Published July 26, 2019
Dawn of the Code War: America’s Battle against Russia, China, and the Rising Global Cyber Threat by John P. Carlin with Garrett M. Graff. Public Affairs, 2018, 464 pp.
Recent publication trends involving cyber subjects summarize the past two decades’ activity with shaded perspectives about motivation and intent. John Carlin in Dawn of the Code War, with Garrett Graff’s assistance, covers much-discussed activities from a Department of Justice (DOJ) perspective including Carlin’s multiyear role as chief of staff for FBI director Robert Mueller. These depictions offer some expanded views while failing to substantially improve upon similar works including Rise of the Machines by Thomas Rid, Cyberspies by Gordon Corera, or Dark Territory by Fred Kaplan. These other works formulate unique cyberspace perspectives while Code War focuses almost exclusively on DOJ dealings with other agencies during and after cyber events. For example, the Qassam Cyber Fighters section merely relates investigatory actions from the Drug Enforcement Administration, FBI, and National Security Agency rather than any efforts or collaboration originating from Carlin. This book is an excellent place to start for those new to the global cyber commons and cyberattacks against the United States, although those with greater familiarity can skip this work.
As mentioned, Dawn of the Code War loosely follows John Carlin’s exposure as a Justice Department agent and leader for multiple cyber events, including espionage, attack, and influence operations. Each chapter—beginning with his initial 2004 exposure—describes one to two years of an experience between the United States and adversary cyber actors as well as any eventual mitigation. The work explores three primary mitigation policies advanced by the DOJ: demonstrating clearly where US cyberspace laws create boundaries, supporting the US private sector through its actions, and communicating to foreign adversaries that continued espionage and attacks are unacceptable. Every chapter attempts to advocate those tenets to some degree, forging a policy path as well as norm expectations for those unfamiliar with US cyber operations. Each instance reveals individuals Carlin knows and when he worked with them during their time with the Justice Department.
Eight central stories advance as single chapters, beginning with China recruiting human intelligence agents to conduct economic espionage through multiyear campaigns based on obtaining corporate positions and physically transferring documents, and progressing to today’s current cyber practices. During his time with Robert Mueller, Carlin may have shaped cases like those against GameOver Zeus’s criminal activities and China’s attacks on the US Office of Personnel Management (OPM), and even exerted some influence investigating Russia’s 2016 presidential election interference. Each chapter’s single primary case includes subordinate attacks and activities that build an overall picture for the selected time frame. The work addresses how President Bush’s cyber initiative could have formed the groundwork to advance cybersecurity before being abandoned by the Obama administration for a fresh cyber start. The Obama administration’s reliance on being more naturally tech-savvy than previous regimes probably delayed more stringent cyber approaches against cyber adversaries. Actions against the Iranian Qassam Cyber Fighters’ US bank campaign and Russian hacktivist actions in Ukraine took years to pursue and fully develop, and Carlin successfully highlights administrative difficulties in obtaining clear attribution or building any federal consensus about retaliatory actions when pursuing federal criminal cases. Particularly noteworthy are the expanded insights into foreign attacks against US private companies with Iran’s destructive Sands Casino attack and North Korea’s multiple Sony attacks during 2014.
Each chapter has some additional coverage for recent attacks, with the best overall chapter tying the Target and TJ Maxx credit card attacks to Anthem’s data exfiltration before exploring the subsequent larger attacks against the federal government’s OPM. The OPM attack describes three separate Chinese-attributed cyberattacks that, in Director of National Intelligence James Clapper’s opinion, impacted central cybersecurity tenets by undermining the confidentiality, availability, and integrity of federal data involved in verifying US federal employees' financial, personal, and security clearance files (361). The three OPM attacks, months apart, each targeted different network systems. OPM’s recovery process eventually discovered one piece of installed malware per device, and no attack was discovered until three weeks after the last. Carlin clearly shows that despite the US government’s own cybersecurity focus during the relevant time periods, federal agencies failed to meet their own standards for commercial industry. A 90-day cyber-defense improvement sprint in 2015 resulted in only 15 of 29 agencies meeting basic cyber security requirements (365). After 10 years of Carlin’s assistance directing policy and legally pursuing adversaries, evidence indicated that barely 50 percent of federal agencies complied with even the most basic preventative measures.
There is some new material about US actions against foreign cyberattacks, but uncovering Carlin’s own role was difficult. His appearance seems perfunctory and based on personal connections rather than contributing activity. For example, the Russian-oriented “Slavik” chapter does not include a single action by Carlin. The standard for authors recounting personal actions in their government service—if not a full biography—should be compilations similar to Juan Zarate’s Treasury’s War (2013), describing the Department of Treasury’s counterterrorist financial actions. Carlin does possess considerable personal knowledge as a recently departed federal official, though the text fails to convey any sense of urgency or immediacy that he feels toward these struggles from his own experience. The overall conclusion makes a perfunctory mention of a “Code War,” the need for increased training, and carrying American values onto the Internet, all good ideas but lacking connection to earlier material. Carlin’s text offers some learning, but any emphasis on the Justice Department’s unique influences is unfortunately absent.
Overall, Dawn of the Code War provides an adequate introduction to the last decade’s cyber activity, especially those in the Gray Zone of not-war, faced by the United States. Cyberspace novices will get a substantial grounding while more advanced readers may find some interesting nuances about previously studied attacks. Carlin and Graff manage to advance the field somewhat by compiling significant information under a single cover to create a worthwhile stop. The text jumps somewhat chronologically but not to such an extent as to make following the material difficult. Long for an individual account at 400-plus pages, the book reads quickly. I found the material mildly entertaining and beneficial overall. While this work is not my first suggestion to pursue for a cyber history, I recommend that new cyber students add it to their bookshelf and more experienced students consider Code War for their backlog. An improvement would be a future work from Carlin depicting his own experiences in greater detail.
Dr. Mark T. Peters II, USAF, Retired
"The views expressed are those of the author(s) and do not reflect the official policy or position of the US government or the Department of Defense."