Inside Cybersecurity

New book by former DOJ national security chief Carlin says U.S. is engaged in global 'Code War'

By Maggie Miller / November 2, 2018

The United States is in the “early stages of a Code War” with nation-state adversaries and other online threat actors -- while political leaders and the public have yet to fully “recognize” that the “war has begun,” John Carlin, the former assistant attorney general for national security under President Obama, writes in his new book “Dawn of the Code War.”

In “Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat,” Carlin and co-author Garrett Graff -- a former national security journalist and the executive director of the Aspen Institute's Cybersecurity and Technology program -- detail the evolving cyber threats facing the country, comparing this issue to the Cold War and the U.S. position in cyberspace to a “straw house” with a “wolf at the door.” The book was formally released on Oct. 16.

“We're living online in a straw house, yet even as the wolf approaches the door, not only are we not seeking shelter in a stronger house, we're continuing to cram ever more stuff into our straw house,” Carlin, currently chair of the Global Risk and Crisis Management team at law firm Morrison and Foerster, wrote. “Catching the wolf will not fix the problem as long as we continue living in the straw house. Another wolf will always come along.”

Carlin and Graff advocate for the U.S. “to be thinking faster -- and smarter -- or we risk seeing the internet overwhelmed by nefarious attackers, and our society's and our economy's strength depleted, perhaps not just by large-scale infrastructure attacks such as on the electrical grid, but also through the everyday decisions of ordinary people to not engage, to not speak out, or to not do business because of their fears and distrust of life online … even as the wolf approaches the door, not only are we not seeking shelter in a stronger house, we're continuing to cram more stuff into our straw house -- meeting today's threat requires both building a stronger house (defense) and chasing away the wolf (offense).”

Carlin and Graff outline the growth of cyber threats from the beginning of hacking decades ago, to the use of the internet to grow terrorist cells, to the weaknesses of internet-connected devices. They also highlight the fight to combat Russian interference in the 2016 U.S. elections, an event they describe as “our first true cyber Pearl Harbor.”

Carlin discusses challenges in interview

In an interview with Inside Cybersecurity this week, Carlin said that the U.S. is “not where it needs to be” to address the threat of election interference.

“I think we've made some good steps, so it's better than it was, but it's not where it needs to be, and some have not,” Carlin said of the federal and state government response to election threats. “I think every state at a minimum should have some type of backup paper ballot so that they are not relying on all digital systems right now. Number two, in terms of something that hasn't been done, would be what I call the dead man's switch, which would be an announcement made in advance that we are going to retaliate, and a mechanism set up to it, so if there is a conclusion that someone has interfered in our elections, it's clear what the consequences would be.”

“There have been a couple different intentional statutory approaches to codify in law the idea that a non-partisan group of experts is going to determine if a nation-state is hacking, and if they are, they are going to report it, and that hopefully will drive action on our part to respond, like sanctions or other actions,” Carlin continued. “I think it's really important that we are very clear on that, because being clear on it might deter it from happening in the first place so we don't have to use those retaliatory actions.”

Carlin also said that while he couldn't point to any specific piece of election security legislation to support, “it would be good if there was legislation that covers those areas,” and that designating election systems as critical infrastructure is “a good thing.”

Carlin told Inside Cybersecurity that the public, and many federal officials, still are not fully registering the threats in cyberspace, and that “people still think in the realm of the future threat, or science fiction,” an issue that is highlighted in “Dawn of the Code War.”

“I often find that people who aren't steeped in cybersecurity still believe that solving cybercrimes is nearly impossible, that it's all just anonymous bits and bytes moving invisibly across wires around the globe,” Carlin wrote. “But the truth is that, with persistence, resources, and work, we're able to solve many -- sometimes even most -- cyber attacks. It's certainly an uphill battle.”

Carlin wrote that “even now, after the damage and the effect are clear, there's no sign that the hacks caused any policymakers in Washington to change course as radically as we need to ensure our security going forward.”

Carlin told Inside Cybersecurity that he “hopes it doesn't take an event of sufficient scope and scale that then we commit the time and resources, give these agencies more resources that they need, create with Congress and regulatory agencies a more rational regime and increase the amount of education that takes place. I hope we can get the message out while we are still in the early stages, and that we take the necessary steps now.”

In the book, Carlin and Graff describe the U.S. as moving into the “fourth epoch” of evolving cyber threats, which Carlin classified as adversaries combining kinetic, real-world attacks with cyber incidents, and causing “disruption.”

“If you do a blended attack, where you do a kinetic real world attack at the same time you launch that cyber attack, it would cause a lot of fear and disruption, so we need to try to think creatively about what they are trying to do, and then make sure that our defenses and risk management strategies are as creative as they may be,” Carlin told Inside Cybersecurity.

Another issue discussed in depth in “Dawn of the Code War” is Internet of Things devices, which Carlin and Graff say will number 20 billion worldwide by 2020, adding that “today there is no internet-connected device that's safe from a determined and advanced adversary.”

“We need to incentivize and set a minimum standard for building in security by design,” Carlin told Inside Cybersecurity. “It could range from things like using the label approach … and this could be voluntary, or this could be incentivized by legislation that would require those producing these products to certify that they've met a basic security standard, so if you get your toaster, it's got not the green energy label, it's got that it's met the cybersecurity standard label.”

Carlin noted, though, that in other sectors with “life and death consequences,” such as autonomous vehicles, “there may need to be a firmer hand in terms of what is required on the front end to meet the safety standards.”

Carlin said that while he is unsure as to whether he will write any follow-up books, one pressing reason he collaborated with Graff to create “Dawn of the Code War” was to praise the work of intelligence officials on cyber issues over the past several decades, and, as they wrote in the book, “a warning that we've built our modern society on top of fragile technology, with far too little thought as to the creativity of our adversaries.”

“I know we, as a government and as a society, are not close to where we need to be to tackle this future,” Carlin wrote. “The internet, a tool that was once created to help the US government survive a war, has now become a central point of global tension and a lurking threat to our daily lives. It doesn't have to be that way -- but we as a society and as a government need to commit to changing the trajectory.” -- Maggie Miller (mmiller@iwpnews.com)