'On War' From Carl Von Clausewitz (Part 2)

Hi !

The theories of Carl von Clausewitz provide a powerful framework for understanding cybersecurity as a form of modern conflict shaped by uncertainty, politics, and strategic priorities. To apply these principles concretely to cybersecurity, you must stop viewing IT security as a purely technical issue and start treating it as a conflict of human wills.

Here is a methodological guide to transposing his fundamental principles into your cyber defense strategy:

  1. Cyberwar as a Continuation of Several Things

In cybersecurity, attacks are rarely random; they can be motivated by political, economic, or strategic objectives, or simply by the challenge. Always remember that cyber operations should be analyzed in their geopolitical context.

Here are some examples:

  • Cyber-espionage;
  • Disruption of critical infrastructure;
  • The desire to determine who is the best;
  • Implementing operations to influence something or someone.

  2. Dissipating the “Fog of War” Through Visibility

The fog represents uncertainty and misinformation on the battlefield. In cyber, the fog always benefits the attacker, who hides in the shadows of the network.

Remember that you cannot defend what you cannot see. A lack of visibility into logs or connected devices (Shadow IT) is the modern equivalent of fog.

To mitigate this potential lack of visibility, deploy tools that give you complete visibility (SIEM, EDR, XDR) and centralize their telemetry.

You can also invest in Cyber Threat Intelligence (CTI): understanding who is attacking you and how they operate (their TTPs) helps clear the fog and lets you anticipate their movements rather than merely react.
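As an added example (not from the original article), here is one way to measure the Shadow IT part of the fog instead of guessing at it: a small Python script that parses constructed DHCP lease log lines (dnsmasq-style, sample data) and compares every device that obtained an address against a hypothetical asset inventory. Each device on the wire that the inventory cannot account for is a piece of fog, and the visibility ratio gives you a number to track over time. The log lines, MAC addresses and inventory entries are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical asset inventory (a CMDB export, constructed for this example): MAC -> known asset.
INVENTORY = {
    "aa:bb:cc:00:00:01": "dc01 (domain controller)",
    "aa:bb:cc:00:00:02": "fs01 (file server)",
    "aa:bb:cc:00:00:03": "wks-alice (workstation)",
}

# Constructed DHCP server log lines in dnsmasq style (sample data, not real logs).
DHCP_LOG = """\
Jun 11 08:01:12 dhcp01 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.10.5 aa:bb:cc:00:00:01 dc01
Jun 11 08:02:40 dhcp01 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.10.23 aa:bb:cc:00:00:03 wks-alice
Jun 11 08:05:03 dhcp01 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.10.77 de:ad:be:ef:00:42 raspberrypi
Jun 11 08:07:55 dhcp01 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.10.78 11:22:33:44:55:66
Jun 11 08:09:10 dhcp01 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.10.23 aa:bb:cc:00:00:03 wks-alice
"""

# Only DHCPACK matters: it is the moment a device actually obtains an address on your network.
LEASE_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str  # empty when the client sent no hostname


def parse_leases(log_text):
    """Extract one Lease per DHCPACK line; unrelated lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def find_shadow_it(leases, inventory):
    """Devices that got an address but are unknown to the inventory: one per MAC, sorted by IP."""
    unknown = {}
    for lease in leases:
        if lease.mac not in inventory:
            unknown.setdefault(lease.mac, lease)  # keep the first sighting of each device
    return sorted(unknown.values(), key=lambda l: tuple(int(o) for o in l.ip.split(".")))


def visibility_ratio(leases, inventory):
    """Fraction of distinct devices seen on the wire that the inventory can account for."""
    seen = {lease.mac for lease in leases}
    if not seen:
        return 1.0  # nothing observed, nothing unaccounted for
    return len(seen & set(inventory)) / len(seen)


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    print(f"visibility: {visibility_ratio(leases, INVENTORY):.0%} of active devices are inventoried")
    for lease in find_shadow_it(leases, INVENTORY):
        print(f"unknown device {lease.mac} at {lease.ip} ({lease.hostname or 'no hostname'})")
```

In a real deployment the same comparison would be fed from the SIEM's DHCP, ARP or switch telemetry rather than a string constant, and the unknown devices would become tickets or alerts; the point is that the fog becomes a list you can work through and a ratio you can report.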

  3. Reducing “Friction” Through Operational Simplicity

Clausewitz explains that friction (the unexpected, fatigue, failures) is what causes the most perfect plans to fail.

One example among many: a 200-page Incident Response Plan (IRP) is useless in the middle of a ransomware crisis.

Friction will inevitably set in (panic, loss of access to documentation, tools failing to respond), so to address this:

  • Simplify your playbooks: reduce them to one-page checklists for each type of incident;
  • Automate repetitive tasks (using a SOAR) to eliminate human error in high-stress situations;
  • Set up “out-of-band” alternative communication channels (e.g., Signal or isolated servers) that are ready to use if the primary network is cut off.

  4. Identifying and Hardening the “Center of Gravity” (Schwerpunkt)

The Center of Gravity is the vital element upon which the entire power of the adversary (or your own) depends. If this point falls, everything collapses.

Remember that you cannot defend every server, every folder, and every connected device with the same level of intensity. You must map your network to find your own Schwerpunkt.

Identify your critical assets (Active Directory, customer databases, source code). Concentrate 80% of your hardening, monitoring, and encryption efforts on these areas.

Against the attacker, identify the weak point of their command infrastructure (Command & Control or C2 servers). Isolating these servers from your network cuts off the head of the attack.

  5. Concentration of Your Forces

You should see a cyber conflict as a continuous cycle:

Attack -> defense -> adaptation

Resources should not be spread too thin: your resources are rarely infinite, and the area to be covered may be extensive. So you need to prioritize high-value assets and high-impact threats, and this requires a lot of work:

  • Continuous improvement of your defense;
  • Go hunting for threats that may evolve. Don’t forget that the hacker(s) have resources and various plans (including backup plans to achieve their goals);
  • Consider adopting adaptive security strategies, a bit like a reed bending in the storm.

  6. Exploiting the “Superiority of the Defense”

Clausewitz theorized that defense is inherently stronger than attack because the defender chooses the terrain and waits for the attacker to exhaust themselves or make a mistake.

The attacker must move through your infrastructure, so your network architecture should be designed to be their worst nightmare.

For example, adopt a Zero Trust model (never trust, always verify): every single lateral movement by the attacker must require re-authentication.

Deploy honeypots: fake, intentionally vulnerable servers. By entering them, the attacker reveals their presence and tools without causing actual damage. You are using your home-field advantage to trap them.
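As an added example, not from the original article, here is the home-field advantage expressed in code: a minimal TCP decoy in Python that listens on a port nothing legitimate should use, answers with a constructed fake service banner, captures the first bytes any visitor sends, and turns every connection into a high-confidence alert. `probe_decoy` is a test client standing in for a scan that stumbles onto the decoy so you can verify the alerting works; the banner, alert fields and probe payload are constructed for illustration and the decoy grants access to nothing.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner: advertises a service nothing legitimate should ever talk to.
DECOY_BANNER = b"220 legacy-admin-01 FTP service ready\r\n"


class Honeypot:
    """A minimal TCP decoy: serves a fake banner, stores nothing real, and turns
    every connection into a high-confidence alert for the SOC."""

    def __init__(self, host="127.0.0.1", port=0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0 lets the OS pick a free port (handy for tests)
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._sock.close()
        self._thread.join(timeout=2)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:             # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        # Speak just enough to look real, record what the visitor sends first,
        # then drop the connection. Nothing here leads anywhere.
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(DECOY_BANNER)
                first_bytes = conn.recv(256)
            except (socket.timeout, OSError):
                first_bytes = b""
        alert = {
            "time": datetime.now(timezone.utc).isoformat(),
            "severity": "high",          # legitimate users never touch a decoy
            "rule": "honeypot.connection",
            "source_ip": addr[0],
            "source_port": addr[1],
            "decoy_port": self.port,
            "first_bytes": first_bytes[:64].decode("latin-1"),
        }
        with self._lock:
            self.alerts.append(alert)

    def wait_for_alerts(self, count, timeout=2.0):
        """Block until `count` alerts have been recorded or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.01)
        with self._lock:
            return list(self.alerts)


def probe_decoy(port, payload, host="127.0.0.1"):
    """Test client standing in for a scanner that hits the decoy; returns the banner it saw."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def demo():
    """Run the decoy, let one constructed probe hit it, and return the alerts it produced."""
    hp = Honeypot()
    hp.start()
    try:
        probe_decoy(hp.port, b"USER admin\r\n")   # constructed probe traffic
        return hp.wait_for_alerts(1)
    finally:
        hp.stop()


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The alert dictionary is shaped so it can be shipped straight to a SIEM: because no legitimate process ever connects to the decoy, a single event is enough to open an incident, which is exactly the low-noise, high-confidence signal the defender's chosen terrain is meant to produce.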

Summary

To align your organization with Clausewitzian thought, ensure your cyber strategy balances these three pillars:

  1. Reason (Governance / CISO): The cyber strategy must align with the business and policy risks of the company (no tech for the sake of tech).

  2. Talent (The Blue Team): Well-trained analysts who are capable of using intuition and managing the unexpected when facing the friction of a live attack.

  3. Passion (Company Culture): Training and raising awareness among employees so they are not the weakest link (phishing), but rather an engaged first line of defense.

Cybersecurity is not just about tools, vulnerabilities, or code. It is about conflict under uncertainty. Clausewitz provides a framework for understanding that reality: the “fog of war”, friction, imperfect information, and the constant tension between strategy and execution. These are not abstract ideas; they describe the everyday environment of modern security operations.

Frameworks like MITRE ATT&CK explain attacker behaviors in detail, but they do not fully capture the systemic chaos defenders face: misconfigurations, human error, incomplete visibility, and competing priorities. Clausewitz helps make sense of that complexity and teaches why perfect security is unattainable, but effective strategy is not.

Reading Clausewitz does not make someone a military strategist; it builds discipline in thinking about priorities, trade-offs, and resilience. It reinforces the need to identify what truly matters, to concentrate resources, and to remain effective despite uncertainty and disruption.

Even if cybersecurity professionals never formally apply the theories of Carl von Clausewitz, they are overlooking a critical foundation if they haven’t at least read On War. At a minimum, anyone working in cybersecurity should read it, not as a historical text, but as a practical guide to understanding how to operate, decide, and endure in a constantly evolving conflict.

We will continue exploring the principles laid out in "On War" in a future article.

Cheers