterns and anomalies in the data, as well as collaborating with other organizations and security experts to share intelligence and stay up to date on the latest threats and attack techniques. By gathering and analysing intelligence effectively, cyber security professionals can gain a better understanding of potential threats and take proactive steps to prevent them before they can cause significant damage.


Deception

Deception is a military strategy – that can apply to cyber security – that involves intentionally misleading an adversary through misinformation or misdirection. Deception can be an effective way to detect and deter cyber threats. In cyber security, deception involves using tactics such as honeypots, honeytokens, and other decoy systems to distract attackers and mislead them into revealing their tactics and techniques. By deploying these decoy systems, organizations can gain valuable intelligence about potential attackers and identify weaknesses in their defences. Additionally, deception can help organizations buy time to respond to an attack, as attackers may become focused on the decoy system and overlook the real targets. However, it is important to note that deception should be used judiciously and in combination with other security measures, as it may not always be effective against sophisticated attackers who are able to distinguish between real and decoy systems.


Active Defence

Active defence is another strategy that can be adopted from the military. Active defence involves actively hunting for and disrupting cyber attacks, rather than simply waiting for them to occur. This approach recognizes that traditional defence measures, such as firewalls and antivirus software, may not always be sufficient to prevent sophisticated cyber attacks, and that a more dynamic and adaptive approach may be required. This strategy can include measures such as network segmentation, intrusion detection and response, and threat hunting. By adopting an active defence strategy, organizations can proactively identify and respond to cyber threats before they cause damage.

Active defence may involve using advanced threat intelligence and analytics tools to monitor an organization's systems and networks for potential threats and anomalies, as well as taking proactive measures to block and mitigate potential attacks. This might include techniques such as honeypots and deception technology, which are designed to trick attackers into revealing their tactics and techniques, and to identify potential weaknesses in an organization's defences. By adopting an active defence approach, organizations can be better prepared to respond to potential threats and attacks and can reduce the risk of significant damage and data loss.
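The Deception and Active Defence sections above both describe honeytokens: decoy credentials that no legitimate user ever touches, so any login attempt with one is a high-confidence intrusion signal that also reveals where the attacker is operating from. The following is an added example (not code from the original article) of a defender-side honeytoken monitor; the decoy account names, the log format and the sample log lines are all constructed for illustration.

```python
"""Honeytoken monitoring: plant decoy identities, then alert on any use of them.

Because a honeytoken has no legitimate purpose, even a *failed* login with one
is worth an alert: it tells the defender that someone found the decoy and
tried it, and from which host they tried.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy identities and where each was planted (constructed sample values).
HONEYTOKENS = {
    "svc_backup_admin": "decoy credential in a backup-script config file",
    "legacy_db_ro": "decoy database account listed on an old wiki page",
    "AKIAEXAMPLEHONEY0001": "decoy cloud access key in a developer home directory",
}

# Assumed (constructed) auth log format: "<timestamp> auth <outcome> user=<id> src=<ip>"
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    token: str
    source: str
    outcome: str
    planted_in: str


def scan_auth_log(lines):
    """Return one Alert per login attempt (success or failure) that used a honeytoken."""
    alerts = []
    for line in lines:
        m = AUTH_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        user = m.group("user")
        if user in HONEYTOKENS:
            alerts.append(Alert(m.group("ts"), user, m.group("src"),
                                m.group("outcome"), HONEYTOKENS[user]))
    return alerts


def sources_touching_decoys(alerts):
    """Group tripped tokens by source host: a host that touches several decoys
    is the attacker's foothold, and the set of decoys shows which planted
    locations they have already reached."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.source].append(a.token)
    return dict(by_src)


# Constructed sample log: two normal users, then one host trying two decoys.
SAMPLE_LOG = """\
2024-10-21T08:02:11Z auth success user=alice src=10.0.4.12
2024-10-21T08:03:40Z auth failure user=bob src=10.0.4.19
2024-10-21T08:05:02Z auth failure user=svc_backup_admin src=10.0.9.77
2024-10-21T08:05:09Z auth success user=legacy_db_ro src=10.0.9.77
2024-10-21T08:07:55Z auth success user=carol src=10.0.4.31
""".splitlines()

if __name__ == "__main__":
    for alert in scan_auth_log(SAMPLE_LOG):
        print(f"HONEYTOKEN TRIPPED {alert.timestamp} {alert.token} from {alert.source} "
              f"({alert.outcome}); planted in: {alert.planted_in}")
    print(sources_touching_decoys(scan_auth_log(SAMPLE_LOG)))
```

Routing these alerts to the incident response team with the planted location attached gives the "buy time" benefit the Deception section describes: the defender learns the intruder's foothold while the intruder is still working on decoys.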


Defence-in-Depth

Defence in depth is a security strategy that involves deploying multiple layers of security controls and defences to protect against potential threats and attacks. This approach recognizes that no single security measure is foolproof and that a comprehensive security program should incorporate multiple layers of defence to provide robust protection against potential threats. In a cyber security context, this could involve implementing security controls at multiple layers of a system or network to create a layered defence system that provides multiple barriers for attackers to overcome. This might include measures such as firewalls and intrusion detection systems at the network perimeter, access controls and encryption at the application layer, and data backups and disaster recovery plans at the data layer. By deploying multiple layers of security controls and defences, organizations can create a defence in depth strategy that provides a strong foundation for protecting against a wide range of potential cyber threats and attacks.


Adversary Emulation

In The Art of War, Eastern military philosopher and General, Sun Tzu, stated that, “Attack is the secret of defence; defence is the planning of an attack”. Adversary emulation is an important component of cyber security operations that involves identifying and exploiting vulnerabilities in an organization's systems and networks before attackers can do so. This approach recognizes that by identifying weaknesses in an organization's defences and exploiting them, cyber security professionals can gain a better understanding of the organization's security posture and identify potential weaknesses that need to be addressed.


“Attack is the secret of defence; defence is the planning of an attack.”

- Sun Tzu, The Art of War


These assessments can take many forms, including penetration testing and red team exercises that simulate real-world attack scenarios to identify vulnerabilities and test the effectiveness of an organization's defences. By conducting adversary emulation operations, cyber security professionals can gain valuable insights into potential vulnerabilities and develop effective strategies for defending against them, helping to ensure that an organization's systems and networks remain secure and resilient against potential attacks. However, it is important to note that offensive operations should always be conducted with appropriate legal and ethical considerations in mind, and in accordance with best practices and industry standards.


Structure & Uniformity

The structure and uniformity of the military can provide important lessons for organizations in the field of cyber security. One key lesson is the importance of clear and consistent communication, both within teams and across different departments or units. In the military, standard operating procedures and protocols are often in place to ensure that everyone understands their roles and responsibilities, and that communication flows smoothly and efficiently. This can be translated into cyber security through the use of clear and consistent policies, procedures, and documentation, which can help to ensure that everyone understands their roles and responsibilities, and that communication flows effectively across different teams and departments. Additionally, the military's emphasis on teamwork and collaboration can also be applied in cyber security operations, where close collaboration between different teams, such as threat intelligence, incident response, and security operations, is critical for effectively detecting, preventing, and responding to potential cyber threats.


When I spoke to Harlan Carvey, Senior Incident Responder at Huntress & former USMC Communications Officer, he said that in a military unit, everyone wears their equipment the same way. Each soldier’s medikit is located in the same place as the next. He went on to say that this is done to create uniformity amongst soldiers so that, in the event that you need to locate a piece of equipment on a fellow soldier’s person, you know exactly where to find it. It also creates consistency. “Have one target; stick to it,” he added. This further strengthens the consistency and builds trust amongst operatives.


Lester Chng, Head of Crisis Management Exercises at BMO Financial Group & Former Officer in the Singaporean Navy, wrote an article on creating ‘Battlegroups’ within your organisation to strengthen security. In this article – focused on the financial services industry – he wrote about adopting the structure of a Naval Battlegroup within your organisation’s security team to combat fraud and cyber-crime. He stated that one is faced with similar challenges when combating financial crimes, as compared to Naval warfare. These challenges may include lack of information, resource management constraints, clarity of communication, and decision making. The concept of a Battlegroup within an organisation allows for “flexibility, increased reaction time, enhanced management of resources, and enforcing a sphere of influence,” according to Lester.


“Combating financial crimes poses many similar challenges and characteristics as naval warfare. Fog of war, information inadequacy, resource management, clarity of communication and critical decision making. It is therefore no surprise that you may have a Battlegroup protecting your bank. The Battlegroup concept allows for flexibility, increased reaction time, enhanced management of resources and enforcing a sphere of influence.”


Cyber Warfare

The military's approach to cyber warfare can be applied to an enterprise environment through the adoption of a comprehensive cyber security strategy that combines both offensive and defensive measures. Defensive measures could include implementing defence-in-depth strategies that utilize multiple layers of security controls to protect against cyber threats, as well as developing incident response plans and conducting regular vulnerability assessments and penetration testing. Offensive measures could include developing a robust threat intelligence capability that allows the organization to proactively identify and respond to potential cyber threats, as well as engaging in active defence techniques such as the use of deception technology and other countermeasures. Additionally, specialized cyber security teams could be established within the organization to focus on specific areas such as threat hunting, incident response, and cyber risk management. Overall, by adopting a military-style approach to cyber security, organizations can better protect their critical assets and stay ahead of potential cyber threats in an increasingly complex and evolving threat landscape.

Cyber warfare has become a reality. [1][2] The battlefield no longer consists of military and public-sector entities. Anyone can be a cyber soldier nowadays. We saw this happening during the invasion of Ukraine this time last year. The Ukrainian Minister of Digital Transformation, Mykhailo Fedorov, announced – on the 26th of February 2022 – the creation of the IT Army. The IT Army acted as a volunteer cyber warfare organisation, with the primary goal of defending Ukraine’s digital infrastructure and information systems against adversarial cyberattacks. The minister called out to any and all cyber security and IT professionals, in support of Ukraine, to help fight the fight in cyberspace. We saw an influx of security practitioners, researchers, and IT professionals around the world pledging their support to the IT Army against the Russian invasion. The world then realised that cyber warfare is borderless. Anyone with a computer and internet connection can answer the call of duty on the digital battlefront. Another realisation is that anyone can be a victim of war in this digital age. Your life may not be directly threatened, but we have seen how acts of cyber warfare have had large impacts on the livelihoods of many.


Why Military Doctrine Isn’t Widely Accepted in the Private Sector

There is a common stigma that military doctrine only works in the military. This stigma was created and fuelled by movies and cinema, depicting the military – and soldiers – as reckless gunslingers, who never look at an explosion when walking away from it. War is also not favourable and causes great loss and destruction. The involvement of politics in military operations and war also divides the general population into picking sides; those who are for the war and those against.


Cyber warfare and cyber crime are painted in a different light and don’t have the same effects as kinetic war and physical crime/violence. Physical destruction and loss of life – albeit a possibility – have never been a result of cyber operations or crime. The main motivating factors for cyber operations are misinformation or propaganda, espionage, monetary gain, or political leverage.


Ransomware is arguably the biggest cyber threat to any organisation, but nowadays – through resilience and recovery measures, and insurance policies – the effects of a ransomware attack can be greatly reduced, assets are easily reimbursed or recovered, and business operations can remain continuous.


Unless a hospital, critical infrastructure, or public service becomes the attack target, the individual will not have to endure the effects of a ransomware attack on an organisation. This creates a separation of responsibility and accountability. There will be panic for a few days (maybe even weeks), but after that it’s business as usual again.


In the military you wake up every day thinking you’ll be attacked, and you prepare yourself and your teammates accordingly. You have trained to think this way and you know how to respond to such situations. In cyber security, very few of us have this constant thought of impending attack. That said, I am not promoting scare tactics; it is not something we have to endure as security professionals.


We should approach these thoughts with an Assume Compromise philosophy. The idea behind it is that no matter how strong the organisation’s security measures are, it is impossible to guarantee that a breach will never occur.


We need to ask ourselves, “what is at stake?” What can I lose from a potential cyber-attack? Because the fact of the matter is that cyber-attacks will inevitably lead to physical damage, loss, and harm. The immediate reality of cyber threats is that our livelihoods are at stake. Threat actors have the capability to crumble infrastructure, cause major financial loss, and bankrupt businesses.


What if we take the word ‘military’ out of our sentences and thoughts when approaching these philosophies? Concepts such as zero-trust, assume compromise, threat intelligence, and resilience all stem from military doctrine. However, we think they are great concepts and strategies because they don’t shout “MILITARY”.


So, let’s look at concepts such as uniformity, structure, discipline, and training as non-military.


Unit 8200: Israel's Cyber Startup Engine

This article covered what the cyber security industry can learn from the military, but let’s look at the flip side of the coin: What can the military learn from cyber?


Let us look at a country like Israel, for instance. Israel has a mandatory military service policy.


All Israeli citizens, at the age of 18, have to enlist in the military and serve for at least 32 months. After their service, many continue their career in the military. Highly skilled individuals get assigned to specialised units. Israel’s Unit 8200 is a famous IDF Intelligence unit, with a strong focus on cyber operations and cyber intelligence. The unit is composed of highly technically skilled operatives, generally around the ages of 18-21. Israel arguably presents the most talented cyber security professionals and companies on earth. Former members of Unit 8200 have gone on to found great cyber security companies or occupy top positions in international tech companies.[1][2]


What makes members of this unit succeed as founders or help them reach top positions in the IT industry?


Idan Tendler, CEO of Fortscale, compares the management of Unit 8200 to that of a high-tech startup. New, young recruits are immediately thrown in the deep end. They are forced to think on their feet and execute tasks with little or no guidance or supervision, which, in part, contributes to Unit 8200’s ‘startup’ culture. This further prepares members for their life in tech, post service. Having worn the uniform, individuals are highly respected in the business world and many doors are opened for members in their lives after the military.


In conclusion, the military is a breeding ground for cyber security talent and many soldiers find themselves in cyber roles post-service.

Military philosophies and strategies are also very applicable to cyber security disciplines. As we’ve seen, it is not just cyber that can learn from the military. Unit 8200 has become the prime example of business practices that have been successfully implemented in the military.

As individual cyber security professionals, we can learn a lot from the disciplines of service members.

As security teams, we can learn a lot from military operations, tactics, and procedures.

And as organisations, we can learn from military philosophy and strategy to become more resilient against ever-growing cyber threats.
