Allie Mellen has written an interesting book that takes the reader through a comprehensive historical narrative of the past several decades’ worth of state-sponsored cyber attacks. While there have been numerous books on this topic, what makes this book unique is that she examines attacks that have been attributed to the US, Russia, and China, and shows their common and different approaches, and how they mix cyber warfare with their on-the-ground kinetic battles, such as what is happening in Ukraine over the past several years. 

Mellen comes to this from a deep experience with cybersecurity, including five years as an analyst at Forrester Research and several jobs for private cybersecurity vendors. 

Code War covers a lot of ground – from the earliest days of history to the present era, and how the modern digital age is just another way to repackage some of the ancient analog exploits. That deep historical coverage sets this book apart from other efforts that just skip lightly over the details and relevance of these antecedents. 

Each country has separate ways that they approach cybersecurity, both from offensive and defensive positions. Each also has different contexts in which it evaluates its cyber efforts. The US context is to ensure its national security, maintain a strong economy, and support various freedoms. China wants to maintain its regime stability, protect its national interests, and regain control and influence in Asia. Russia wants to maintain economic stability, ensure its citizens are loyal to the regime, and remain a world superpower. These mixed goals compete and conflict with each other. And while it is great to have goals, the contradictions and conflicts among them make it hard for each regime to clearly evaluate and execute its cyber efforts. 

Part of the problem, when seen in this tripartite context, is that the role and nature of the internet is vastly different among the countries. China’s internet is an instrument of state power, cultivated by absolute control. Russia’s internet is part of an hybrid digital/analog background of warfare against the world’s democracies. And in the US, the internet is part of maintaining a defensive and resilient digital ecosystem. 

One element in common with these efforts is their work to isolate their residents from the global internet community. These “splinternet” efforts restrict  freedom of speech and as Mellen notes, it “becomes more difficult to spread democratic values globally.” She chronicles the key steps of isolation and control of the internet with a series of well-researched case studies.

Mellen proceeds to deconstruct operational playbooks of the three nations, and how they have used cyberattacks to fulfill their social contracts with their citizenry. The American chapters cover a wide range of cyber misdeeds, including one chapter that tells the stories about how Nathan Van Buren and Aaron Swartz independently ran afoul of various federal laws about computer network security. Swartz got caught illegally copying millions of academic research articles in his campaign to make this information more publicly available, eventually killing himself rather than cop a plea. Van Buren was a Georgia cop who was charged with illegally unauthorized access to law enforcement databases, a case that went to the Supreme Court.  

Another historical luminary is a story of how Ben Franklin constructed one of the first disinformation campaigns. Granted, the internet was yet to be invented, but his playbook – using racist overtones – is very similar to many of the present day’s digital campaigns. “Disinformation operations have always been part of the US experience, they are just more easily scalable with the internet,” she writes.

Another story concerns how in the mid-1800s, Edgar Allen Poe was part of an abysmal voting practice called cooping, whereby people voted early and often, receiving free booze for their efforts. Mellen uses this to take a closer look at how American voting practice has become more secure, despite exaggerated recent claims to the contrary. This includes the efforts of the Cybersecurity and Information Security Agency that was once a leader in securing our elections before it lost its mission, its director Chris Krebs and at least a third of its staffers in 2024. 

Most IPJ readers are familiar with the stories about how Iran and Russia hacked our 2016 and 2020 elections, but Mellen dives into the details, showing how Iran for example tried to alter the final voting tabulations in 2020. Also a familiar tale for many readers is the plight of Phil Zimmerman, inventor of Pretty Good Privacy and how it became a legal lightning rod and the first technology to be designated a war-based munition. This has echoes of the current day whereby the Defense Department can designate Anthropic’s AI similarly (and perhaps equally unjustly).

Most of us are familiar with China’s Great Firewall, but Mellen describes its companion isolation and protective programs including the Golden Card Project (its own online financial network) and the Golden Shield Project (its national surveillance and censorship network). Some of these containment efforts have been abject failures, such as the Green Dam software that was a required application begun in mid-2009 to be installed on all Chinese computers and phones. The software was buggy and so unwieldy that the state eventually gave up the project within a few months.

Mellen analyzes numerous Russian attacks and susses out four common elements of their playbooks:

1. denial of service attacks, including GPS and satellite jamming,
2. Traditional espionage operations,
3. Psychological operations, such as phishing, disinformation, and audio/video deepfakes, and 
4. Malware-based data wipers.

Each of these elements has evolved over time, and carries its own hybrid physical attack vectors to amplify the attack. As I mentioned earlier, Ukraine is where all four of these elements were brought together alongside the physical warmaking machinery to form a single continuous battlespace.

Mellen’s tour through history and technology shows how political leadership has failed to live up to promises with its citizenry to maintain and improve their respective social contracts: China’s prosperity is crumbling, Russia’s safety is evaporating, and America’s economic divide continues to worsen. By having this deep historical dive, the reader can see where things went off the rails, and why.

Missing from her excellent treatment of world powers is a focus on Iran, although it is mentioned briefly in several case studies. Also missing is more than a passing glance at AI. 

Mellen concludes with a dark vision of the “fourth power,” that of the major tech companies who treat their users as “digital peasants living in a world of corporate feudalism. Users till the soil (creating data), pay taxes (such as subscription fees), and live in castles (the digital platforms themselves), having no say in how the kingdom is governed.” The real nation states like China, Russia and the US and the digital nation-states such as Google, Apple, and Meta all want your data and your attention so they can exploit you and leverage your resources.

Eric O’Neill has had an interesting career hunting down some of the worst spies and cybercriminals (he was one of the principals behind the takedown of Robert Hanssen). His book is a part travelogue, part instruction and best-practices manual, and part a detailed narrative of how cyber attackers ply their trade. If you haven’t heard of a few of the exploits (Colonial Pipeline, Solar Winds, WannaCry, and many others), this book is useful in describing the back story of these and others that have receded from the headlines. He draws on his own experiences at fighting these attackers from real life IT workers that are trying to keep their networks secure and protected, and “another grim reminder that once your data is out there, it’s out there for good—­ and the dark web has no return policy,” as he writes. The dark web – where criminals operate – has a gross cybercrime haul greater than Germany and Japan’s GDP combined.

We have already reached the place where we can’t trust everyday sites such as texts, FaceTime, Teams and other social sharing platforms. “Trust has become an uncommon commodity.”

O’Neill has spent years as a national security lawyer, corporate investigator and part of the threat response teams for cybersecurity vendors, so he knows the landscape very well. He wrote this book for a laudable purpose: “If enough of us become covert agents and learn to safeguard our personal data, we can also make the world safe from cyberattacks. This is how we start. One data point at a time.” His philosophy is that we must do better and start thinking like our adversaries if we are to repel their digital advances. “There are no hackers, there are only spies.” His years in law enforcement “left me with a simple axiom: Criminals are lazy. If they weren’t, they’d get day jobs.” So true. And being patient in understanding how your business has been compromised will pay off in finding where the breach took place and how to shore up your defenses.

The end of the book is worthy of clipping as a ready reference, what he calls the Spy Hunter Tool Kit. It is a list of dozens of valuable suggestions, such as never respond to a phishing text (such as the one I got while I was writing this review, asking me to change my PayPal password. (I no longer have a PayPal account, having gotten tired of all the scams and come-ons such as this one.)

His book was written while AI blossomed (I guess that is one way to describe it) and audio and video deepfakes became more common. One way to suss out if they are fake is to move your hands wildly at the beginning of a video conference call, although eventually AI will figure out a solution to this too.

If you are an experienced cybersecurity professional and want a book to give your friends, family, and co-workers, this is a good place to start with their education. If you are new to the cybercriminal world, this book will show you its depths and darkest corners, and hopefully motivate you to use better and unique passwords and other protective techniques.

This is a great introduction to cybercriminals and how to protect yourself from being their next victim.