Author: John P. Carlin, with Garrett M. Graff
Public Affairs, October 2018
Imagine being a senior government official summoned to the White House Situation Room to brief the President of the United States on what was then the most high-profile cyber incident in U.S. history — the devastating attack on Sony Pictures Entertainment.
Your first task is to summarize for him the plot of the “vulgar screwball comedy” called The Interview, the release of which by Sony Pictures prompted the attack. Imagine telling the President how the main characters, played by James Franco and Seth Rogen, played TV journalists who landed an interview with the North Korean leader, Kim Jong-Un, only to be recruited by the CIA to assassinate him in a plot that involves an illogical chase with a tiger, a tank, and later, somehow, Katy Perry.
Imagine trying to make sense of the fact that, against all odds and expectations, it was precisely that screwball comedy that motivated the North Korean government to launch the Sony attack — a real cyber attack that destroyed the data in thousands of corporate computers, exfiltrated valuable intellectual property, and publicly embarrassed company executives by leaking their private emails to a rapacious press.
Such was the reality for John Carlin, a former federal prosecutor who was Chief of Staff to FBI Director Robert Mueller, and, at the time of the briefing, Assistant Attorney General for national security. Carlin called those days the strangest in his nearly 20-year career in government.
Indeed, the anecdote is one of the most bizarre included in Carlin’s Dawn of the Code War, a book that provides a fascinating insider’s view not just of the Sony incident, but of nearly every major cyber attack targeting the U.S. in the last decade.
Encapsulated in Carlin’s retelling of the Sony incident are timely questions concerning the threats facing the U.S. government and American corporations: how to defend against them, and how best to respond. Those questions include issues that have vexed policymakers and government leaders throughout our nation’s most recent history. How do we define a cyberthreat: as an act of war? An act of vandalism, as President Obama called the Sony incident? A criminal act? An information operation? An attack on American private data and values?
And then come the questions concerning what kind of response is appropriate to such a targeted attack. For example, whom should organizations contact when attacked? Who in an organization is responsible for defending against cyber attacks? Who are these threat actors anyway, and what do they want? Does the attack violate any perceived international norms? What options does the U.S. government have at its disposal to respond? When and how should it do so? Are those means effective deterrents to future cyber criminals? And so on.
Readers of The Code War are treated to one man’s passionate personal mission to grapple with and answer each of those questions, both on the smaller scale of the Sony attack and in the wider sense of how the government should respond to cyber attacks by nation-states in the future. Carlin describes how he helped to transform the stodgy and largely Luddite Department of Justice into a more nimble, technologically savvy actor, one better suited to respond efficiently to such attacks in the future.
Expounding upon thoughtfully weighted themes such as “cybersecurity can’t just be an IT problem,” and “hackers are human,” Carlin builds the case for the use of federal indictments as one of the sharpest tools in the cyber policy toolkit. Spread across nine chapters and some 450 pages, Carlin’s account gives us an engrossing recent history of the threat landscape viewed from the front lines. In an industry where threat-related incidents come and go from the headlines with alarming regularity, and fade over time as public breach-fatigue sets in, this collation of events serves as a useful reminder of where we’ve been and how serious the problem of cyber attacks has become in recent years.
Included in later chapters are accounts of equally significant attacks including: Operation Aurora, in which the Chinese allegedly stole source code from thousands of tech companies (including Google); the takedown of the massive botnet Game Over Zeus; the alleged hacking of Yahoo! by Russian criminal and intelligence operatives; the theft of intellectual property from organizations, including Boeing, by various Chinese government groups; the alleged distributed denial-of-service (DDoS) attack on Wall Street banks and a New York state dam by Iranian actors; and the recent alleged Russian “active measures” operation to hack, influence, and undermine confidence in the U.S. election infrastructure during the 2016 presidential campaign.
Attacks that targeted the U.S. government are also discussed in more depth, including a lengthy chapter on the Office of Personnel Management (OPM) breach, in which Cylance features prominently. Carlin doesn’t attribute the attack on OPM to a specific Chinese group, but he does insinuate strongly that the Chinese government was responsible, despite the continuing lack of any official attribution from the Obama or Trump administrations. Carlin also links it to other alleged hacks by the same group, including one that affected the U.S. health insurance firm Anthem Blue Cross/Blue Shield.
What emerges from Carlin’s analysis is a clear picture of four nation-state threats to the U.S. — China, Russia, Iran, and North Korea — threats that present themselves as blended in nature. Russian threats combine criminal and government objectives and personnel; the Chinese threats meld traditional government espionage with economic espionage for commercial gain; the Iranian and North Korean threats mix espionage with sabotage and influence operations. Carlin argues convincingly that blended threats require a blended response, one that combines economic sanctions, diplomatic demarches, covert intelligence or military action, and criminal prosecution.
Like a prosecutor addressing a jury, Carlin goes into higher levels of detail to describe how cases were built from the ground up and resulted in indictments — instances where the U.S. government was able to state beyond doubt that specific individuals were responsible. One goal of that effort, Carlin notes, was to establish “that prosecutions are normal,” and that governments should “charge without hypocrisy”. In doing so, he argues, they strengthen the rule of law in an area that for many on both sides of the security industry still feels like the Wild West.
Carlin acknowledges that this means the Justice Department at times becomes more stick than carrot. He describes feeling like the “skunk at the garden party,” pushing prosecutions when senior administration officials in other areas of government pleaded for a less confrontational approach. He identifies the pushback he got from within government as coming from National Security Advisor Susan Rice, Secretary of State John Kerry, and President Obama himself, all of whom separately argued that bringing prosecutions against China or Iran or Russia might thwart a parallel effort to work with those countries on something of far greater economic and political value, be it climate change or non-proliferation.
To his credit, Carlin acknowledges that the policy he embraced of prosecuting nation-state actors was not always immediately or universally embraced by the victims themselves, many of whom are portrayed in the book as being more concerned about their corporate bottom lines or the happiness of their shareholders than about participating in the naming and shaming of individuals who largely operate outside the reach of U.S. law enforcement, and were therefore unlikely ever to be imprisoned.
Stylistically as well as factually, Carlin’s book is an engrossing read. Far from the usual dry prose that often permeates biographical tomes by government officials, The Code War is delightfully full of colorful metaphors. Carlin cites FBI Director James Comey comparing Chinese government hackers to “drunken burglars” who make a lot of noise when they attack. He cites FBI Director Robert Mueller likening the U.S. cyber posture to the Roman Empire, which expanded because “all roads lead to Rome,” but which became uniquely vulnerable for the very same reason.
But the best analogy and, ironically, the best counterargument to Carlin’s thesis is presented by Carlin himself at the start of the book, when he writes:
“We’re living online in a house of straw; yet even as the wolf approaches the door, not only are we not seeking shelter in a stronger house, we’re continuing to cram ever more stuff into our straw house. Catching the wolf will not fix the problem as long as we continue living in the straw house. Another wolf will always come along.”
It’s only in the book’s epilogue that Carlin makes his own rebuttal. There, he contends that rebuilding the “straw house” into something more resilient is only part of the solution. “We need efforts, too, on the offensive side,” he writes. “We need to chase the wolf away.”
Whether that goal is achieved, only time will tell. But if, as The Code War makes clear, the goal of the Justice Department over the last decade was to “shift the default inside government from keeping attacks secret to making them public…to help the public understand the threat better and allow companies and organizations to be more vigilant,” then in that goal John Carlin has succeeded mightily.
This book review was originally featured in BlackBerry Cylance's bi-annual print publication, 'Phi Magazine' - coming soon as a digital download on Cylance.com.