Pentesting can be an enormously valuable service, but we must be aware enough when hiring or employing a pentester to balance both the advantages and disadvantages of the practice. Yes, it can reveal holes in our security, but it can also promote an illusion of security. Further, while it can help validate our current security efforts, it can, if handled poorly, itself become a potential source of misperception and even vulnerability. Before opening our systems and operations to pentesters, we should consider the following caveats, cautions, and questions: Read on …
As a red teamer, I value the Eastern perspective on deception and stratagem. I’m also aware that Edward Luttwak’s relevant caveats are worth considering. Extending Clausewitz, Luttwak observes that the path of deception is just that because, paradoxically, it is often the one that makes the least sense. Top use Luttwak’s example, I take a difficult road to surprise you because the road that makes the most (objective?) sense is also the road you expect me to take. Thus, as Luttwak says, “all that is done by way of paradoxical action as well as secrecy and deception must weaken the overall effort and perhaps greatly, but surprise yields its advantage whenever the enemy’s reaction is weakened to an even greater extent.”1 Read on …
- Edward Luttwak, Strategy, p. 7. [↩]
To understand the Russian approach to strategy and conflict, we must first understand something about the concept of reflexive control. Initially developed and championed by Vladimir Lefebvre, it’s a uniquely Russian view on stratagem and deception that repackages and reframes much of what we usually associate with Sun Tzu. If we expect deception and stratagem from China but not from Russia, we’ve set yourself up to be surprised. We’d be foolish to assume that the Russians are not currently employing reflexive control against the West.
By definition, reflexive control is “a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.”1 In other words, when employing the theory of reflexive control, you paint a picture of the world, that, if successful, your opponent accepts. This false picture compels your opponent to act in your favor. A close term in the U.S. lexicon is “perception management,”2 although the tone of reflexive control is arguably broader and more Machiavellian. Read on …
While I’m now only teaching the two-day “Becoming Odysseus” red teaming course to organizations, I’ve decided to offer a one-time online course on the topic of Eastern and Western approaches to strategy—something that I believe all red teamers should understand. In the three-hour course, I’ll spend the first two hours discussing the differences between the traditional perspectives as well as some of the Western variations that attempt to merge East and West. Specific topics and thinkers I’ll address will include
- Traditional Chinese and Greek modes of thought;
- Clausewitz, Jomini, and the Western way of war;
- Liddell Hart, Boyd, and variations on the Western way;
- Sun Tzu and shi, hsing, ch’i, and cheng; and
- The Russian concept of reflexive control.
We’ll then play out a red team case exercise from the Eastern and Western perspectives. Not only should it be a lot of fun, it should also yield some practical takeaways. Register here.
Earlier this year, an author asked me to summarize my thoughts regarding the superior red teamer. Only a small portion of my response will go into the book, so I thought I’d share the remainder of my thoughts with RTJ readers.
I first pointed the author to a 2003 RTJ post titled “10 Principles of Good Red Teaming.” While the points in that piece talk about the red team, I apply them equally to the red teamer. In hindsight, I’d change item 8 in the post to emphasize perspectives rather than order—in other words, we need to understand the relevant perspectives before we jump into the specifics. I’d also add something specific about systems thinking (more on that below). These edits aside, though, I think the original list has aged well. Read on …
I just added two new quotes to our red teaming quotes page (with a bit of additional commentary on each there). The first is from Polybius, the second from Miyamoto Musashi.
It is to be ignorant and blind in the science of commanding armies to think that a general has anything more important to do than to apply himself to learn the inclinations and character of his adversary.1
The way to win any battle according to military science is to know the rhythms of the specific opponents, and use rhythms that your opponents do not expect, producing formless rhythms from rhythms of wisdom.2
I discovered both quotes in Barton Whaley’s outstanding book on deception, Practice to Deceive.
I just finished a draft chapter in my book, and I thought I’d add to my set of running thoughts with a new post. So far, it’s involved quite a bit of reading and integrating, and it helps me to push aside the stacks of books and think about exactly what it is I think I’m learning.
Now that I’ve said I’m sympathetic to Clausewitz’s portrayal of war as a complex system, I have to balance that by saying that I believe the traditional Eastern strategists possess a superior understanding of systems-in-action. What’s more, they aren’t bound by the more structured Greek modes of thought and the Western bias for direct action. Because of this, Eastern strategies and stratagems tend to be more artful than those we find in the writings of Clausewitz, Jomini, and, indeed, most modern Western strategists. Not surprisingly, the Western strategists who do exhibit Eastern shrewdness (Liddell Hart, Boyd) borrowed heavily from the East.
My issue with the traditional Eastern strategists is that they largely dismiss the potentially ravaging effects of uncertainty. They believe that their philosophy and methods eliminate uncertainty. By flowing with the system and nudging it when necessary, they deem to manage it. The question is whether they can. I’ll explore that question in my book.
I mentioned in the previous post, that my RTJ output has declined because I’ve been working on a book. Although I won’t be serializing it here on RTJ, I will from time to time share some things I’ve learned along the way.
So far, one of the biggest lightbulb moments for me has been my reassessment of Clausewitz. I’ve long been familiar with his main contributions as well as some of the more common criticisms of his work. It wasn’t until I started digging more deeply into the Eastern way of war, though, that I began to fully appreciate the value of the “Clausewitzian” perspective. Read on …
Regular RTJ readers have no doubt noticed that posts have been infrequent lately. The main reason is that I’ve been very busy writing a book. I’ll talk more about it soon, but for now I’ll say that I’ve been immersed this past couple of months in the writings of Clausewitz, Jomini, Luttwak, Sun Tzu, Sun Pin, Mao, Jullian, Liddell Hart, Boyd, and others. It’s been absolutely fascinating, but it’s absorbed all the time I would have otherwise taken to post here. I’ve actually started—and nearly completed—a couple of posts only to fold them into the book. If I find the time, I might run a short online class later this fall on the similarities and differences between the Eastern and Western perspectives on strategy. Stay tuned …
In May, the U.S. Department of Defense published Joint Doctrine Note 1-16, “Command Red Team.” If you haven’t read it yet, you should. One of the more interesting aspects of the document is how it divides red teaming into four activities. We’d like to learn which of these types you perform, but first, take a minute to review the definitions: