In his classic series, Martial Arts and Ways of Japan (Weatherhill, 3 volumes, 1973–1974), Donn Draeger (https://en.wikipedia.org/wiki/Donn_F._Draeger) draws distinctions between “Martial Art”, “Martial Way”, and “Martial Sport”. I strongly recommend these books to, well, pretty much anyone. They’re excellent books.

According to Draeger (Draeger, D. (1973). Classical Bujutsu: The Martial Arts and Ways of Japan, Volume 1, p19):

In modern terms, then, martial “arts” would focus on military and law-enforcement applications, while martial “ways” would focus primarily on personal improvement, and martial sports would focus on competition and performance.

While there can be significant overlap in the techniques used and in some training methods, I think the vital difference is in the intent and focus of the training, and in placing the training in the correct context.

As an example, martial sports are extremely popular, and a lot of people get a lot of satisfaction out of participation and watching them. It can be great exercise, and competition can be very exciting and satisfying. But don’t make the mistake of assuming that training in a martial sport teaches you how to protect yourself if you are attacked on the street, or you may find yourself in the position of the boxer who just got knee-capped, or the tae kwon do practitioner who just got punched in the head (both illegal strikes in certain variations of these sports).

NOTE: All of this assumes study with a “real” instructor. All bets are off if you’re “training” at a McDojo, or under someone who is a charlatan. In such cases, you may find yourself in the position of this man who attempts to use Chi to block punches... (https://www.bullshido.net/man-attempts-to-use-chi-to-block-punches/)

At the other end of the spectrum, don’t expect soldiers or police be “exciting” to watch. Their training will focus on how to kill, disable, or neutralize a threat in the most efficient way possible.

All of that said, if you are honest with yourself and understand the context of your training, you will get the most out of it. And, of course, it is possible to have multiple goals – you can train for sport and for self-defence, but understand the trade-offs. You will do as you train. If your training consists entirely of kata (forms), and you never actually hit anything, don’t assume that you will have a “powerful” punch.

Ok, but what does any of this have to do with InfoSec?

Setting aside the obvious overlap in the area of physical security, effective InfoSec is dependent on a clear understanding and prioritization of threats and responses, along with a recognition that we all have our strengths and weaknesses. So, if the boxer we describe above is interested in self-defence in addition to competition, she may decide to study other systems which focus on grappling or kicking, or focus more specifically on self-defence. Either way, this starts with an honest evaluation of your current risk profile and of your personal goals.

Troy Hunt (https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/) makes a number of excellent points about understanding the threat profile of most people with regard to their mobile devices. It’s easy to say that biometrics (fingerprint or facial recognition) are less secure than a passcode, but is that true in practice? What’s your actual risk profile? If it’s losing your phone, the two are near-equivalent (ie, most people won’t be able to break either). What about someone looking over your shoulder? Well, a passcode can be seen and used by a bystander, so fingerprint/facial recognition is better in that context.

What about the situation where someone with a gun wants access to your phone? Or, what about the $5 wrench? It’s pretty effective against both techniques. (https://xkcd.com/538/)

Looking at InfoSec more generally, consider some parallels with martial arts training.

As one example, sparring (https://en.wikipedia.org/wiki/Sparring) is a training tool which provides a simulation of an actual fight, with the goal of providing some degree of experience which will be useful if/when you participate in an actual fight.

In practice, how is this different from Red Team / Blue Team exercises often engaged in by InfoSec practitioners? (https://csrc.nist.gov/glossary/term/Red_Team_Blue_Team_Approach)

It should be noted that there is a lot of debate about the effectiveness of such exercises and how “realistic” they are. Some organizations use protective gear, while others disallow certain techniques, or apply other artificial restrictions such as time limits or limiting matches to 1:1. Similarly, Red Team / Blue Team exercises, are usually restricted in various ways – limiting the time period of the attack, or avoiding certain classes of techniques. In both cases, it is necessary to balance the level of realism with the level of risk to the organization or individual. (This is a critical factor in all types of training – combat training is not effective if injuries compromise your effectiveness in combat...)

How about mind-set?

Well, at one end of the spectrum, hackathons are comparable to competitions common in martial sports, where the goal is to compete and win.

Others, such as academics, will come up with approaches , attacks, and techniques which may not necessarily be practical (at the moment), but which certainly advance the discipline of cyber-security in fascinating ways. I would consider such people to be analogous to “martial wayists”. A great example of this sort is some of the research done by Ben Gurion University (https://cyber.bgu.ac.il/) in Israel. One of my favourites (https://cyber.bgu.ac.il/spies-can-eavesdrop-by-watching-a-light-bulbs-vibrations/) is where they developed a technique to eavesdrop on people in a room by watching a light-bulb’s vibrations. Amazing stuff!

At the other end of the spectrum are the hardcore security practitioners who share the “kill or die” mentality of “true” martial artists. These InfoSec artists are focused on dealing with real situations in real environments, and will generally strip away the BS until they get to the core issues so they can address them.

So, what’s the point? How does this help?

One thing I find very helpful is that I can apply many of the concepts I have encountered in my martial way training to InfoSec. It’s one thing to consider something like patching as “just something you have to do”, but very different to consider it in the context of anticipating an attack.

I recall hearing an old adage about your opponent being the only one who will be truly honest with you. Many people in your life will encourage you and support you, and often allow you to believe that you are better than you are, but if you are in a fight, your opponent will strike where they see weakness.

Many years ago, when I was pretty early in my karate training, I was sparring with one of our black-belts (For context, we did not use protective gear, and practised with “minimal” contact to the body, and no contact to the head. At the black-belt level, serious injuries were very rare, but bruises to the body / limbs were very common.) This person was a shodan at our dojo (first degree black belt), but had also trained for many years in several Chinese arts (Tai Chi and Kung Fu, as I recall). He was very good, both technically and as a teacher, and had excellent control.

As we sparred, he was telling me to keep my guard up, but I just wasn’t “getting” it. After a while, he tried a different strategy. He started striking, again and again, at my chest, to make it crystal clear what he was talking about. I collected a number of bruises, but eventually got the point and improved my guard.

Similarly, your various colleagues and vendors will offer advice around where to focus your efforts, and good penetration testing and “red-teaming” can certainly help, but a dedicated adversary will find things you never dreamed of.

How does this help, though? A number of ways... It helps you understand that you cannot stop all attackers, and it’s pointless to try – always assume that your opponent is stronger, faster, more experienced, etc. All you can do is minimize your risk as much as you can, by addressing the basics. Basic techniques, kata, sparring, endless practice, and continual research. Or, in InfoSec terms, patching, network segmentation, threat modelling, vulnerability assessments, penetration testing, etc, etc, etc.

One last item – I tried (briefly, but unsuccessfully) to find a source for that adage about your opponent being honest, and found a post about “The Two Biggest Lies in Martial Arts” (http://www.senseiando.com/biggest-lies-in-martial-arts/). In this post, a common misconception about Judo was described as an “ugly truth” and “false advertising”. I found it astonishing that someone calling himself a martial artist (including exposure to Judo and Brazilian Jiu Jitsu), would make such a statement.

Judo is often described as the “gentle art”, based on translating the Japanese word “ju” as “soft”, “supple”, or “flexible”. Taking this to mean that the art is “soft, flowing, and easy” is a fundamental misunderstanding of the concepts of “hard” and “soft” in the martial arts. In fact, hard and soft (“go” and “ju”, in Japanese) define a spectrum and the principles behind a given technique. (While not a Japanese speaker, I strongly suspect that “soft” or “gentle” is actually a horrible translation of the Japanese word “ju” in this context.)

“Hard” would be used to describe techniques which are direct and which usually move in a straight line. For example, a punch could be considered hard, and a block (which essentially attacks the punch) could also be considered hard. In contrast, a deflection, or pivot, or side-step could be considered “soft” in that they avoid and focus more on technique than strength.

In practice, no art is entirely hard or soft, and a balanced martial artist must understand both concepts and include them in their training.

In the context of InfoSec, we need to understand that some attacks will be “hard” and direct. A DDOS (“Distributed Denial of Service” https://en.wikipedia.org/wiki/Denial-of-service_attack) attack or other “brute force” attack can be considered in this way. They attempt to overwhelm a system’s defences to compromise it. On the other hand, searching for vulnerable non-production systems, or using side-channel attacks, or other indirect techniques could be considered “soft”, but no less dangerous.

For me, thinking of InfoSec as a martial art enriches my understanding of both InfoSec and martial arts training. So, very useful for me. I hope you find some value in it as well.

Cheers!