5 Things I Learned from Reading Dawn of the Code War by John P. Carlin

January 23, 2021 | 8 Minute Read

In my continuing journey to learn more about cybersecurity, I reached out to some colleagues and other resources to find interesting and informative books about the field. I came across a great post by The Cybersecurity Hub (who you should follow on IG and LinkedIn) with a list of great books recommended by security professionals. I purchased several, which I will write a similar post about, and the first one I chose to read before the end of the year was "Dawn of the Code War" by John P. Carlin.


Book Summary

The book starts with the origin of the internet, its design, and its purpose as an academic project to share information. Then it goes into its development as a military/government product, and finally, its growth into the behemoth that it is today. This development of the internet gave rise to technical tinkerers whose natural sense of curiosity and skills allowed them to improve the system. These people later became known as hackers, originally meaning those who broke down systems to build them back and understand them better.

The term “hacker” originally was positive, as many of the first innovations were the results of hackers. But as with most good things, some people with ill intentions came and ruined everyone else’s fun. As more products, services, businesses, and infrastructure moved to the internet, these bad actors used the skills that original hackers used for innovation to perform unlawful acts. These individuals, groups, and nation-states became known as cybercriminals. As one of the first lawyers in the government to pursue criminals in this new environment, Carlin tells the story of his pursuits. He expounds on how law and life have changed and will change with the growth of this new wave of crime. Carlin’s unique perspective as a lawyer outside of the tech space, someone inside the government, gave visibility to the global implications of some of the most significant cyber events to date. His expedition through the tech world introduced me to five new things I did not know about cybersecurity. These lessons are about security, perception, legislation, cooperation, and the future of the internet.

The Internet is Unsecure… on Purpose?

Carlin starts the story by describing how the internet came to be and its initial use. The original network connected universities that used it to share information and research. The goal was a new way to transfer knowledge over longer distances. Because of the academic and analysis capabilities, users agreed that the system would be open to access for everyone on the network. Hackers were able to break the system down and rebuild it to implement features that would soon be spread throughout to improve it. Carlin then mentions how people outside the network were breaking in to gain access to the academic resources. Due to these intrusions, some offered the idea of encrypting and password-protecting some of the resources. Early adopters in the community met this idea with vehement disagreement.

I found this extremely interesting because it is the polar opposite of what I know about the internet today. The majority of issues and time spent on the internet today involve applying security layers such as encryption. So, when Carlin wrote about how the early creators of the internet intentionally left out and forbade these security aspects, I was genuinely shocked. It is interesting to learn that the internet could have been safer and more protected from the start. The lack of foresight as to what the internet could be, in essence, made it less safe for future users, all in the name of keeping the internet’s reputation as a free and accessible resource.

Reputation is Everything

Reputation matters to the creators of the internet itself and those that run their businesses on it. Throughout the book, there are examples of companies that run a large portion of their business and generate massive revenue using the internet. Rarely, however, were those companies mentioned due to their successes in cybersecurity. Many of the companies were victims of cyber attacks and criminals that either stole intellectual property, exposed sensitive customer data, or caused the loss of millions in revenue. However, early on, several of the companies hid these events to save face.

From Carlin’s experience with these companies, I learned that companies were not required to announce the occurrence or face any repercussions or remediations for these cyber events. Instead, companies would choose to keep the news internal or choose only to share with the proper authorities, understanding that it would never go public. Some companies feared that the damage to their reputation and brand would cost more than anything lost in the breach/attack. Despite my disagreement with that sort of choice, I understood the decision by those companies. I felt like there should have been some rule/law to protect companies that were following the guidelines and best practices and punish those that neglected to protect themselves and their customers’ data for the sake of profit.

Legislation Lags behind Innovation

I believe Carlin uses examples like those from the last section to highlight the government’s lag behind the constantly evolving landscape that is the internet. Throughout the book, Carlin and his team struggle to bring proper justice for individuals and groups who have been cybercrime victims. In the beginning, Carlin wrote about several occasions where the law lacked the means to adequately distribute punishment for online events. One such occasion was the first virus/worm that was accidentally unleashed into the “wild” of the internet; as it infected and perpetuated across the internet, it impacted many of its users. He would describe attacks attributed to government-sponsored actors who targeted large corporations, leaving millions of individuals exposed and irreparably damaging their livelihoods.

Due to the government’s classic characteristic of being behind the curve, some small offenses received extreme punishments to deter future behavior. Meanwhile, attacks like those perpetrated by foreign governments received virtually no recourse; there was not much within the predefined laws they could do short of declaring war. However, I learned from Carlin that it would take a coordinated and combined effort if there is to be a course of action.

Teamwork Makes the Dream Work

In the stories that Carlin tells about successful prosecutions of cybercriminals, he goes into detail about the role of private-sector and interagency communication. However, he also shows how the process is impeded when one party is out of the investigative circle. The stories highlight that no single party alone has the time, resources, and workforce required to tackle crime on such a large scale, and that it cannot be done with a piece missing.

Carlin displayed an example of the FBI, DoJ, DoS, DHS, several private companies, and universities coming together to stop, find, and prosecute a major cybercriminal and his activities. I learned that the combined power, resources, and technical and legal knowledge of the government and private sector could mutually protect customers and citizens. The tech field will need this sort of communication, cooperation, and combined force more and more as the internet grows.

Things will Get Worse… Unless We Act

From events such as DDoS attacks on the financial industry in the mid-2010s to more recent attempts on the 2016 and 2020 elections, Carlin believes the prevalence of cybercrime will only increase. Also, with an exponential boom in the number of devices that rely on the internet, the attack surface grows, and the opportunity for exploitation grows with it. So, at the current pace and priority that security takes on the internet, crime will be rampant and devastating.

But there are actions we can take to resolve this. If the private and public sectors move their resources and budgets towards preventative, rather than reactionary, cybersecurity measures, they could save not only money but the sensitive data of their users. Also, involving those with intimate knowledge of the internet in the legislative process can produce more robust and equitable cybercrime laws. Finally, I have seen recent trends that I would like to promote: the push for privacy and overall security of the apps, tools, and services that we interact with every day. Companies have shown that they will not prioritize anything other than profits and efficiency unless we as consumers realign our priorities.

Conclusion

Dawn of the Code War was a fantastic book, full of information written in a way that gripped my attention from start to end. I would give it an 8.5/10 overall, and it was a tremendous start to my cybersecurity-focused reading catalog. I would love to hear more about what you all are reading and take all suggestions for great reading in the field of security. So, feel free to leave a comment with any book recommendations!

I appreciate you spending time giving this a read, and I hope you learned something! If you have any questions, comments, or concerns, feel free to leave them below, use the contact page, or find me on Twitter. Thanks!