Allie Mellen has written an interesting book that takes the reader through a comprehensive historical narrative of the past several decades’ worth of state-sponsored cyber attacks. While there have been numerous books on this topic, what makes this book unique is that she examines attacks that have been attributed to the US, Russia, and China, and shows their common and different approaches, and how they mix cyber warfare with their on-the-ground kinetic battles, such as what has been happening in Ukraine over the past several years.
Mellen comes to this from a deep experience with cybersecurity, including five years as an analyst at Forrester Research and several jobs for private cybersecurity vendors.
Code War covers a lot of ground – from the earliest days of history to the present era, and how the modern digital age is just another way to repackage some of the ancient analog exploits. That deep historical coverage sets this book apart from other efforts that just skip lightly over the details and relevance of these antecedents.
Each country approaches cybersecurity in its own way, from both offensive and defensive positions. Each also has different contexts in which it evaluates its cyber efforts. The US context is to ensure its national security, maintain a strong economy, and support various freedoms. China wants to maintain its regime stability, protect its national interests, and regain control and influence in Asia. Russia wants to maintain economic stability, ensure its citizens are loyal to the regime, and remain a world superpower. These mixed goals compete and conflict with each other. And while it is great to have goals, the contradictions and conflicts among them make it hard for each regime to clearly evaluate and execute its cyber efforts.
Part of the problem, when seen in this tripartite context, is that the role and nature of the internet are vastly different among the countries. China’s internet is an instrument of state power, cultivated by absolute control. Russia’s internet is part of a hybrid digital/analog background of warfare against the world’s democracies. And in the US, the internet is part of maintaining a defensive and resilient digital ecosystem.
One element in common with these efforts is their work to isolate their residents from the global internet community. These “splinternet” efforts restrict freedom of speech and, as Mellen notes, it “becomes more difficult to spread democratic values globally.” She chronicles the key steps of isolation and control of the internet with a series of well-researched case studies.
Mellen proceeds to deconstruct the operational playbooks of the three nations, and how they have used cyberattacks to fulfill their social contracts with their citizenry. The American chapters cover a wide range of cyber misdeeds, including one chapter that tells the stories of how Nathan Van Buren and Aaron Swartz independently ran afoul of various federal laws about computer network security. Swartz got caught illegally copying millions of academic research articles in his campaign to make this information more publicly available, eventually killing himself rather than cop a plea. Van Buren was a Georgia cop who was charged with illegal, unauthorized access to law enforcement databases, a case that went to the Supreme Court.
Another story involves a historical luminary: how Ben Franklin constructed one of the first disinformation campaigns. Granted, the internet was yet to be invented, but his playbook – using racist overtones – is very similar to many of the present day’s digital campaigns. “Disinformation operations have always been part of the US experience, they are just more easily scalable with the internet,” she writes.
Another story concerns how in the mid-1800s, Edgar Allan Poe was part of an abysmal voting practice called cooping, whereby people voted early and often, receiving free booze for their efforts. Mellen uses this to take a closer look at how American voting practice has become more secure, despite exaggerated recent claims to the contrary. This includes the efforts of the Cybersecurity and Information Security Agency that was once a leader in securing our elections before it lost its mission, its director Chris Krebs and at least a third of its staffers in 2024.
Most IPJ readers are familiar with the stories about how Iran and Russia hacked our 2016 and 2020 elections, but Mellen dives into the details, showing how Iran, for example, tried to alter the final voting tabulations in 2020. Also a familiar tale for many readers is the plight of Phil Zimmermann, inventor of Pretty Good Privacy, and how it became a legal lightning rod and the first technology to be designated a war-based munition. This has echoes of the current day whereby the Defense Department can designate Anthropic’s AI similarly (and perhaps equally unjustly).
Most of us are familiar with China’s Great Firewall, but Mellen describes its companion isolation and protective programs including the Golden Card Project (its own online financial network) and the Golden Shield Project (its national surveillance and censorship network). Some of these containment efforts have been abject failures, such as the Green Dam software, an application that, beginning in mid-2009, was required to be installed on all Chinese computers and phones. The software was so buggy and unwieldy that the state eventually gave up the project within a few months.
Mellen analyzes numerous Russian attacks and susses out four common elements of their playbooks:
- Denial of service attacks, including GPS and satellite jamming,
- Traditional espionage operations,
- Psychological operations, such as phishing, disinformation, and audio/video deepfakes, and
- Malware-based data wipers.
Each of these elements has evolved over time, and carries its own hybrid physical attack vectors to amplify the attack. As I mentioned earlier, Ukraine is where all four of these elements were brought together alongside the physical warmaking machinery to form a single continuous battlespace.
Mellen’s tour through history and technology shows how political leadership has failed to live up to its promises to its citizenry to maintain and improve their respective social contracts: China’s prosperity is crumbling, Russia’s safety is evaporating, and America’s economic divide continues to worsen. With this deep historical dive, the reader can see where things went off the rails, and why.
Missing from her excellent treatment of world powers is a focus on Iran, although it is mentioned briefly in several case studies. Also missing is more than a passing glance at AI.
Mellen concludes with a dark vision of the “fourth power,” that of the major tech companies who treat their users as “digital peasants living in a world of corporate feudalism. Users till the soil (creating data), pay taxes (such as subscription fees), and live in castles (the digital platforms themselves), having no say in how the kingdom is governed.” The real nation-states like China, Russia and the US and the digital nation-states such as Google, Apple, and Meta all want your data and your attention so they can exploit you and leverage your resources.