John P. Carlin has a fascinating new book out, “Dawn of the Code War,” which discusses “how we tried to take cyberthreats out of the shadows and used the criminal justice system to shine light on cyberattacks.” Co-authored by journalist and historian Garrett M. Graff, the book takes the reader through the Obama years when, as former Assistant Attorney General for National Security and National Coordinator of the Computer Hacking and Intellectual Property (CHIP) program, John battled behind the scenes.
Like the Cold War, the Code War is not what we think of as war; it is a “complicated, multidimensional, international period of tension that requires resources across government and the private sector.” Whereas the United States concerned itself primarily with a single adversary during the Cold War, the landscape of the Code War is far more complex. It is being fought online in an environment of anonymity, against adversaries who may be individuals — hacktivists, criminals, terrorists — or organizations and nation states.
And unlike the Cold War, which predated the Internet, this Blurred World War is different in six fundamental ways:
- Blurred lines between war and peace: If the Chinese had invaded the headquarters of the Solar World factory in Oregon, we would have known we were at war. If the North Koreans had destroyed Sony’s offices in Los Angeles, we would have known we were at war. If the Russians had broken into the DNC offices in Washington, D.C., we would have known we were at war. However, when these same acts are committed remotely, it’s much harder to clearly delineate between what counts as an act of war and what does not.
- Blurred lines between private and public: In the past, national security and defense were the main job of governments. The Ford Motor Company or Campbell Soup did not build their own defense systems to protect against Russian missiles. The internet, however, is owned and operated in large part by private companies, and sharing is key to effective national defense.
- Blurred lines between nation states and individuals: Nuclear weapons and missile systems—weapons of mass destruction—required nation-state-sized investments. Today, chemical weapons, biological weapons and cyber weapons—zero-day exploits, malware, ransomware and more—can be unleashed by individuals across the world.
- Blurred lines between physical and virtual worlds: During the Cold War, “Your car was your car and your computer was your computer.” But today, your car is a computer on wheels and your computer is distributed hardware, software and data. Money is almost all virtual and cryptocurrencies are entirely virtual.
- Blurred lines between domestic and international: Country borders still mattered during the Cold War. But the world of the Code War is flat. Government agencies still operate in domestic and international silos, while “terrorists from the Middle East can communicate directly with American citizens without ever setting foot inside our country.”
- Blurred lines between what is secret and what is critical infrastructure: The book goes on to describe how over the last decade, prosecutors, federal agents and the intelligence community worked with private sector security researchers and others to impose law and order.
Public attribution is an important element in dealing with these fundamentally new aspects of war. John and the agents in service to our country sent a message across the government that it was possible to prove in a court of law who was behind an attack. They sent a message to the private sector that the government would be aggressive in confronting bad behavior online, and they sent a message to foreign adversaries that this behavior was not acceptable, and that there would be consequences.
Much remains to be done, but thanks to John and others in service, as he says, “It was a start.”
In that book, John puts out a key message: “You need to report when your networks have been attacked because you never know how your intrusion, however seemingly minor, might impact a larger investigation.”
John tells a story about how a hacker complained to an administrator, irritated that his hacking job was repeatedly deleted from a retail company’s server. The administrator asked the hacker not to attack their servers, and the hacker agreed to move his job to another server for two bitcoins (about $600 in 2015). A few months later, the hacker stole credit card information and passed a list of military and government personnel’s identifying information to a terrorist group.
Consumers who search online for “How to report a breach” may find themselves staring at the FTC’s guide on data breach response. Many find themselves utterly overwhelmed. It’s especially unfortunate because the people least likely to have the know-how to make sense of the issue are often the ones most susceptible. Small retailers are especially easy targets. They present weak links in larger companies’ supply chains, and are often in no position to detect, let alone report, such problems. Even for large companies that might be able to detect a breach, there’s no law in the United States requiring timely disclosure. Companies including Uber, Yahoo and Equifax have waited weeks or even years before reporting a breach.
Even if more companies disclosed exposures more quickly, what, if anything, could be done? In an environment where attacks keep coming and breaches keep happening, consumers and employers are exhibiting breach fatigue. Consumer behavior indicates that costs and convenience take precedence over security, so as a result little is being done. Within companies, CEO and CISO heads may roll, but mixed effects on long-term stock prices somewhat mitigate the incentive for action. However, the impact on digital identities and the impact on national security and democracy are crystal clear. Lives are at stake, if not the very substance of our political system.
At the end of Carlin’s story, the government did catch the hacker, and a Hellfire missile got the terrorist. For the rest of us, we may need to find a solution that doesn’t involve launching a missile. Unfortunately, there is no one solution. All of us have to do our part, step by step, one day at a time. Individuals should use a password manager and sign up for dark web monitoring as well as identity theft protection services. Companies need not only to manage their own security risk posture, but should also take responsibility for educating, alerting, and protecting customers and their accounts. As for our government, it needs to stop accusing the victims—breached companies—and instead pass meaningful legislation that protects individuals and provides the incentives for companies to take the appropriate action in response to breaches.