Dina Temple-Raston is a special correspondent at NPR working on a technology project expected to air in the spring. Previously, she had covered terrorism for the network for more than a decade. She is also the creator and host of an independent podcast available on iTunes about adolescent decision-making and the brain called “What Were You Thinking,” and an adjunct professor at Temple Law School.
As a young journalist, I lived in a town in northeast China where foreigners were so scarce, locals stopped me on the street and asked if I’d be willing to come home with them for dinner. “My grandmother has never seen a foreigner up close,” my companions would explain. “She’ll be so excited that I’ve actually found one to show her.” A short time later I would find myself in a small rural house, sitting on a heated ceramic bed known as a k’ang, allowing someone’s grandmother to pet my hair. (European hair is very different from Chinese hair, they would tell me — silkier.)
This was all taking place in the late 1980s when I had a rather unusual job as a special foreign assistant to the governor of Liaoning province, a man named Li Changchun. Just 42 years old at the time, he was China’s youngest sitting governor and was in charge of testing programs to modernize the Chinese economy. Under his watch, China allowed the first bankruptcy of a state-run company, launched a small public bond market and permitted workers at a particular factory to elect their own managers. It was the beginning of what came to be known as “capitalism with Chinese characteristics.”
All this came to mind when I began reading “Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat,” a new book by John P. Carlin, a former assistant attorney general for national security. Writing with journalist and historian Garrett M. Graff, Carlin provides a behind-the-scenes look at our conflict in cyberspace with China, Iran, North Korea and Russia.
As the national coordinator for the Justice Department’s Computer Hacking and Intellectual Property program during the Obama administration, Carlin oversaw a network of specially trained prosecutors who focused on cybercrime. In the beginning, the group was prosecuting the usual cast of characters — spammers, fraudsters and copyright infringers — but sights eventually turned eastward, toward China. “China’s approach to espionage was guided by a philosophy known as ‘thousand grains of sand,’ ” Carlin writes, “the geopolitical intelligence equivalent of ‘death by a thousand cuts.’ ” Or death by a thousand phishing emails.
China literally created an army of hackers who cracked into foreign servers to steal plans, negotiating strategies and proprietary information. Their continued efforts to steal American intellectual property were expected to be a key topic of discussion this weekend between President Trump and the Chinese president at the Group of 20 summit. Beijing has been equally aggressive about ensuring that information stays out of China, constructing what has come to be known as the Great Firewall to control what the Chinese people can see on the Internet. Chinese leaders had a long-standing feud with Google for precisely this reason. In late 2010, members of China’s Politburo bristled when they discovered that a censored version of Google in China still turned up unflattering stories about themselves and their families.
One leader in particular had Googled his children, Carlin writes, didn’t like what he found and had a new-world response — he directed a cyberattack against the company. His name, when Carlin revealed it in the book, stopped me cold: It was none other than the reformist governor I had worked for, Li Changchun. A few months later, Google effectively pulled out of China entirely.
Carlin makes clear that China was only the beginning. Destructive cyberattacks from Iran came next. Iranian hackers penetrated systems for the Sands Hotel and Casino in 2014, targeting casino company owner Sheldon Adelson. Adelson had been pushing for “a stronger stand against Iran’s nascent nuclear weapons program, including a military strike designed to demonstrate to Iran that the United States meant business,” Carlin writes. “Soon after, Iran hackers began digging around, probing the Sands Casino’s digital infrastructure.”
That February, employee emails at the company seized up, and anyone who “logged onto the website of the world’s largest gambling company found [it] replaced with a world map marked with flames showing the locations of its American casinos. . . . The local Las Vegas newspaper likened the attack to ‘scenes out of the 1983 movie WarGames.’ ”
The natural question rising out of all of this, and one that is central to Carlin’s book, is how is America to respond? Certainly, teaching people (my husband calls them “carbon units”) to spot hacking — phishing emails or anomalies in their Internet lives — is one option. Holding attackers accountable is another. Carlin was part of an early effort to do just that.
The first charges against state-backed hackers were quietly brought years ago, in 2014. The U.S. attorney in Pittsburgh, David Hickton, built a case against Chinese military hackers who were stealing information from companies in his district, and Carlin was part of the team that eventually filed charges against them. If there is a shortcoming in the book, it is that in Carlin’s telling the center of gravity in this case and others seems to shift away from U.S. attorneys in the field to officials at the Justice Department in Washington. Hickton, for example, eventually charged five Chinese military officers (working under pseudonyms like Ugly Gorilla and KandyGoo) with electronic theft of information. He distributed wanted posters that featured images captured from the laptop cameras of the hackers as they worked. They were all in Chinese army uniforms. That was an important milestone.
“Until that point,” Carlin writes, “they’d face almost no costs and there was little reason to cease or alter their behavior. . . . Whether it is a state-owned enterprise or a state-supported enterprise in China, if you can figure out and prove that they’ve committed the crime, charging them . . . affects their reputations and that then causes them to recalculate.”
Carlin makes the case that naming and shaming state actors is necessary for America to defend itself against this new brand of warfare. He does an admirable job explaining the stakes, and for someone trying to get up to speed, this encyclopedic accounting of the opening shots in the code war is an excellent primer. For those who have been following cyber for some time, however, the book may seem to cover familiar ground. One gets the sense that Carlin’s position prevented him from telling us much more than we already know. (He quotes the New York Times and open-source reporting extensively, which made me wish that he’d revealed more of what he learned by being in the room.)
“Criminals, terrorists and spies [have] made themselves at home on a global network that was never designed with safety and security in mind,” Carlin writes, adding that the book is a “warning that we’ve built our modern society on top of fragile technology, with far too little thought as to the creativity of our adversaries.” If this sounds vaguely familiar, it should. A bipartisan 9/11 report said one of the failures that plagued the intelligence community ahead of those attacks was one of imagination. The comparison isn’t lost on Carlin.
By John P. Carlin with Garrett M. Graff
PublicAffairs. 464 pp. $30