
The CISO’s Perspective: Sun Tzu and the art of cyberwar

It’s been nearly a year since my wife and I bought our home in the Village of Oregon, Wisconsin. Methodically, room by room, she has been decorating and furnishing rooms with my home office being the most recent accomplishment. She has a keen eye for decorating and a sense of detail that reveals much about our life together over the last 37 years. She knows how the little things make us feel good about where we’ve been and inform how we should react to where we are headed.

Among the details in my “new” office that really impress me is the way my bride laid out the books on the shelves. Nestled amongst the mementos from our life in the Navy and our world travels, she placed the U.S. Navy Watch Officer’s Guide on a shelf across from my copy of Sun Tzu’s essays on the Art of War, which I was given in 1988 when I received my commission (the certificate tendering my commission is framed and hangs on the wall above the shelf). Both books are staples in a Navy Officer’s life and great texts to pull out occasionally, since many of life’s important lessons can be found in their pages. Seizing the opportunity found in my discovery on the bookshelf, I decided it was time to re-read Sun Tzu.

Many can quote the famous “Know your enemy, know yourself” attributed to the Chinese general, soldier and philosopher. Many turn it into a missive on ensuring you understand your defenses as well as you understand the offensive strategy your enemy will use to defeat you. While it would be fun to clarify that slight misinterpretation, I want to focus on the passage in the essay titled The Warring States where the career of a famous Chinese soldier named Wu Ch’i changed from soldier to government administrator. Unfortunately, he practiced the same brutality in running civil affairs as he did on the battlefield – not always the wisest career move, since the art of politics and the art of war are often in conflict. The essay noted that when the ruling King Tao was assassinated for being a corrupt ruler in 381 B.C., Wu Ch’i was also killed.

The essay goes on to talk about that important age where the relative chaos of politics and war called for “practical solutions to the problems of politics and war.” In those times there were scholars who traveled around offering leaders ideas on how to deal with war and defend their kingdoms.

At UW-Madison we have spent the last year listening to a battalion of vendors who wanted to give us advice and solutions to the current threats we face in what I’ll call Cyberwar (a convenient title for the sake of the blog). Vendors all believe their answers to our problems are the best and are easily applied to higher education. They carry tales of how well they can see the unseen and how they understand the tactics, techniques and procedures of our cyber adversaries. They tell tales of battles won and solutions generated that will easily turn our problems into historical tales if only we would give them the coveted contract.

Jeff Savoy leads the Monitoring and Incident Response domain team that has listened, observed, asked pointed and insightful questions, and supervised proof-of-concept demonstrations that led to a final selection of products and strategies to carry UW-Madison to the next level of cybersecurity. The hard workers include Jim Richards, Allen Monette, Gary Faulkner and Along Vang – our front line of defense against bad cyber actors and vendors…

Oh, they have day jobs too! The Monitoring and IR Team manages a variety of vulnerability management and surveillance tools. They see activity across the network that could result in loss of availability of our networks and services; monitor intelligence resources that reveal indicators of possible compromises; reset accounts locked out due to advanced threats like phishing or other socially engineered threats; and they keep up with the diverse technologies on campus to ensure manufacturer patches are applied in time to avoid the inevitable disaster should a bad actor decide to exploit the vulnerability the patch is designed to fix.

The team investigates everything from conditions of weirdness to significant incidents to outright criminal activity. They have certified forensic analysts and frequently support campus legal and law enforcement investigations using our state-of-the-art capabilities and tools. They hold certifications and titles that truly set them apart – on campus and within the IT security industry. While we are reluctant to share details for most of their activity, I can attest that they are at the top of their craft and we are really lucky to have them.

A quick disclaimer: The Monitoring and IR team does not monitor personal activity – unless that activity directly impacts the security of the campus networks or IT systems that support teaching and learning or the important research conducted on campus or with our networked partners. We look for technical indicators like virus signatures, malicious code, malformed packets, large-scale data loss, and compromised credentials, not what websites are visited or the content of e-mail (unless the e-mail has a malicious file that could take out your laptop’s file system or spread viruses, Trojans or worms that will create chaos in our IT environment).

Let’s return to Sun Tzu for a moment. The essay The Warring States draws to a close by discussing that while war existed and was usually a result of personal or political conflict, war also helped usher in ages of change. Iron was known in China as far back as 500 B.C. but was extremely rare since smelting had not been invented. Cybersecurity tools have likewise been constantly evolving, but without a talented team to operate and tune them, their impact would be like that of un-smelted iron ore: nice to look at but not effective for its full value. Stay tuned for updates as we incorporate a new set of tools and processes that will elevate our cybersecurity posture.

Look toward the Monitoring and IR Team to quickly add value to your IT systems and networks – even more than they do today.

As always, I appreciate your feedback. Simple rules – be nice, be fair and be honest. Please e-mail your thoughts to security@wisc.edu and we will periodically post them with helpful answers.